From c2ead71eeb7cbd081f32ef7eca6251a275649c21 Mon Sep 17 00:00:00 2001 From: Piotr Karbowski Date: Sun, 20 Apr 2014 06:01:52 +0200 Subject: [PATCH] Auto commit, 1 new patch{es}. --- test/changelog-test.txt | 122286 +++++++++++++++ test/grsecurity-3.0-3.14.1-201404192355.patch | 119569 ++++++++++++++ ...security-3.0-3.14.1-201404192355.patch.sig | Bin 0 -> 543 bytes 3 files changed, 241855 insertions(+) create mode 100644 test/grsecurity-3.0-3.14.1-201404192355.patch create mode 100644 test/grsecurity-3.0-3.14.1-201404192355.patch.sig diff --git a/test/changelog-test.txt b/test/changelog-test.txt index 3cd4d05..5f0ccc6 100644 --- a/test/changelog-test.txt +++ b/test/changelog-test.txt @@ -1,3 +1,122289 @@ +commit d3bbc864301cb104276f4436884323ee3fa85ffc +Author: Brad Spengler +Date: Sat Apr 19 23:49:07 2014 -0400 + + update size_overflow hash table + + tools/gcc/size_overflow_hash.data | 1397 ++++++++++++++++++++++++++++++++++--- + 1 files changed, 1316 insertions(+), 81 deletions(-) + +commit cd23784e8fa1bfdb94ab996974b55ff393a99d1d +Author: Brad Spengler +Date: Sat Apr 19 17:56:43 2014 -0400 + + update hash table + + tools/gcc/size_overflow_hash.data | 89 ++++++++++++++++++++++++++++++++---- + 1 files changed, 79 insertions(+), 10 deletions(-) + +commit c690d26a85ddc401b41736fcf3843184b8aa8ce3 +Author: Brad Spengler +Date: Sat Apr 19 17:27:30 2014 -0400 + + compile fix + + fs/sysfs/dir.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 9c2e86fc73a07e339453c37d453c15df5239a81b +Author: Brad Spengler +Date: Sat Apr 19 17:21:37 2014 -0400 + + compile fix + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 291020f4909335691022cad5667223cba91b889a +Author: Brad Spengler +Date: Sat Apr 19 17:16:53 2014 -0400 + + compile fix + + kernel/sched/core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c7ff410e37eefde634fbc08b161cb2588955dd2d +Author: Brad Spengler +Date: Sat Apr 19 17:11:30 2014 -0400 + + compile fixes + + fs/exec.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 52aeace717f5179e7da8b4bc1a5b8d30dd2a5435 +Author: Brad Spengler +Date: Sat Apr 19 17:01:32 2014 -0400 + + Initial port of grsecurity for Linux 3.14.1 + + Documentation/dontdiff | 2 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 18 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/Kconfig | 1 + + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/Kconfig | 4 +- + arch/arm/mm/fault.c | 40 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/Kconfig | 1 + + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/Kconfig | 1 + + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 4 + + arch/powerpc/Kconfig | 1 + + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 5 +- + arch/powerpc/kernel/Makefile | 2 + + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/mmap.c | 2 +- + arch/powerpc/mm/slice.c | 2 +- + arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 15 +- + arch/tile/Kconfig | 1 + + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 6 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/floppy.h | 20 +- + arch/x86/include/asm/paravirt_types.h | 23 +- + arch/x86/include/asm/processor.h | 2 +- + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ldt.c | 11 + + arch/x86/kernel/msr.c | 10 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/mm/init_32.c | 6 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/x86/xen/Kconfig | 1 + + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/acpi/acpica/hwxfsleep.c | 11 +- + drivers/acpi/custom_method.c | 4 + + drivers/block/cciss.h | 30 +- + drivers/block/drbd/drbd_interval.c | 6 +- + drivers/block/smart1,2.h | 40 +- + drivers/cdrom/cdrom.c | 2 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 19 +- + drivers/firewire/ohci.c | 4 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- + drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- + drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- + drivers/infiniband/hw/nes/nes_cm.c | 22 +- + drivers/isdn/gigaset/bas-gigaset.c | 32 +- + drivers/isdn/gigaset/ser-gigaset.c | 32 +- + drivers/isdn/gigaset/usb-gigaset.c | 32 +- + drivers/isdn/i4l/isdn_concap.c | 6 +- + drivers/isdn/i4l/isdn_x25iface.c | 16 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/misc/sgi-xp/xp_main.c | 12 +- + drivers/net/bonding/bond_main.c | 1 + + drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wan/lmc/lmc_media.c | 97 +- + drivers/net/wan/z85230.c | 24 +- + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/platform/x86/asus-wmi.c | 12 + + drivers/rtc/rtc-dev.c | 3 + + drivers/scsi/bfa/bfa_fcs.c | 19 +- + drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- + drivers/scsi/bfa/bfa_modules.h | 12 +- + drivers/scsi/hpsa.h | 20 +- + drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- + drivers/staging/lustre/lustre/libcfs/module.c | 10 +- + drivers/staging/lustre/lustre/llite/dir.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/uio/uio.c | 6 +- + drivers/usb/core/hub.c | 5 + + drivers/video/arcfb.c | 2 +- + drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ + drivers/video/matrox/matroxfb_DAC1064.c | 10 +- + drivers/video/matrox/matroxfb_Ti3026.c | 5 +- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 40 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 17 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 196 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/mount.h | 4 +- + fs/namei.c | 235 ++- + fs/namespace.c | 24 + + fs/nfs/nfs4proc.c | 19 +- + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/posix_acl.c | 15 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 166 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 7 +- + fs/proc/interrupts.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 52 +- + fs/proc/root.c | 8 + + fs/proc/stat.c | 27 +- + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/reiserfs/item_ops.c | 24 +- + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 20 +- + fs/sysfs/dir.c | 15 +- + fs/utimes.c | 7 + + fs/xattr.c | 38 +- + grsecurity/Kconfig | 1161 +++++++++ + grsecurity/Makefile | 54 + + grsecurity/gracl.c | 2679 +++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_compat.c | 270 ++ + grsecurity/gracl_fs.c | 437 ++++ + grsecurity/gracl_ip.c | 386 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_policy.c | 1782 +++++++++++++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 313 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 433 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 272 ++ + grsecurity/grsec_ipc.c | 48 + + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 341 +++ + grsecurity/grsec_mem.c | 48 + + grsecurity/grsec_mount.c | 65 + + grsecurity/grsec_pax.c | 45 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 236 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 479 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsec_usb.c | 15 + + grsecurity/grsum.c | 61 + + include/linux/binfmts.h | 5 +- + include/linux/capability.h | 5 + + include/linux/compiler-gcc4.h | 5 + + include/linux/compiler.h | 8 + + include/linux/cred.h | 7 +- + include/linux/dcache.h | 2 +- + include/linux/fs.h | 24 +- + include/linux/fs_struct.h | 2 +- + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 340 +++ + include/linux/gracl_compat.h | 156 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 229 ++ + include/linux/grmsg.h | 116 + + include/linux/grsecurity.h | 246 ++ + include/linux/grsock.h | 19 + + include/linux/ipc_namespace.h | 2 +- + include/linux/kallsyms.h | 18 +- + include/linux/kmod.h | 5 + + include/linux/kobject.h | 2 +- + include/linux/mm.h | 1 + + include/linux/mm_types.h | 4 +- + include/linux/module.h | 4 +- + include/linux/mount.h | 2 +- + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/path.h | 4 +- + include/linux/perf_event.h | 13 +- + include/linux/pid_namespace.h | 2 +- + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 13 + + include/linux/proc_ns.h | 2 +- + include/linux/rbtree_augmented.h | 4 +- + include/linux/sched.h | 80 +- + include/linux/security.h | 3 +- + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 4 +- + include/linux/thread_info.h | 2 + + include/linux/tty.h | 2 +- + include/linux/tty_driver.h | 4 +- + include/linux/uidgid.h | 5 + + include/linux/user_namespace.h | 2 +- + include/linux/utsname.h | 2 +- + include/linux/vermagic.h | 16 +- + include/net/af_unix.h | 2 +- + include/net/neighbour.h | 3 +- + include/net/net_namespace.h | 2 +- + include/net/netfilter/nf_conntrack_extend.h | 4 +- + include/net/sock.h | 4 +- + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 23 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + ipc/util.c | 6 + + kernel/capability.c | 40 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 24 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 94 +- + kernel/kprobes.c | 7 +- + kernel/ksysfs.c | 2 + + kernel/locking/lockdep_proc.c | 10 +- + kernel/module.c | 106 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/pid_namespace.c | 4 +- + kernel/posix-timers.c | 8 + + kernel/power/Kconfig | 2 + + kernel/printk/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 71 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + kernel/user_namespace.c | 15 + + lib/Kconfig.debug | 7 +- + lib/is_single_threaded.c | 3 + + lib/list_debug.c | 65 +- + lib/rbtree.c | 4 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/Kconfig | 5 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 6 +- + mm/mmap.c | 85 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 29 +- + net/atm/lec.c | 6 +- + net/atm/mpoa_caches.c | 42 +- + net/core/dev_ioctl.c | 4 + + net/core/filter.c | 25 +- + net/core/neighbour.c | 9 +- + net/core/net-procfs.c | 5 + + net/core/sock_diag.c | 7 + + net/decnet/dn_dev.c | 2 +- + net/ieee802154/dgram.c | 3 +- + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/ping.c | 22 +- + net/ipv4/raw.c | 4 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 31 +- + net/ipv6/raw.c | 4 +- + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 12 +- + net/l2tp/l2tp_ip.c | 4 +- + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/nf_tables_api.c | 7 +- + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 1 - + net/socket.c | 72 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + net/vmw_vsock/vmci_transport_notify.c | 30 +- + net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- + net/x25/sysctl_net_x25.c | 2 +- + scripts/Makefile | 2 + + security/Kconfig | 349 +++- + security/apparmor/file.c | 4 +- + security/apparmor/lsm.c | 8 +- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/tomoyo/file.c | 12 +- + security/tomoyo/mount.c | 4 + + security/tomoyo/tomoyo.c | 22 +- + security/yama/Kconfig | 2 +- + sound/core/seq/oss/seq_oss.c | 4 +- + sound/core/seq/seq_midi.c | 4 +- + sound/drivers/opl3/opl3_seq.c | 4 +- + sound/drivers/opl4/opl4_seq.c | 4 +- + sound/isa/sb/emu8000_synth.c | 4 +- + sound/pci/emu10k1/emu10k1_synth.c | 4 +- + sound/synth/emux/emux_seq.c | 14 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 11 + + tools/gcc/gen-random-seed.sh | 8 + + tools/gcc/randomize_layout_plugin.c | 910 +++++++ + virt/kvm/ioapic.c | 2 +- + 398 files changed, 18219 insertions(+), 2583 deletions(-) + +commit 6c907241bdb826a89c81080d01b5fa596b8300a2 +Author: Brad Spengler +Date: Sat Apr 19 15:15:29 2014 -0400 + + Initial import of pax-linux-3.14.1-test5.patch + + Documentation/dontdiff | 47 +- + Documentation/kernel-parameters.txt | 23 + + Makefile | 102 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 442 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 12 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 3 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 3 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 54 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 96 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 110 +- + arch/arm/kernel/entry-common.S | 40 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 3 + + arch/arm/kernel/head.S | 2 +- + arch/arm/kernel/module.c | 31 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/process.c | 42 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 20 +- + arch/arm/kernel/signal.c | 35 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/tcm.c | 4 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 24 +- + arch/arm/kvm/arm.c | 8 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 4 +- + arch/arm/mach-at91/setup.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 6 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/cache-l2x0.c | 2 +- + arch/arm/mm/context.c | 10 +- + arch/arm/mm/fault.c | 140 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 178 +- + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/include/asm/uaccess.h | 1 + + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 27 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/cavium-octeon/dma-octeon.c | 2 +- + arch/mips/include/asm/atomic.h | 728 +++- + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/hw_irq.h | 2 +- + arch/mips/include/asm/local.h | 57 + + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/include/asm/pgtable.h | 3 + + arch/mips/include/asm/smtc_proc.h | 2 +- + arch/mips/include/asm/uaccess.h | 1 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/i8259.c | 2 +- + arch/mips/kernel/irq-gt641xx.c | 2 +- + arch/mips/kernel/irq.c | 6 +- + arch/mips/kernel/process.c | 12 - + arch/mips/kernel/reset.c | 4 + + arch/mips/kernel/smtc-proc.c | 6 +- + arch/mips/kernel/smtc.c | 2 +- + arch/mips/kernel/sync-r4k.c | 24 +- + arch/mips/kernel/traps.c | 13 +- + arch/mips/mm/fault.c | 25 + + arch/mips/mm/mmap.c | 51 +- + arch/mips/pci/pci-octeon.c | 4 +- + arch/mips/pci/pcie-octeon.c | 12 +- + arch/mips/sgi-ip27/ip27-nmi.c | 6 +- + arch/mips/sni/rm200.c | 2 +- + arch/mips/vr41xx/common/icu.c | 2 +- + arch/mips/vr41xx/common/irq.c | 4 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 15 + + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/local.h | 15 + + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 141 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 15 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/kvm/powerpc.c | 2 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap.c | 22 +- + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 16 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 34 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable.h | 4 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/smp_64.c | 12 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 52 +- + arch/sparc/kernel/traps_64.c | 27 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/sparc/mm/init_64.c | 10 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 13 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 16 +- + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 4 +- + arch/x86/boot/compressed/head_64.S | 12 +- + arch/x86/boot/compressed/misc.c | 13 +- + arch/x86/boot/cpucheck.c | 16 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 106 +- + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +- + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +- + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 4 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 10 +- + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +- + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 18 +- + arch/x86/ia32/ia32entry.S | 173 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 269 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 166 +- + arch/x86/include/asm/bitops.h | 18 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/calling.h | 118 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 16 +- + arch/x86/include/asm/desc.h | 78 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 8 +- + arch/x86/include/asm/futex.h | 14 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 106 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 136 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 15 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 124 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/preempt.h | 2 +- + arch/x86/include/asm/processor.h | 79 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rmwcc.h | 84 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 29 +- + arch/x86/include/asm/smap.h | 64 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 82 +- + arch/x86/include/asm/tlbflush.h | 73 +- + arch/x86/include/asm/uaccess.h | 180 +- + arch/x86/include/asm/uaccess_32.h | 24 +- + arch/x86/include/asm/uaccess_64.h | 173 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xen/page.h | 2 +- + arch/x86/include/asm/xsave.h | 14 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/include/uapi/asm/ptrace-abi.h | 1 - + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 69 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 132 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/microcode/core.c | 2 +- + arch/x86/kernel/cpu/microcode/intel.c | 4 +- + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 356 ++- + arch/x86/kernel/entry_64.S | 742 +++- + arch/x86/kernel/ftrace.c | 10 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 228 +- + arch/x86/kernel/head_64.S | 138 +- + arch/x86/kernel/i386_ksyms_32.c | 12 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 67 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/jump_label.c | 8 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/ksysfs.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/preempt.S | 3 + + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 20 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 42 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/relocate_kernel_64.S | 3 +- + arch/x86/kernel/setup.c | 63 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 30 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 12 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/tracepoint.c | 4 +- + arch/x86/kernel/traps.c | 62 +- + arch/x86/kernel/tsc.c | 2 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 147 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 6 +- + arch/x86/kernel/x86_init.c | 6 +- + arch/x86/kernel/xsave.c | 10 +- + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 63 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 20 +- + arch/x86/lib/copy_user_64.S | 81 +- + arch/x86/lib/copy_user_nocache_64.S | 14 + + arch/x86/lib/csum-copy_64.S | 18 +- + arch/x86/lib/csum-wrappers_64.c | 8 +- + arch/x86/lib/getuser.S | 74 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 10 +- + arch/x86/lib/memmove_64.S | 4 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 2 + + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 12 +- + arch/x86/lib/usercopy_32.c | 357 +- + arch/x86/lib/usercopy_64.c | 18 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 564 +++- + arch/x86/mm/gup.c | 6 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 24 +- + arch/x86/mm/init.c | 101 +- + arch/x86/mm/init_32.c | 111 +- + arch/x86/mm/init_64.c | 45 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 36 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 151 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/mm/uderef_64.c | 37 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 38 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/intel_mid_pci.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/intel-mid/intel-mid.c | 3 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 3 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 45 +- + arch/x86/xen/mmu.c | 11 +- + arch/x86/xen/smp.c | 21 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-cgroup.c | 4 +- + block/blk-iopoll.c | 2 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 2 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 4 +- + block/genhd.c | 9 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 29 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 2 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/ghes.c | 4 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 12 +- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 8 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_nl.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/null_blk.c | 27 +- + drivers/block/pktcdvd.c | 4 +- + drivers/bluetooth/btwilink.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 43 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 18 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clk/socfpga/clk.c | 9 +- + drivers/cpufreq/acpi-cpufreq.c | 17 +- + drivers/cpufreq/cpufreq.c | 26 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 4 +- + drivers/cpufreq/cpufreq_ondemand.c | 10 +- + drivers/cpufreq/intel_pstate.c | 30 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 70 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/driver.c | 2 +- + drivers/cpuidle/governor.c | 2 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/crypto/hifn_795x.c | 4 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdmac.c | 2 +- + drivers/edac/edac_device.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci.c | 4 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 6 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 2 +- + drivers/firmware/efi/cper.c | 8 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-em.c | 2 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-rcar.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc.c | 2 +- + drivers/gpu/drm/drm_drv.c | 4 +- + drivers/gpu/drm/drm_fops.c | 12 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 13 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 26 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- + drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- + drivers/gpu/drm/qxl/qxl_drv.h | 8 +- + drivers/gpu/drm/qxl/qxl_ioctl.c | 10 +- + drivers/gpu/drm/qxl/qxl_irq.c | 16 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- + drivers/gpu/drm/tegra/dc.c | 2 +- + drivers/gpu/drm/tegra/hdmi.c | 2 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/gpu/vga/vga_switcheroo.c | 4 +- + drivers/hid/hid-core.c | 4 +- + drivers/hid/uhid.c | 6 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 4 +- + drivers/hv/hv_balloon.c | 18 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/nct6775.c | 6 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mcg.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- + drivers/infiniband/hw/mthca/mthca_main.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- + drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/misc/ims-pcu.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/input/serio/serio_raw.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_common.c | 2 + + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/isdn/mISDN/dsp_cmx.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stats.c | 6 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 4 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/platform/vivi.c | 4 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 16 +- + drivers/media/v4l2-core/v4l2-ctrls.c | 4 +- + drivers/media/v4l2-core/v4l2-device.c | 4 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 13 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 67 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/ab8500-debugfs.c | 2 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/max8925-i2c.c | 2 +- + drivers/mfd/tps65910.c | 2 +- + drivers/mfd/twl4030-irq.c | 9 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/eeprom/sunxi_sid.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/card/block.c | 2 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/mmci.c | 4 +- + drivers/mmc/host/sdhci-esdhc-imx.c | 7 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_netlink.c | 2 +- + drivers/net/can/Kconfig | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +- + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 4 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/usb/r8152.c | 2 +- + drivers/net/usb/sierra_net.c | 4 +- + drivers/net/vxlan.c | 4 +- + drivers/net/wimax/i2400m/rx.c | 2 +- + drivers/net/wireless/airo.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath10k/htc.c | 7 +- + drivers/net/wireless/ath/ath10k/htc.h | 4 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/b43/phy_lp.c | 2 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 28 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/nfc/nfcwilink.c | 2 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 6 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/msi.c | 6 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/chrome/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/msi-wmi.c | 2 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/powercap/powercap_sys.c | 136 +- + drivers/regulator/core.c | 4 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/android/timed_output.c | 6 +- + drivers/staging/gdm724x/gdm_tty.c | 2 +- + drivers/staging/imx-drm/imx-drm-core.c | 6 +- + drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- + drivers/staging/lustre/lnet/selftest/framework.c | 4 - + drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- + drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- + drivers/staging/lustre/lustre/include/obd.h | 2 +- + .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- + drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/target/sbp/sbp_target.c | 4 +- + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/hvc/hvsi.c | 22 +- + drivers/tty/hvc/hvsi_lib.c | 4 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 5 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/ioc4_serial.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/msm_serial.c | 4 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 8 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 15 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/devio.c | 10 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 6 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/dwc3/gadget.c | 2 - + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/host/ehci-hub.c | 4 +- + drivers/usb/misc/appledisplay.c | 4 +- + drivers/usb/serial/console.c | 8 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vfio/vfio.c | 2 +- + drivers/vhost/vringh.c | 20 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbmem.c | 8 +- + drivers/video/hyperv_fb.c | 4 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/omap2/dss/display.c | 8 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/afs/inode.c | 4 +- + fs/aio.c | 2 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 6 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 680 +++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/delayed-inode.c | 6 +- + fs/btrfs/delayed-inode.h | 4 +- + fs/btrfs/super.c | 2 +- + fs/btrfs/sysfs.c | 2 +- + fs/buffer.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/ceph/super.c | 4 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/file.c | 10 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 4 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 16 +- + fs/dcache.c | 5 +- + fs/ecryptfs/inode.c | 2 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 ++- + fs/ext2/xattr.c | 5 +- + fs/ext3/xattr.c | 5 +- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/ext4/xattr.c | 5 +- + fs/fhandle.c | 3 +- + fs/file.c | 4 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 40 +- + fs/fscache/internal.h | 200 +- + fs/fscache/object.c | 26 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/hostfs/hostfs_kern.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/kernfs/dir.c | 2 +- + fs/kernfs/file.c | 16 +- + fs/kernfs/symlink.c | 2 +- + fs/libfs.c | 12 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 16 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 2 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 22 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 2 +- + fs/ntfs/super.c | 6 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 59 +- + fs/posix_acl.c | 4 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 16 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 4 +- + fs/splice.c | 41 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_readdir.c | 7 +- + fs/xfs/xfs_ioctl.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 212 +- + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/bitops/__fls.h | 2 +- + include/asm-generic/bitops/fls.h | 2 +- + include/asm-generic/bitops/fls64.h | 4 +- + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 16 + + include/asm-generic/uaccess.h | 16 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 16 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/i915_pciids.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/drm/ttm/ttm_page_alloc.h | 1 + + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/audit.h | 2 +- + include/linux/binfmts.h | 3 +- + include/linux/bitops.h | 6 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 8 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 4 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 12 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fdtable.h | 2 +- + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 4 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/hash.h | 2 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 6 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 12 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 6 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/jiffies.h | 14 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/linkage.h | 1 + + include/linux/list.h | 15 + + include/linux/math64.h | 10 +- + include/linux/mempolicy.h | 7 + + include/linux/mm.h | 118 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/padata.h | 2 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/pm.h | 1 + + include/linux/pm_domain.h | 4 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/preempt.h | 21 + + include/linux/proc_ns.h | 2 +- + include/linux/quota.h | 2 +- + include/linux/random.h | 23 +- + include/linux/rculist.h | 20 +- + include/linux/rcupdate.h | 2 +- + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 68 +- + include/linux/sched/sysctl.h | 1 + + include/linux/security.h | 2 - + include/linux/semaphore.h | 2 +- + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 8 +- + include/linux/slab.h | 48 +- + include/linux/slab_def.h | 14 +- + include/linux/slub_def.h | 2 +- + include/linux/smp.h | 2 + + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 18 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 9 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vga_switcheroo.h | 8 +- + include/linux/vmalloc.h | 7 +- + include/linux/vmstat.h | 24 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-device.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 17 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 20 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 4 +- + include/net/netns/ipv6.h | 4 +- + include/net/ping.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/checksum.h | 4 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 8 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 13 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/bcache.h | 5 +- + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 2 - + include/uapi/linux/videodev2.h | 2 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 78 +- + ipc/compat.c | 2 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 4 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/events/internal.h | 10 +- + kernel/events/uprobes.c | 2 +- + kernel/exit.c | 4 +- + kernel/fork.c | 166 +- + kernel/futex.c | 11 +- + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 2 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 8 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 +- + kernel/locking/lockdep.c | 7 +- + kernel/locking/mutex-debug.c | 12 +- + kernel/locking/mutex-debug.h | 4 +- + kernel/locking/mutex.c | 10 +- + kernel/locking/rtmutex-tester.c | 24 +- + kernel/module.c | 337 +- + kernel/notifier.c | 17 +- + kernel/padata.c | 4 +- + kernel/panic.c | 5 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 24 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcu/srcu.c | 4 +- + kernel/rcu/tiny.c | 4 +- + kernel/rcu/torture.c | 56 +- + kernel/rcu/tree.c | 76 +- + kernel/rcu/tree.h | 26 +- + kernel/rcu/tree_plugin.h | 42 +- + kernel/rcu/tree_trace.c | 22 +- + kernel/rcu/update.c | 4 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/completion.c | 6 +- + kernel/sched/core.c | 45 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 12 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 12 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 34 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_clock.c | 4 +- + kernel/trace/trace_events.c | 1 - + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/average.c | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/hash.c | 2 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/percpu-refcount.c | 2 +- + lib/radix-tree.c | 2 +- + lib/random32.c | 2 +- + lib/show_mem.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 10 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 3 +- + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 28 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 25 + + mm/mlock.c | 15 +- + mm/mmap.c | 581 +++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 42 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 44 +- + mm/shmem.c | 19 +- + mm/slab.c | 106 +- + mm/slab.h | 15 +- + mm/slab_common.c | 60 +- + mm/slob.c | 206 +- + mm/slub.c | 86 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 75 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/client.c | 6 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/fragmentation.c | 2 +- + net/batman-adv/soft-interface.c | 6 +- + net/batman-adv/types.h | 6 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 4 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/ceph/messenger.c | 4 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/filter.c | 2 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 4 +- + net/core/net_namespace.c | 8 +- + net/core/netpoll.c | 4 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/skbuff.c | 8 +- + net/core/sock.c | 28 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 20 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 16 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 20 +- + net/ipv4/sysctl_net_ipv4.c | 37 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 18 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/af_inet6.c | 2 +- + net/ipv6/datagram.c | 2 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ip6_vti.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/output_core.c | 15 +- + net/ipv6/ping.c | 33 +- + net/ipv6/raw.c | 17 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 6 +- + net/ipv6/xfrm6_policy.c | 17 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 16 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/nft_compat.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/packet/af_packet.c | 8 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 13 +- + net/socket.c | 20 +- + net/sunrpc/auth_gss/svcauth_gss.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/svcauth_unix.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 16 +- + net/xfrm/xfrm_state.c | 33 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 16 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/module-common.lds | 4 + + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 689 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/security.c | 9 +- + security/selinux/avc.c | 6 +- + security/selinux/hooks.c | 11 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/hda/hda_codec.c | 10 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 6 +- + sound/soc/soc-core.c | 6 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 51 + + tools/gcc/checker_plugin.c | 150 + + tools/gcc/colorize_plugin.c | 169 + + tools/gcc/constify_plugin.c | 552 +++ + tools/gcc/gcc-common.h | 287 ++ + tools/gcc/generate_size_overflow_hash.sh | 97 + + tools/gcc/kallocstat_plugin.c | 182 + + tools/gcc/kernexec_plugin.c | 519 +++ + tools/gcc/latent_entropy_plugin.c | 457 ++ + tools/gcc/size_overflow_hash.data | 4629 ++++++++++++++++++++ + tools/gcc/size_overflow_hash_aux.data | 92 + + tools/gcc/size_overflow_plugin.c | 4166 ++++++++++++++++++ + tools/gcc/stackleak_plugin.c | 374 ++ + tools/gcc/structleak_plugin.c | 273 ++ + tools/include/linux/compiler.h | 8 + + tools/lib/api/Makefile | 2 +- + tools/perf/util/include/asm/alternative-asm.h | 3 + + virt/kvm/kvm_main.c | 44 +- + 1763 files changed, 34368 insertions(+), 8117 deletions(-) +commit e8658e072c00c4c4124383dba46d91f67a24cf97 +Merge: b48043e f70f945 +Author: Brad Spengler +Date: Fri Apr 18 21:05:15 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f70f94597c07e3902709100b9e8b0ca88ee5be4d +Author: Brad Spengler +Date: Fri Apr 18 21:04:32 2014 -0400 + + Update to pax-linux-3.13.10-test20.patch: + - forward port to 3.13.10 + - temporarily reverted the previous fix of the overflow plugin as it triggers more problems than it solves + + tools/gcc/size_overflow_plugin.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b48043e1a01025db96cbbe3b9817a221c8dc154b +Merge: 30ce675 0338ded +Author: Brad Spengler +Date: Thu Apr 17 17:55:02 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0338dedbccd1d623ef78ccebd057893a8510905d +Author: Brad Spengler +Date: Thu Apr 17 17:54:33 2014 -0400 + + Update to pax-linux-3.13.9-test20.patch: + - Emese fixed two size overflow false positives due to intentional overflows, reported by 7LL (https://forums.grsecurity.net/viewtopic.php?f=3&t=3940) and marcin1j (https://forums.grsecurity.net/viewtopic.php?f=3&t=3943) + + include/uapi/linux/bcache.h | 5 ++- + tools/gcc/size_overflow_hash_aux.data | 9 +++++ + tools/gcc/size_overflow_plugin.c | 58 ++++++++++++++++++++++++++++++++- + 3 files changed, 69 insertions(+), 3 deletions(-) + +commit 30ce6750d8a1cd0484a19bb136baaec0f7780b09 +Author: Brad Spengler +Date: Thu Apr 17 17:12:50 2014 -0400 + + fix an off-by-one triggerable on 32bit kernels with PAX_USERCOPY on + specific shmemfs reads that end up copying from empty_zero_page, + which on 32bit x86 has the same address as _etext. Fix up some + other harmless instances of this error as well + + Thanks to 'jy' from IRC for reporting this + + arch/x86/mm/init_32.c | 6 +++--- + fs/exec.c | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit b3a6e7d392ea040b10b5d84e21ce3b25964ce6df +Merge: 27bdf99 b377d16 +Author: Brad Spengler +Date: Mon Apr 14 16:49:55 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b377d16f0d5b072ef75635ca0d778e2807c20ae8 +Merge: fc6d889 f994ec5 +Author: Brad Spengler +Date: Mon Apr 14 16:49:37 2014 -0400 + + Merge branch 'linux-3.13.y' into pax-test + + Conflicts: + arch/x86/crypto/ghash-clmulni-intel_asm.S + kernel/futex.c + +commit 27bdf99dcadbe3e4b185aea4f8574a6cadf3cc93 +Author: Brad Spengler +Date: Sun Apr 13 12:47:57 2014 -0400 + + From: Mathias Krause + [PATCH net] filter: prevent nla extensions to peek beyond the end of + the message + + The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check + for a minimal message length before testing the supplied offset to be + within the bounds of the message. This allows the subtraction of the nla + header to underflow and therefore -- as the data type is unsigned -- + allowing far to big offset and length values for the search of the + netlink attribute. + + The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is + also wrong. It has the minuend und subtrahend mixed up, therefore + calculates a huge length value, allowing to overrun the end of the + message while looking for the netlink attribute. + + The following three BPF snippets will trigger the bugs when attached to + a UNIX datagram socket and parsing a message with length 1, 2 or 3. + + ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- + | ld #0x87654321 + | ldx #42 + | ld #nla + | ret a + `--- + + ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- + | ld #0x87654321 + | ldx #42 + | ld #nlan + | ret a + `--- + + ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- + | ; (needs a fake netlink header at offset 0) + | ld #0 + | ldx #42 + | ld #nlan + | ret a + `--- + + Fix the first issue by ensuring the message length fulfills the minimal + size constrains of a nla header. Fix the second bug by getting the math + for the remainder calculation right. + + Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") + Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") + Cc: Patrick McHardy + Cc: Pablo Neira Ayuso + Signed-off-by: Mathias Krause + + net/core/filter.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit 397ff885e5d3da96d0f115caa9d4c697895b3281 +Author: Pablo Neira Ayuso +Date: Mon Mar 31 12:26:39 2014 +0200 + + Upstream commit: 2fec6bb6f484b1a88b4a325724234d6cfd08c918 + + netfilter: nf_tables: fix wrong format in request_module() + + The intended format in request_module is %.*s instead of %*.s. + + Reported-by: Florian Westphal + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_tables_api.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 4d8b1faffb7cfe526eb20b717cb0b6d59f348108 +Author: Pablo Neira Ayuso +Date: Mon Mar 24 15:10:37 2014 +0100 + + Upstream commit: a9bdd8365684810e3de804f8c51e52c26a5eccbb + + netfilter: nf_tables: set names cannot be larger than 15 bytes + + Currently, nf_tables trims off the set name if it exceeeds 15 + bytes, so explicitly reject set names that are too large. + + Reported-by: Giuseppe Longo + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_tables_api.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit a99a10ea229b7ae7f6af473949ff5138aef76209 +Author: Brad Spengler +Date: Fri Apr 11 17:33:00 2014 -0400 + + Upstream commit: 5678de3f15010b9022ee45673f33bcfc71d47b60 + + KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155) + QE reported that they got the BUG_ON in ioapic_service to trigger. + I cannot reproduce it, but there are two reasons why this could happen. + + The less likely but also easiest one, is when kvm_irq_delivery_to_apic + does not deliver to any APIC and returns -1. + + Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that + function is never reached. However, you can target the similar loop in + kvm_irq_delivery_to_apic_fast; just program a zero logical destination + address into the IOAPIC, or an out-of-range physical destination address. + + Signed-off-by: Paolo Bonzini + + virt/kvm/ioapic.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 7c522310c240fa3b1e671066def9fcab1f232f3b +Author: Dan Carpenter +Date: Tue Apr 8 12:23:09 2014 +0300 + + Upstream commit: 7563487cbf865284dcd35e9ef5a95380da046737 + + isdnloop: several buffer overflows + + There are three buffer overflows addressed in this patch. + + 1) In isdnloop_fake_err() we add an 'E' to a 60 character string and + then copy it into a 60 character buffer. I have made the destination + buffer 64 characters and I'm changed the sprintf() to a snprintf(). + + 2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60 + character buffer so we have 54 characters. The ->eazlist[] is 11 + characters long. I have modified the code to return if the source + buffer is too long. + + 3) In isdnloop_command() the cbuf[] array was 60 characters long but the + max length of the string then can be up to 79 characters. I made the + cbuf array 80 characters long and changed the sprintf() to snprintf(). + I also removed the temporary "dial" buffer and changed it to use "p" + directly. + + Unfortunately, we pass the "cbuf" string from isdnloop_command() to + isdnloop_writecmd() which truncates anything over 60 characters to make + it fit in card->omsg[]. (It can accept values up to 255 characters so + long as there is a '\n' character every 60 characters). For now I have + just fixed the memory corruption bug and left the other problems in this + driver alone. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++-------- + 1 files changed, 9 insertions(+), 8 deletions(-) + +commit 9b011cba3d245a48139ab05099e6a825956f8056 +Author: Andrey Vagin +Date: Fri Mar 28 13:54:32 2014 +0400 + + Upstream commit: 223b02d923ecd7c84cf9780bb3686f455d279279 + + netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len + + "len" contains sizeof(nf_ct_ext) and size of extensions. In a worst + case it can contain all extensions. Bellow you can find sizes for all + types of extensions. Their sum is definitely bigger than 256. + + nf_ct_ext_types[0]->len = 24 + nf_ct_ext_types[1]->len = 32 + nf_ct_ext_types[2]->len = 24 + nf_ct_ext_types[3]->len = 32 + nf_ct_ext_types[4]->len = 152 + nf_ct_ext_types[5]->len = 2 + nf_ct_ext_types[6]->len = 16 + nf_ct_ext_types[7]->len = 8 + + I have seen "len" up to 280 and my host has crashes w/o this patch. + + The right way to fix this problem is reducing the size of the ecache + extension (4) and Florian is going to do this, but these changes will + be quite large to be appropriate for a stable tree. + + Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable) + Cc: Pablo Neira Ayuso + Cc: Patrick McHardy + Cc: Jozsef Kadlecsik + Cc: "David S. Miller" + Signed-off-by: Andrey Vagin + Signed-off-by: Pablo Neira Ayuso + + include/net/netfilter/nf_conntrack_extend.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit c323aca3431ec956221a0333826a0aebcad6182c +Author: Trond Myklebust +Date: Wed Mar 26 13:24:37 2014 -0700 + + Upstream commit: e911b8158ee1def8153849b1641b736026b036e0 + + NFSv4: Fix a use-after-free problem in open() + + If we interrupt the nfs4_wait_for_completion_rpc_task() call in + nfs4_run_open_task(), then we don't prevent the RPC call from + completing. So freeing up the opendata->f_attr.mdsthreshold + in the error path in _nfs4_do_open() leads to a use-after-free + when the XDR decoder tries to decode the mdsthreshold information + from the server. + + Fixes: 82be417aa37c0 (NFSv4.1 cache mdsthreshold values on OPEN) + Tested-by: Steve Dickson + Cc: stable@vger.kernel.org # 3.5+ + Signed-off-by: Trond Myklebust + + fs/nfs/nfs4proc.c | 19 ++++++++++--------- + 1 files changed, 10 insertions(+), 9 deletions(-) + +commit afbc7281d89c10419bcaf9cd8f2a34fa1f0dc74a +Author: Brad Spengler +Date: Fri Apr 11 16:57:17 2014 -0400 + + Apply: https://lkml.org/lkml/2014/4/10/736 + + PAX_REFCOUNT makes this unexploitable, turning it into a harmless memleak + + net/ipv4/ping.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit 64688b956632b3165fd8aabb9b143f4d365ba382 +Author: H. Peter Anvin +Date: Sun Mar 16 15:31:54 2014 -0700 + + Upstream commit: b3b42ac2cbae1f3cecbb6229964a4d48af31d382 + + x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels + + The IRET instruction, when returning to a 16-bit segment, only + restores the bottom 16 bits of the user space stack pointer. We have + a software workaround for that ("espfix") for the 32-bit kernel, but + it relies on a nonzero stack segment base which is not available in + 32-bit mode. + + Since 16-bit support is somewhat crippled anyway on a 64-bit kernel + (no V86 mode), and most (if not quite all) 64-bit processors support + virtualization for the users who really need it, simply reject + attempts at creating a 16-bit segment when running on top of a 64-bit + kernel. + + Cc: Linus Torvalds + Signed-off-by: H. Peter Anvin + Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org + Cc: + + Conflicts: + + arch/x86/kernel/ldt.c + + arch/x86/kernel/ldt.c | 11 +++++++++++ + 1 files changed, 11 insertions(+), 0 deletions(-) + +commit 027b8db0f3266f307c6324f52d19c9425e01a95b +Author: Brad Spengler +Date: Mon Apr 7 18:41:45 2014 -0400 + + Update GRKERNSEC_IO documentation + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 4ffae780ca4045f1e00c3695a1c67fa7b83e842a +Author: Brad Spengler +Date: Sun Apr 6 18:59:00 2014 -0400 + + add compiler.h to path.h + + include/linux/path.h | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 697d5a873545a0ee00e2bffbf74ba5faae55c286 +Author: Brad Spengler +Date: Sun Apr 6 18:37:18 2014 -0400 + + fix typo + + security/tomoyo/tomoyo.c | 5 ----- + 1 files changed, 0 insertions(+), 5 deletions(-) + +commit d1a22c83e7a3175d894b8ceb0f01b77fe499db28 +Author: Brad Spengler +Date: Sun Apr 6 17:58:39 2014 -0400 + + fix tomoyo compilation with RANDSTRUCT + + Conflicts: + + security/tomoyo/tomoyo.c + + security/tomoyo/tomoyo.c | 27 ++++++++++++++++----------- + 1 files changed, 16 insertions(+), 11 deletions(-) + +commit 96785c664a95a149773214bed1d7463ffad0441f +Author: Brad Spengler +Date: Sun Apr 6 17:50:38 2014 -0400 + + fix tomoyo compilation with RANDSTRUCT + + security/tomoyo/file.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 25475ea5ba7ec539347edb25d8d15eac6a9e65d1 +Author: Brad Spengler +Date: Sun Apr 6 17:43:47 2014 -0400 + + Fix tomoyo compilation with RANDSTRUCT + + security/tomoyo/file.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit bd744926b9496053982db351f2b087725e931ce2 +Author: Brad Spengler +Date: Sun Apr 6 17:23:09 2014 -0400 + + fix apparmor compilation with RANDSTRUCT + + security/apparmor/file.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 6a70a4ca3f2f5b2f9f2f1c500a3b39813f980091 +Author: Brad Spengler +Date: Sun Apr 6 17:11:40 2014 -0400 + + fix apparmor compilation with RANDSTRUCT + + security/apparmor/lsm.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 6d5c843ec117929962b0b5e36b6efe36d7008489 +Author: Brad Spengler +Date: Sun Apr 6 16:58:35 2014 -0400 + + add __randomize_layout to more important structures + + Conflicts: + + include/linux/filter.h + include/net/af_unix.h + include/net/sock.h + + include/linux/binfmts.h | 4 ++-- + include/linux/path.h | 2 +- + include/linux/security.h | 2 +- + include/linux/tty_driver.h | 2 +- + include/net/af_unix.h | 2 +- + include/net/sock.h | 4 ++-- + 6 files changed, 8 insertions(+), 8 deletions(-) + +commit 2d58b7af7d974cf11c9b6fcaafc098f68925b28d +Merge: f7886f6 fc6d889 +Author: Brad Spengler +Date: Sun Apr 6 09:10:40 2014 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + tools/gcc/Makefile + +commit fc6d8892f8370cc6b246aab23dfe3ce472da9058 +Author: Brad Spengler +Date: Sun Apr 6 09:06:24 2014 -0400 + + Update to pax-linux-3.13.9-test19.patch: + - updated the hash database for external modules, by Emese + - fixed regression in gcc plugin compilation when compiling with ccache, reported by ncopa + - proper fix for 309944be296efbb3ca4737d12ef49d2ba97cbecc upstream + - fixed plugin compilation under gcc 4.5, reported by Emese Revfy + - Emese added support for out-of-tree modules for the size overflow plugin, fixes https://bugs.gentoo.org/show_bug.cgi?id=505594 + + arch/x86/boot/compressed/misc.c | 7 +- + drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- + scripts/gcc-plugin.sh | 4 +- + tools/gcc/Makefile | 12 ++- + tools/gcc/gcc-common.h | 1 + + tools/gcc/generate_size_overflow_hash.sh | 5 +- + tools/gcc/size_overflow_hash_aux.data | 83 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 25 ++++-- + 8 files changed, 123 insertions(+), 18 deletions(-) + +commit f7886f6633822747782b7206b371ea521eee3f0b +Author: Brad Spengler +Date: Sun Apr 6 08:34:08 2014 -0400 + + This reverts commit 31dee23268ac47eaaafacb186229bc14fb84fa9b. + + net/socket.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 0f1d45357477cb7658e7dc361c7ac67678d7a9b9 +Merge: ca30500 6bf7e1d +Author: Brad Spengler +Date: Sat Apr 5 18:09:10 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 6bf7e1df5475a7244d717546bd5c0569acdf8215 +Merge: 20f0a08 bf061ff +Author: Brad Spengler +Date: Sat Apr 5 18:08:56 2014 -0400 + + Merge branch 'linux-3.13.y' into pax-test + +commit ca305006c767819ee7924d7ea952a8f9c817d2a7 +Author: Pablo Neira +Date: Tue Apr 1 19:38:44 2014 +0200 + + Upstream commit: 8b7b932434f5eee495b91a2804f5b64ebb2bc835 + + netlink: don't compare the nul-termination in nla_strcmp + + nla_strcmp compares the string length plus one, so it's implicitly + including the nul-termination in the comparison. + + int nla_strcmp(const struct nlattr *nla, const char *str) + { + int len = strlen(str) + 1; + ... + d = memcmp(nla_data(nla), str, len); + + However, if NLA_STRING is used, userspace can send us a string without + the nul-termination. This is a problem since the string + comparison will not match as the last byte may be not the + nul-termination. + + Fix this by skipping the comparison of the nul-termination if the + attribute data is nul-terminated. Suggested by Thomas Graf. + + Cc: Florian Westphal + Cc: Thomas Graf + Signed-off-by: Pablo Neira Ayuso + Signed-off-by: David S. Miller + + lib/nlattr.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 4676a42ce0a63b9713d315c715d6f863d6388bf2 +Author: Oleg Nesterov +Date: Wed Apr 2 17:45:05 2014 +0200 + + Upstream commit: d23082257d83e4bc89727d5aedee197e907999d2 + + pid_namespace: pidns_get() should check task_active_pid_ns() != NULL + + pidns_get()->get_pid_ns() can hit ns == NULL. This task_struct can't + go away, but task_active_pid_ns(task) is NULL if release_task(task) + was already called. Alternatively we could change get_pid_ns(ns) to + check ns != NULL, but it seems that other callers are fine. + + Signed-off-by: Oleg Nesterov + Cc: Eric W. Biederman ebiederm@xmission.com> + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + kernel/pid_namespace.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit b2c5c8d231e1749fe42698c6be31a49b46b8eb7e +Author: YOSHIFUJI Hideaki / 吉藤英明 +Date: Wed Apr 2 12:48:42 2014 +0900 + + Upstream commit: 77bc6bed7121936bb2e019a8c336075f4c8eef62 + + isdnloop: Validate NUL-terminated strings from user. + + Return -EINVAL unless all of user-given strings are correctly + NUL-terminated. + + Signed-off-by: YOSHIFUJI Hideaki + Signed-off-by: David S. Miller + + drivers/isdn/isdnloop/isdnloop.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit abceea2065cb053917751b02a02e87134d5af5b0 +Author: Wei Liu +Date: Tue Apr 1 12:46:12 2014 +0100 + + Upstream commit: e9d8b2c2968499c1f96563e6522c56958d5a1d0d + + xen-netback: disable rogue vif in kthread context + + When netback discovers frontend is sending malformed packet it will + disables the interface which serves that frontend. + + However disabling a network interface involving taking a mutex which + cannot be done in softirq context, so we need to defer this process to + kthread context. + + This patch does the following: + 1. introduce a flag to indicate the interface is disabled. + 2. check that flag in TX path, don't do any work if it's true. + 3. check that flag in RX path, turn off that interface if it's true. + + The reason to disable it in RX path is because RX uses kthread. After + this change the behavior of netback is still consistent -- it won't do + any TX work for a rogue frontend, and the interface will be eventually + turned off. + + Also change a "continue" to "break" after xenvif_fatal_tx_err, as it + doesn't make sense to continue processing packets if frontend is rogue. + + This is a fix for XSA-90. + + Reported-by: Török Edwin + Signed-off-by: Wei Liu + Cc: Ian Campbell + Reviewed-by: David Vrabel + Acked-by: Ian Campbell + Signed-off-by: David S. Miller + + drivers/net/xen-netback/common.h | 5 +++++ + drivers/net/xen-netback/interface.c | 11 +++++++++++ + drivers/net/xen-netback/netback.c | 16 ++++++++++++++-- + 3 files changed, 30 insertions(+), 2 deletions(-) + +commit ff438506da3cf85c07f3f3c80429f87138502d82 +Author: Brad Spengler +Date: Thu Apr 3 11:34:13 2014 -0400 + + revert last change + + net/core/filter.c | 5 ----- + 1 files changed, 0 insertions(+), 5 deletions(-) + +commit aed17226225c496cea10f90db89cb5f505ce5c3a +Author: Brad Spengler +Date: Thu Apr 3 10:38:55 2014 -0400 + + harden non-JIT socket filters against memory corruption occuring after + check time + + net/core/filter.c | 12 ++++++------ + 1 files changed, 6 insertions(+), 6 deletions(-) + +commit 8153c4335a8c655d0dc51fb547bf257339faabe3 +Author: Brad Spengler +Date: Thu Apr 3 11:01:13 2014 -0400 + + add additional checking, convert WARN to a BUG since we should be able to filter + out any invalid ops at filter install time -- finding them during runtime is + a sign of memory corruption + + Conflicts: + + net/core/filter.c + + net/core/filter.c | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletions(-) + +commit cf4164083c37d1f301ab28f5cf102b875c6a3057 +Author: Brad Spengler +Date: Thu Apr 3 07:39:34 2014 -0400 + + Update documentation on chroot to notify users that chrooting to + a bind mount of the root filesystem provides no security benefits + and will not trigger the chroot protections. + + grsecurity/Kconfig | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 809c33c81db39b5e0a2f8b8953f156d3ae2bc9d4 +Merge: b224936 20f0a08 +Author: Brad Spengler +Date: Tue Apr 1 18:41:17 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 20f0a08510a47d6d31c29da6ff3bd093a62cfdd1 +Merge: 6b71ad0 5366635 +Author: Brad Spengler +Date: Tue Apr 1 18:41:02 2014 -0400 + + Merge branch 'linux-3.13.y' into pax-test + +commit b224936088e49229a37e4a3b17567598161bb1c0 +Author: Sasha Levin +Date: Fri Mar 28 17:38:42 2014 +0100 + + Upstream commit: 05efa8c943b1d5d90fa8c8147571837573338bb6 + + random32: avoid attempt to late reseed if in the middle of seeding + + Commit 4af712e8df ("random32: add prandom_reseed_late() and call when + nonblocking pool becomes initialized") has added a late reseed stage + that happens as soon as the nonblocking pool is marked as initialized. + + This fails in the case that the nonblocking pool gets initialized + during __prandom_reseed()'s call to get_random_bytes(). In that case + we'd double back into __prandom_reseed() in an attempt to do a late + reseed - deadlocking on 'lock' early on in the boot process. + + Instead, just avoid even waiting to do a reseed if a reseed is already + occuring. + + Fixes: 4af712e8df99 ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized") + Signed-off-by: Sasha Levin + Acked-by: Hannes Frederic Sowa + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + lib/random32.c | 13 ++++++++++++- + 1 files changed, 12 insertions(+), 1 deletions(-) + +commit 9aa441e0e5aa2480ca073e33fcf6a9f5cdaabc81 +Author: Michael S. Tsirkin +Date: Thu Mar 27 12:00:26 2014 +0200 + + Upstream commit: d8316f3991d207fe32881a9ac20241be8fa2bad0 + + vhost: fix total length when packets are too short + + When mergeable buffers are disabled, and the + incoming packet is too large for the rx buffer, + get_rx_bufs returns success. + + This was intentional in order for make recvmsg + truncate the packet and then handle_rx would + detect err != sock_len and drop it. + + Unfortunately we pass the original sock_len to + recvmsg - which means we use parts of iov not fully + validated. + + Fix this up by detecting this overrun and doing packet drop + immediately. + + CVE-2014-0077 + + Signed-off-by: Michael S. Tsirkin + Signed-off-by: David S. Miller + + drivers/vhost/net.c | 14 ++++++++++++++ + 1 files changed, 14 insertions(+), 0 deletions(-) + +commit 43ee74030403a780a1e9418ab825f4d675ccdb47 +Merge: 9987cd5 6b71ad0 +Author: Brad Spengler +Date: Sun Mar 30 13:28:35 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 6b71ad024068595a2e4caa3393fbb4d531197e27 +Author: Brad Spengler +Date: Sun Mar 30 13:27:44 2014 -0400 + + Update to pax-linux-3.13.7-test17.patch: + - fixed a regression in the previous latent entropy plugin change, reported by spender + - fixed a regression in gcc-plugin.sh that could make cross-compilation fail, reported by Aniem + - hardened the hyper-v hypercall page access rights (rwx -> r-x), reported and tested by Hunger + + drivers/hv/hv.c | 2 +- + scripts/gcc-plugin.sh | 4 ++-- + tools/gcc/latent_entropy_plugin.c | 6 +++++- + 3 files changed, 8 insertions(+), 4 deletions(-) + +commit 9987cd5663f69ecc4d8bdfe80e46775ec081512c +Author: Wei Liu +Date: Sat Mar 15 16:11:47 2014 +0000 + + Upstream commit: 09ed3d5ba06137913960f9c9385f71fc384193ab + + xen/balloon: flush persistent kmaps in correct position + + Xen balloon driver will update ballooned out pages' P2M entries to point + to scratch page for PV guests. In 24f69373e2 ("xen/balloon: don't alloc + page while non-preemptible", kmap_flush_unused was moved after updating + P2M table. In that case for 32 bit PV guest we might end up with + + P2M X -----> S (S is mfn of balloon scratch page) + M2P Y -----> X (Y is mfn in persistent kmap entry) + + kmap_flush_unused() iterates through all the PTEs in the kmap address + space, using pte_to_page() to obtain the page. If the p2m and the m2p + are inconsistent the incorrect page is returned. This will clear + page->address on the wrong page which may cause subsequent oopses if + that page is currently kmap'ed. + + Move the flush back between get_page and __set_phys_to_machine to fix + this. + + Signed-off-by: Wei Liu + Signed-off-by: David Vrabel + Cc: stable@vger.kernel.org # 3.12+ + + drivers/xen/balloon.c | 24 ++++++++++++++++++------ + 1 files changed, 18 insertions(+), 6 deletions(-) + +commit f6481e295cb69c34218b694ba5fca6315cc90b71 +Author: David Vrabel +Date: Tue Mar 25 10:38:37 2014 +0000 + + Upstream commit: 5926f87fdaad4be3ed10cec563bf357915e55a86 + + Revert "xen: properly account for _PAGE_NUMA during xen pte translations" + + This reverts commit a9c8e4beeeb64c22b84c803747487857fe424b68. + + PTEs in Xen PV guests must contain machine addresses if _PAGE_PRESENT + is set and pseudo-physical addresses is _PAGE_PRESENT is clear. + + This is because during a domain save/restore (migration) the page + table entries are "canonicalised" and uncanonicalised". i.e., MFNs are + converted to PFNs during domain save so that on a restore the page + table entries may be rewritten with the new MFNs on the destination. + This canonicalisation is only done for PTEs that are present. + + This change resulted in writing PTEs with MFNs if _PAGE_PROTNONE (or + _PAGE_NUMA) was set but _PAGE_PRESENT was clear. These PTEs would be + migrated as-is which would result in unexpected behaviour in the + destination domain. Either a) the MFN would be translated to the + wrong PFN/page; b) setting the _PAGE_PRESENT bit would clear the PTE + because the MFN is no longer owned by the domain; or c) the present + bit would not get set. + + Symptoms include "Bad page" reports when munmapping after migrating a + domain. + + Signed-off-by: David Vrabel + Acked-by: Konrad Rzeszutek Wilk + Cc: [3.12+] + + arch/x86/include/asm/pgtable.h | 14 ++------------ + arch/x86/xen/mmu.c | 4 ++-- + 2 files changed, 4 insertions(+), 14 deletions(-) + +commit 29e56c3fdd2ff43c43f31e74bccc164c38ec96b2 +Author: Daniel Vetter +Date: Wed Mar 26 20:10:09 2014 +0100 + + Upstream commit: 8ee661b505613ef2747b350ca2871a31b3781bee + + drm/i915: Undo gtt scratch pte unmapping again + + It apparently blows up on some machines. This functionally reverts + + commit 828c79087cec61eaf4c76bb32c222fbe35ac3930 + Author: Ben Widawsky + Date: Wed Oct 16 09:21:30 2013 -0700 + + drm/i915: Disable GGTT PTEs on GEN6+ suspend + + Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=64841 + Reported-and-Tested-by: Brad Jackson + Cc: stable@vger.kernel.org + Cc: Takashi Iwai + Cc: Paulo Zanoni + Cc: Todd Previte + Signed-off-by: Daniel Vetter + Signed-off-by: Dave Airlie + + drivers/gpu/drm/i915/i915_gem_gtt.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f5fd5843a87569cfd8de8e8843ccb13e9e35afd5 +Author: Jan Kara +Date: Wed Mar 26 06:20:14 2014 +0100 + + Upstream commit: 75c5a52da3fc2a06abb6c6192bdf5d680e56d37d + + vfs: Allocate anon_inode_inode in anon_inode_init() + + Currently we allocated anon_inode_inode in anon_inodefs_mount. This is + somewhat fragile as if that function ever gets called again, it will + overwrite anon_inode_inode pointer. So move the initialization of + anon_inode_inode to anon_inode_init(). + + Signed-off-by: Jan Kara + [ Further simplified on suggestion from Dave Jones ] + Signed-off-by: Linus Torvalds + + fs/anon_inodes.c | 30 ++++++++---------------------- + 1 files changed, 8 insertions(+), 22 deletions(-) + +commit da2cc3c610141a5f41bd382b5ee7729893e3db12 +Author: Brad Spengler +Date: Thu Mar 27 21:54:11 2014 -0400 + + ignore noreturn functions for now in the latent_entropy plugin + + tools/gcc/latent_entropy_plugin.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 0d1e588588bc19f449d667b69ac76bad0584752d +Author: Brad Spengler +Date: Thu Mar 27 21:27:56 2014 -0400 + + update config help for GRKERNSEC_KMEM to reflect recent change to only deny writes to /dev/cpu/*/msr instead of denying access entirely, allows powertop etc to continue to work while denying/logging the malicious activity + + grsecurity/Kconfig | 12 +++++------- + 1 files changed, 5 insertions(+), 7 deletions(-) + +commit 4ad2f9fd7429c81e3b2115227685af06830d05c4 +Author: Brad Spengler +Date: Thu Mar 27 21:24:58 2014 -0400 + + Revert "Upstream commit: 2c4a33aba5f9ea3a28f2e40351f078d95f00786b" + + This reverts commit b6ab67fc7a47b542601dd116f934d255c9c2c372. + + kernel/trace/trace.c | 27 ++------------------------- + 1 files changed, 2 insertions(+), 25 deletions(-) + +commit 1a70975ec716c68b37758fbba95ab9b7b6165c8a +Author: Linus Torvalds +Date: Tue Mar 25 17:43:34 2014 -0700 + + Upstream commit: fce7fc79c8f7188dfc5eafa1b937bcc3c5a4c2f5 + + fs: remove now stale label in anon_inode_init() + + The previous commit removed the register_filesystem() call and the + associated error handling, but left the label for the error path that no + longer exists. Remove that too. + + Signed-off-by: Linus Torvalds + + fs/anon_inodes.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit 6c1ec97bac84bc22b1a37008193643b9bcab1a46 +Author: Jan Kara +Date: Tue Mar 25 21:37:09 2014 +0100 + + Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1 + + fs: Avoid userspace mounting anon_inodefs filesystem + + anon_inodefs filesystem is a kernel internal filesystem userspace + shouldn't mess with. Remove registration of it so userspace cannot + even try to mount it (which would fail anyway because the filesystem is + MS_NOUSER). + + This fixes an oops triggered by trinity when it tried mounting + anon_inodefs which overwrote anon_inode_inode pointer while other CPU + has been in anon_inode_getfile() between ihold() and d_instantiate(). + Thus effectively creating dentry pointing to an inode without holding a + reference to it. + + Reported-by: Sasha Levin + Signed-off-by: Jan Kara + Signed-off-by: Linus Torvalds + + fs/anon_inodes.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 1e03cd2f178d167cc13e29836c1cb040aeea8d0f +Author: Al Viro +Date: Sun Mar 23 00:28:40 2014 -0400 + + Upstream commit: e825196d48d2b89a6ec3a8eff280098d2a78207e + + make prepend_name() work correctly when called with negative *buflen + + In all callchains leading to prepend_name(), the value left in *buflen + is eventually discarded unused if prepend_name() has returned a negative. + So we are free to do what prepend() does, and subtract from *buflen + *before* checking for underflow (which turns into checking the sign + of subtraction result, of course). + + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/dcache.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 8c174b004c6eed3d46e9888385207f454599aa23 +Author: Al Viro +Date: Thu Mar 20 15:18:22 2014 -0400 + + Upstream commit: b37199e626b31e1175fb06764c5d1d687723aac2 + + rcuwalk: recheck mount_lock after mountpoint crossing attempts + + We can get false negative from __lookup_mnt() if an unrelated vfsmount + gets moved. In that case legitimize_mnt() is guaranteed to fail, + and we will fall back to non-RCU walk... unless we end up running + into a hard error on a filesystem object we wouldn't have reached + if not for that false negative. IOW, delaying that check until + the end of pathname resolution is wrong - we should recheck right + after we attempt to cross the mountpoint. We don't need to recheck + unless we see d_mountpoint() being true - in that case even if + we have just raced with mount/umount, we can simply go on as if + we'd come at the moment when the sucker wasn't a mountpoint; if we + run into a hard error as the result, it was a legitimate outcome. + __lookup_mnt() returning NULL is different in that respect, since + it might've happened due to operation on completely unrelated + mountpoint. + + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/namei.c | 29 +++++++++++++---------------- + 1 files changed, 13 insertions(+), 16 deletions(-) + +commit b6ab67fc7a47b542601dd116f934d255c9c2c372 +Author: Steven Rostedt (Red Hat) +Date: Tue Mar 25 23:39:41 2014 -0400 + + Upstream commit: 2c4a33aba5f9ea3a28f2e40351f078d95f00786b + + tracing: Fix traceon trigger condition to actually turn tracing on + + While working on my tutorial for 2014 Linux Collaboration Summit + I found that the traceon trigger did not work when conditions were + used. The other triggers worked fine though. Looking into it, it + is because of the way the triggers use the ring buffer to store + the fields it will use for the condition. But if tracing is off, nothing + is stored in the buffer, and the tracepoint exits before calling the + trigger to test the condition. This is fine for all the triggers that + only work when tracing is on, but for traceon trigger that is to + work when tracing is off, nothing happens. + + The fix is simple, just use a temp ring buffer to record the event + if tracing is off and the event has a trace event conditional trigger + enabled. The rest of the tracepoint code will work just fine, but + the tracepoint wont be recorded in the other buffers. + + Cc: Tom Zanussi + Signed-off-by: Steven Rostedt + + kernel/trace/trace.c | 27 +++++++++++++++++++++++++-- + 1 files changed, 25 insertions(+), 2 deletions(-) + +commit 3b8aebe0c4cffda5d5bfc738e7a02fd320184b06 +Author: Eric Dumazet +Date: Tue Mar 25 18:42:27 2014 -0700 + + Upstream commit: de1443916791d75fdd26becb116898277bb0273f + + net: unix: non blocking recvmsg() should not return -EINTR + + Some applications didn't expect recvmsg() on a non blocking socket + could return -EINTR. This possibility was added as a side effect + of commit b3ca9b02b00704 ("net: fix multithreaded signal handling in + unix recv routines"). + + To hit this bug, you need to be a bit unlucky, as the u->readlock + mutex is usually held for very small periods. + + Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines") + Signed-off-by: Eric Dumazet + Cc: Rainer Weikusat + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 17 ++++++++++++----- + 1 files changed, 12 insertions(+), 5 deletions(-) + +commit 1bb09af0e99a5b3f3006e4fedf9bba1c3ed3d9d4 +Merge: 5473ce5 0a11cb5 +Author: Brad Spengler +Date: Thu Mar 27 20:00:42 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0a11cb57b4afce8c08851aef512f873bdb3d9943 +Author: Brad Spengler +Date: Thu Mar 27 20:00:02 2014 -0400 + + Update to pax-linux-3.13.7-test16.patch: + - updated the size overflow hast table, by spender + - fixed the gcc plugin capability detector script for gcc 4.9 + - fixed the latent entropy plugin to use the intended successor blocks instead of what happens to be next in the block list + - changed the initial task's and the idle tasks' starting stack address to be consistent with the other stacks (top 2 slots are unused) + - removed the pointless retaddr instrumentation from the low level kernel relocator code + + arch/x86/kernel/head_64.S | 2 +- + arch/x86/kernel/relocate_kernel_64.S | 2 -- + arch/x86/kernel/smpboot.c | 2 +- + scripts/gcc-plugin.sh | 17 ++++++++--------- + tools/gcc/latent_entropy_plugin.c | 10 ++++++---- + tools/gcc/size_overflow_hash.data | 6 ++++++ + 6 files changed, 22 insertions(+), 17 deletions(-) + +commit 5473ce509ab763c927aa2639f7db8aee384d3693 +Author: Eric Dumazet +Date: Wed Mar 19 21:02:21 2014 -0700 + + Upstream commit: 632623153196bf183a69686ed9c07eee98ff1bf8 + + tcp: syncookies: do not use getnstimeofday() + + While it is true that getnstimeofday() uses about 40 cycles if TSC + is available, it can use 1600 cycles if hpet is the clocksource. + + Switch to get_jiffies_64(), as this is more than enough, and + go back to 60 seconds periods. + + Fixes: 8c27bd75f04f ("tcp: syncookies: reduce cookie lifetime to 128 seconds") + Signed-off-by: Eric Dumazet + Cc: Florian Westphal + Acked-by: Florian Westphal + Signed-off-by: David S. Miller + + include/net/tcp.h | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit 580a16424470410a1655dd62f71847725a89e1f0 +Author: Dave Kleikamp +Date: Fri Mar 14 10:42:01 2014 -0500 + + Upstream commit: 1535bd8adbdedd60a0ee62e28fd5225d66434371 + + sparc64: don't treat 64-bit syscall return codes as 32-bit + + When checking a system call return code for an error, + linux_sparc_syscall was sign-extending the lower 32-bit value and + comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return + codes whose lower 32-bits alone would indicate a failure (such as 4G-1). + Use the whole 64-bit value to check for errors. Only the 32-bit path + should sign extend the lower 32-bit value. + + Signed-off-by: Dave Kleikamp + Acked-by: Bob Picco + Acked-by: Allen Pais + Cc: David S. Miller + Cc: sparclinux@vger.kernel.org + Signed-off-by: David S. Miller + + arch/sparc/kernel/syscalls.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 29127b7a71024630e40d98ec08c77e3feb584e7e +Author: Brad Spengler +Date: Tue Mar 25 17:07:59 2014 -0400 + + update size_overflow hash table + + tools/gcc/size_overflow_hash.data | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit d42eece8853149008b9645106936f9cd4ddb38bc +Merge: df4b222 cb629d4 +Author: Brad Spengler +Date: Mon Mar 24 19:07:49 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cb629d4458d7491cc16580860c234f85c463111d +Merge: 3afa257 896c694 +Author: Brad Spengler +Date: Mon Mar 24 19:07:30 2014 -0400 + + Merge branch 'linux-3.13.y' into pax-test + + Conflicts: + arch/x86/kernel/head_32.S + drivers/cpufreq/intel_pstate.c + +commit df4b2229045f125eaa91dd2a696e56c589f8c962 +Merge: e440e3a 3afa257 +Author: Brad Spengler +Date: Mon Mar 24 18:55:45 2014 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 3afa2576ef64a8266c5a2f142e3cb3c970f21d3c +Author: Brad Spengler +Date: Mon Mar 24 18:54:38 2014 -0400 + + Update to pax-linux-3.13.7-test15.patch: + - fixed several compilation problems on arm all*configs, by spender + - small update to gcc-common.h + - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only) + + Makefile | 2 +- + arch/arm/include/asm/uaccess.h | 1 + + arch/ia64/include/asm/uaccess.h | 1 + + arch/powerpc/include/asm/uaccess.h | 1 + + arch/powerpc/mm/mmap.c | 6 +++--- + arch/s390/include/asm/uaccess.h | 1 + + arch/x86/include/asm/uaccess.h | 2 +- + arch/x86/include/asm/uaccess_64.h | 12 ++++++------ + 8 files changed, 15 insertions(+), 11 deletions(-) + +commit e440e3aa4b4662f8d811120a87f51d8ab48d9c90 +Author: Brad Spengler +Date: Thu Mar 20 23:16:11 2014 -0400 + + convert hvc tty driver to proper refcounted atomics on port.count, fixes ppc64 allyesconfig compilation + + drivers/tty/hvc/hvsi.c | 10 +++++----- + 1 files changed, 5 insertions(+), 5 deletions(-) + +commit 013c6d73e4a4ae358ee180b40428f3dd04dd3aa8 +Author: Brad Spengler +Date: Thu Mar 20 22:53:31 2014 -0400 + + add local_unchecked_t accessors to fix ppc64 compilation + + arch/powerpc/include/asm/local.h | 15 +++++++++++++++ + 1 files changed, 15 insertions(+), 0 deletions(-) + +commit 1cffa7895513b754c95673b12a8c638797e5b7e2 +Author: Brad Spengler +Date: Thu Mar 20 22:25:47 2014 -0400 + + add access_ok_noprefault macro to fix ppc64+kvm compilation, patch + from pipacs + + arch/arm/include/asm/uaccess.h | 1 + + arch/arm64/include/asm/uaccess.h | 1 + + arch/ia64/include/asm/uaccess.h | 1 + + arch/mips/include/asm/uaccess.h | 1 + + arch/powerpc/include/asm/uaccess.h | 1 + + arch/s390/include/asm/uaccess.h | 1 + + arch/x86/include/asm/uaccess.h | 2 +- + arch/x86/include/asm/uaccess_64.h | 12 ++++++------ + arch/x86/mm/gup.c | 4 ++-- + virt/kvm/kvm_main.c | 2 +- + 10 files changed, 16 insertions(+), 10 deletions(-) + +commit 58bdcb9b494eb7ab916ead7944e444d0a6af5002 +Author: Brad Spengler +Date: Thu Mar 20 21:53:32 2014 -0400 + + correct function definition for kvm_arch_init() to fix compilation on ppc64 + + arch/powerpc/kvm/powerpc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e3eb6820bfec5b4a4bfbb0056c057d50b8df4997 +Author: Brad Spengler +Date: Thu Mar 20 21:47:35 2014 -0400 + + fix ppc64 allyesconfig compilation with RANDSTRUCT + + arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit fb017032977cb38d750fe9b9a11d22fc565e576f +Author: Brad Spengler +Date: Thu Mar 20 21:36:39 2014 -0400 + + use $(LATENT_ENTROPY_PLUGIN_CFLAGS) + + arch/powerpc/kernel/Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e795367c8c4d750c3900f6546365ca27b9a8aad5 +Author: Brad Spengler +Date: Thu Mar 20 21:24:01 2014 -0400 + + move REMOVE_CFLAGS + + arch/powerpc/kernel/Makefile | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit f80a67cf62542dbab790fcad2395c00e6534c26d +Author: Brad Spengler +Date: Thu Mar 20 20:30:35 2014 -0400 + + fix compilation by removing the latent entropy plugin from prom_init.c -- there's + a script for ppc64 that checks the object file for a whitelisted set of + exported symbols, code is very fragile + + arch/powerpc/kernel/Makefile | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit cafe563e6cc19e3510c2f341c12440fdbd77a2aa +Author: Brad Spengler +Date: Thu Mar 20 20:28:07 2014 -0400 + + export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64 + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 90330189b37110d8343edd37147bb5c666feede4 +Author: Brad Spengler +Date: Thu Mar 20 20:24:53 2014 -0400 + + fix ppc64 compilation, pass mm_struct through from arch_pick_mmap_layout + + arch/powerpc/mm/mmap.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 765a84b5300316d57eb9b82f7d941750d9ddf9ec +Author: Brad Spengler +Date: Wed Mar 19 21:53:12 2014 -0400 + + add ktla_ktva/ktva_ktla to sparc to fix compilation + + arch/sparc/include/asm/pgtable.h | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 896004e18909d7de9ffe295180e12c275a623990 +Author: Brad Spengler +Date: Wed Mar 19 21:32:20 2014 -0400 + + remove __read_mostly on ip_vs_genl_ops[], it's const so the attribute is bogus and causes compilation failure on MIPS + + net/netfilter/ipvs/ip_vs_ctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 143dcb4ff8b259163f978c468663dcaebfe573b4 +Author: Brad Spengler +Date: Wed Mar 19 21:18:46 2014 -0400 + + Include second patch needed for compilation, not yet included by + upstream (so MIPS compilation is broken there): + http://patchwork.linux-mips.org/patch/6585/ + + arch/mips/include/asm/ftrace.h | 20 ++++++++++---------- + 1 files changed, 10 insertions(+), 10 deletions(-) + +commit b464eb7ac1132953ab99ff25826478e32690844f +Author: Markos Chandras +Date: Wed Jan 22 14:39:57 2014 +0000 + + Upstream commit: a8031d2ce15bdb90baeae02d7a231ccece73da8b + + MIPS: asm: syscall: Fix copying system call arguments + + The syscall_get_arguments function expects the arguments to be copied + to the '*args' argument but instead a local variable was used to hold + the system call argument. As a result of which, this variable was + never passed to the filter and any filter testing the system call + arguments would fail. This is fixed by passing the '*args' variable + as the destination memory for the system call arguments. + + Signed-off-by: Markos Chandras + Reviewed-by: Paul Burton + Reviewed-by: James Hogan + Cc: linux-mips@linux-mips.org + Patchwork: https://patchwork.linux-mips.org/patch/6402/ + Signed-off-by: Ralf Baechle + + arch/mips/include/asm/syscall.h | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit b8f9d6f82e2fb814be37391109623d79e297571d +Author: Brad Spengler +Date: Wed Mar 19 21:01:40 2014 -0400 + + add ktla_ktva/ktva_ktla macros to MIPS + + arch/mips/include/asm/pgtable.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit f0f660649f3b2cf1d448940ca8b7f4ab4249d8ce +Author: Brad Spengler +Date: Wed Mar 19 20:46:38 2014 -0400 + + include linux/prefetch.h to fix mips compilation + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 514ec7617daa1a925a0ec0fa910335396213ef45 +Author: Brad Spengler +Date: Wed Mar 19 20:45:59 2014 -0400 + + Revert "fix compiler warning in hugetlbfs code" + + This reverts commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0. + + fs/hugetlbfs/inode.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6da49b57e2795853a453f596e0b874aece27aa4b +Author: Viller Hsiao +Date: Sat Feb 22 15:46:49 2014 +0800 + + Upstream commit: a4671094227d11985c06ee1178d7205c5fd39f8a + + MIPS: ftrace: Fix icache flush range error + + In 32-bit mode, the start address passed to flush_icache_range is + shifted by 4 bytes before the second safe_store_code() call. + + This causes system crash from time to time because the first 4 bytes + might not be flushed properly. This bug exists since linux-3.8. + + Also remove obsoleted comment while at it. + + Signed-off-by: Viller Hsiao + Cc: linux-mips@linux-mips.org + Cc: rostedt@goodmis.org + Cc: fweisbec@gmail.com + Cc: mingo@redhat.com + Cc: Qais.Yousef@imgtec.com + Patchwork: https://patchwork.linux-mips.org/patch/6586/ + Signed-off-by: Ralf Baechle + + arch/mips/kernel/ftrace.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit 624ddea7bbda3535b7c9a779b6ff149e93863321 +Author: Lars Persson +Date: Mon Mar 17 12:14:13 2014 +0100 + + Upstream commit: 86ca57b5a5525dbf89fc2a3285781fae807276b0 + + MIPS: Fix syscall tracing interface + + Fix pointer computation for stack-based arguments. + + Signed-off-by: Lars Persson + Cc: linux-mips@linux-mips.org + Patchwork: https://patchwork.linux-mips.org/patch/6620/ + Signed-off-by: Ralf Baechle + + arch/mips/include/asm/syscall.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7bf3daf307906cd7d03cb6eb64559ee98cdf3182 +Author: Brad Spengler +Date: Wed Mar 19 20:28:16 2014 -0400 + + fix octeon compilation, add __maybe_unused to usp local var + + arch/mips/include/asm/syscall.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0 +Author: Brad Spengler +Date: Wed Mar 19 19:46:52 2014 -0400 + + fix compiler warning in hugetlbfs code + + fs/hugetlbfs/inode.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 43783f55374fe9bafc064ceacf915920ca45a6c5 +Merge: e018f0a aae8b87 +Author: Brad Spengler +Date: Mon Mar 17 19:51:01 2014 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/gpio/gpio-rcar.c + +commit aae8b8720beec7c79d17ddd4f7d55bac0e83d5c6 +Author: Brad Spengler +Date: Mon Mar 17 19:48:43 2014 -0400 + + Update to pax-linux-3.13.6-test14.patch: + - fixed several compilation problems on arm all*configs, by spender + - small update to gcc-common.h + - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only) + + arch/arm/include/asm/page.h | 1 + + drivers/base/power/domain.c | 4 +- + drivers/gpio/gpio-em.c | 2 +- + drivers/gpio/gpio-rcar.c | 2 +- + drivers/mfd/ab8500-debugfs.c | 2 +- + drivers/net/can/Kconfig | 2 +- + drivers/staging/imx-drm/imx-drm-core.c | 6 +- + include/linux/pm_domain.h | 2 +- + tools/gcc/gcc-common.h | 12 +++ + tools/gcc/size_overflow_plugin.c | 116 +++++++++++++++++++++++--------- + 10 files changed, 106 insertions(+), 43 deletions(-) + +commit e018f0a38370496abe4289911eb67f1816cdc65d +Author: Brad Spengler +Date: Mon Mar 17 19:12:04 2014 -0400 + + move the location of the include to suit pipacs' OCD + + arch/arm/include/asm/page.h | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit bb6742b0e35d1ee42ec643ea921a340d672ec3bc +Author: Brad Spengler +Date: Mon Mar 17 18:01:11 2014 -0400 + + revert lustre change, we'll include compiler.h from asm/page.h instead + + .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit a39c965db54a571780b9844d93cfec71265b2c5e +Author: Brad Spengler +Date: Mon Mar 17 18:00:13 2014 -0400 + + fix ARM compilation with constify plugin + + arch/arm/include/asm/page.h | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 721fb83dc182e1442311b8ca3a986963f9cf2b76 +Author: Brad Spengler +Date: Mon Mar 17 17:18:04 2014 -0400 + + move header ordering + + .../lustre/include/linux/lnet/linux/lib-lnet.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 985afa44870e690fce35adf47979a99855db3323 +Author: Brad Spengler +Date: Mon Mar 17 17:02:24 2014 -0400 + + compile fix for lustre on ARM with constify plugin + + .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e5c4fe3e8fb7e1a64f1ab29887b7f787cc989c24 +Author: Brad Spengler +Date: Mon Mar 17 16:04:34 2014 -0400 + + fix compiler error caused by constify plugin on ARM + + drivers/mfd/ab8500-debugfs.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b6e2f644cf05a858d3988fb9bb8a8ca6c0beeff4 +Author: Brad Spengler +Date: Mon Mar 17 15:46:53 2014 -0400 + + fix more compile errors caused by RANDSTRUCT and constify plugins on ARM + + drivers/base/power/domain.c | 4 ++-- + include/linux/pm_domain.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 2d33f0f25f7ee45412728f8bad6ef97b5bf40a66 +Author: Brad Spengler +Date: Mon Mar 17 15:34:17 2014 -0400 + + fix another compile error caused by constify plugin on ARM + + drivers/gpio/gpio-rcar.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 05b33c660567d4dc74ebcd06e996bf0656146757 +Author: Brad Spengler +Date: Mon Mar 17 15:08:49 2014 -0400 + + fix compile error caused by constify plugin on ARM + + drivers/gpio/gpio-em.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b9c8e0a83ba19e0228317675ffb4e1c1fb175b31 +Author: Brad Spengler +Date: Sun Mar 16 21:17:20 2014 -0400 + + fix allyesconfig compilation with PAX_REFCOUNT + + drivers/staging/imx-drm/imx-drm-core.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit b855bafd2e8d4b50c13586e5a00905fb9c03ed5a +Author: Brad Spengler +Date: Sun Mar 16 21:04:10 2014 -0400 + + fix arm allmodconfig + + drivers/net/can/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 611bf735a4def802205cc83a131ec9c77c194662 +Author: Brad Spengler +Date: Fri Mar 14 20:12:02 2014 -0400 + + add /usr/share/apport/apport to the allowed userland exec paths -- + because apparently some distros have no problem just throwing + critical binaries around anywhere. + + kernel/kmod.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 51692fc9a6be048dd0500f78f97aed4db87bc359 +Merge: 54fa0d5 7fcc1d0 +Author: Brad Spengler +Date: Fri Mar 14 20:09:56 2014 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/mips/mm/mmap.c + +commit 7fcc1d01537c3e4d4cb3494b4e19890864473376 +Author: Brad Spengler +Date: Fri Mar 14 20:08:19 2014 -0400 + + Update to pax-linux-3.13.6-test13.patch: + - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen + + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/kernel/setup.c | 4 ++-- + arch/arm/mm/mmu.c | 2 +- + arch/mips/cavium-octeon/dma-octeon.c | 2 +- + arch/mips/include/asm/hw_irq.h | 2 +- + arch/mips/kernel/i8259.c | 2 +- + arch/mips/kernel/irq-gt641xx.c | 2 +- + arch/mips/kernel/reset.c | 4 ++++ + arch/mips/mm/mmap.c | 2 +- + arch/mips/pci/pci-octeon.c | 4 ++-- + arch/mips/pci/pcie-octeon.c | 12 ++++++------ + arch/mips/sni/rm200.c | 2 +- + arch/mips/vr41xx/common/icu.c | 2 +- + arch/mips/vr41xx/common/irq.c | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 2 +- + ipc/mq_sysctl.c | 2 +- + kernel/panic.c | 2 +- + 18 files changed, 29 insertions(+), 25 deletions(-) + +commit 54fa0d51929173d4eb6c060ea966ec5abe32faaf +Author: Brad Spengler +Date: Wed Mar 12 22:54:32 2014 -0400 + + add support for PAX_EMUTRAMP by default in the autoconfig + + security/Kconfig | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 1a3518d87b5faa66b5684569bfe84024edc955ce +Author: Laura Abbott +Date: Mon Mar 10 15:49:44 2014 -0700 + + Upstream commit: 2af120bc040c5ebcda156df6be6a66610ab6957f + + mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block + + We received several reports of bad page state when freeing CMA pages + previously allocated with alloc_contig_range: + + BUG: Bad page state in process Binder_A pfn:63202 + page:d21130b0 count:0 mapcount:1 mapping: (null) index:0x7dfbf + page flags: 0x40080068(uptodate|lru|active|swapbacked) + + Based on the page state, it looks like the page was still in use. The + page flags do not make sense for the use case though. Further debugging + showed that despite alloc_contig_range returning success, at least one + page in the range still remained in the buddy allocator. + + There is an issue with isolate_freepages_block. In strict mode (which + CMA uses), if any pages in the range cannot be isolated, + isolate_freepages_block should return failure 0. The current check + keeps track of the total number of isolated pages and compares against + the size of the range: + + if (strict && nr_strict_required > total_isolated) + total_isolated = 0; + + After taking the zone lock, if one of the pages in the range is not in + the buddy allocator, we continue through the loop and do not increment + total_isolated. If in the last iteration of the loop we isolate more + than one page (e.g. last page needed is a higher order page), the check + for total_isolated may pass and we fail to detect that a page was + skipped. The fix is to bail out if the loop immediately if we are in + strict mode. There's no benfit to continuing anyway since we need all + pages to be isolated. Additionally, drop the error checking based on + nr_strict_required and just check the pfn ranges. This matches with + what isolate_freepages_range does. + + Signed-off-by: Laura Abbott + Acked-by: Minchan Kim + Cc: Mel Gorman + Acked-by: Vlastimil Babka + Cc: Joonsoo Kim + Acked-by: Bartlomiej Zolnierkiewicz + Acked-by: Michal Nazarewicz + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/compaction.c | 20 +++++++++++++------- + 1 files changed, 13 insertions(+), 7 deletions(-) + +commit 6c2a0937a7bb61db66b01160334fa83c93c05c7b +Author: Artem Fetishev +Date: Mon Mar 10 15:49:45 2014 -0700 + + Upstream commit: 70335abb2689c8cd5df91bf2d95a65649addf50b + + fs/proc/base.c: fix GPF in /proc/$PID/map_files + + The expected logic of proc_map_files_get_link() is either to return 0 + and initialize 'path' or return an error and leave 'path' uninitialized. + + By the time dname_to_vma_addr() returns 0 the corresponding vma may have + already be gone. In this case the path is not initialized but the + return value is still 0. This results in 'general protection fault' + inside d_path(). + + Steps to reproduce: + + CONFIG_CHECKPOINT_RESTORE=y + + fd = open(...); + while (1) { + mmap(fd, ...); + munmap(fd, ...); + } + + ls -la /proc/$PID/map_files + + Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991 + + Signed-off-by: Artem Fetishev + Signed-off-by: Aleksandr Terekhov + Reported-by: + Acked-by: Pavel Emelyanov + Acked-by: Cyrill Gorcunov + Reviewed-by: "Eric W. Biederman" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/proc/base.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 34d22047e821cdae1d31beb2fdda8e6e9fe40cdf +Author: Matthew Leach +Date: Tue Mar 11 11:58:27 2014 +0000 + + Upstream commit: dbb490b96584d4e958533fb637f08b557f505657 + + net: socket: error on a negative msg_namelen + + When copying in a struct msghdr from the user, if the user has set the + msg_namelen parameter to a negative value it gets clamped to a valid + size due to a comparison between signed and unsigned values. + + Ensure the syscall errors when the user passes in a negative value. + + Signed-off-by: Matthew Leach + Signed-off-by: David S. Miller + + net/socket.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit a28f7e3e1ec4d26bf7734c70ca3b6107e54597ca +Author: Alexei Starovoitov +Date: Mon Mar 10 15:56:51 2014 -0700 + + Upstream commit: fdfaf64e75397567257e1051931f9a3377360665 + + x86: bpf_jit: support negative offsets + + Commit a998d4342337 claimed to introduce negative offset support to x86 jit, + but it couldn't be working, since at the time of the execution + of LD+ABS or LD+IND instructions via call into + bpf_internal_load_pointer_neg_helper() the %edx (3rd argument of this func) + had junk value instead of access size in bytes (1 or 2 or 4). + + Store size into %edx instead of %ecx (what original commit intended to do) + + Fixes: a998d4342337 ("bpf jit: Let the x86 jit handle negative offsets") + Signed-off-by: Alexei Starovoitov + Cc: Jan Seiffert + Cc: Eric Dumazet + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + arch/x86/net/bpf_jit.S | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 977ee3909139082a57a04afbb8e9ee202475aa27 +Author: Brad Spengler +Date: Wed Mar 12 19:21:43 2014 -0400 + + Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up -- + if an attacker had an arbitrary read vuln and ability to redirect control flow, + he could, in ~2,000,000,000 attempts have a 50% chance of pre-selecting a + 32bit random key which the attacker has XORed with his desired immediates to + cause the constant blinding to produce a potentially useful instruction stream + (which he could verify by abusing the infoleak). Instead of using one key + per instruction stream, generate a new key for each instruction using prandom_u32(). + + The downside is some performance impact during JIT compilation, though this + shouldn't be so common an event for anyone to notice. + + arch/x86/net/bpf_jit_comp.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 1b3f7f8f68d05143c0d55e8ceba0904c21007ad4 +Author: Brad Spengler +Date: Fri Mar 7 20:44:22 2014 -0500 + + fix typo + + ipc/mq_sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 90c31e93dc4eb2045775930cacbb64318cabafad +Author: Brad Spengler +Date: Fri Mar 7 20:25:53 2014 -0500 + + add no_const to ctl_table located on stack + + ipc/mq_sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 098fd10b3af4ef61b2edc60314ef18991b2f6f71 +Author: Sabrina Dubroca +Date: Thu Mar 6 17:51:57 2014 +0100 + + Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39 + + ipv6: don't set DST_NOCOUNT for remotely added routes + + DST_NOCOUNT should only be used if an authorized user adds routes + locally. In case of routes which are added on behalf of router + advertisments this flag must not get used as it allows an unlimited + number of routes getting added remotely. + + Signed-off-by: Sabrina Dubroca + Acked-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/route.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c4bd306f576cc03b5f0f9e56253e3f0a3be5d3bd +Merge: 71ed8ef a2aac72 +Author: Brad Spengler +Date: Fri Mar 7 20:10:30 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a2aac72603c2309d560a606493bb3003e2abe6c7 +Merge: 96545e3 404df65 +Author: Brad Spengler +Date: Fri Mar 7 20:10:13 2014 -0500 + + Merge branch 'linux-3.13.y' into pax-test + + Conflicts: + arch/arm/mm/mmu.c + mm/memory.c + +commit 71ed8ef8e7d2ffcc57b5ffacef3a9262ed8781c7 +Author: Brad Spengler +Date: Tue Mar 4 18:08:29 2014 -0500 + + Backport security fix: http://seclists.org/oss-sec/2014/q1/477 + + net/ipv4/inet_fragment.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit d752f1f1704ddbec282d7eb2150c75e05b9bcdd3 +Author: Daniel Borkmann +Date: Mon Mar 3 17:23:04 2014 +0100 + + Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729 + Remote DoS fix + + net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable + + RFC4895 introduced AUTH chunks for SCTP; during the SCTP + handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS + being optional though): + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + -------------------- COOKIE-ECHO --------------------> + <-------------------- COOKIE-ACK --------------------- + + A special case is when an endpoint requires COOKIE-ECHO + chunks to be authenticated: + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + ------------------ AUTH; COOKIE-ECHO ----------------> + <-------------------- COOKIE-ACK --------------------- + + RFC4895, section 6.3. Receiving Authenticated Chunks says: + + The receiver MUST use the HMAC algorithm indicated in + the HMAC Identifier field. If this algorithm was not + specified by the receiver in the HMAC-ALGO parameter in + the INIT or INIT-ACK chunk during association setup, the + AUTH chunk and all the chunks after it MUST be discarded + and an ERROR chunk SHOULD be sent with the error cause + defined in Section 4.1. [...] If no endpoint pair shared + key has been configured for that Shared Key Identifier, + all authenticated chunks MUST be silently discarded. [...] + + When an endpoint requires COOKIE-ECHO chunks to be + authenticated, some special procedures have to be followed + because the reception of a COOKIE-ECHO chunk might result + in the creation of an SCTP association. If a packet arrives + containing an AUTH chunk as a first chunk, a COOKIE-ECHO + chunk as the second chunk, and possibly more chunks after + them, and the receiver does not have an STCB for that + packet, then authentication is based on the contents of + the COOKIE-ECHO chunk. In this situation, the receiver MUST + authenticate the chunks in the packet by using the RANDOM + parameters, CHUNKS parameters and HMAC_ALGO parameters + obtained from the COOKIE-ECHO chunk, and possibly a local + shared secret as inputs to the authentication procedure + specified in Section 6.3. If authentication fails, then + the packet is discarded. If the authentication is successful, + the COOKIE-ECHO and all the chunks after the COOKIE-ECHO + MUST be processed. If the receiver has an STCB, it MUST + process the AUTH chunk as described above using the STCB + from the existing association to authenticate the + COOKIE-ECHO chunk and all the chunks after it. [...] + + Commit bbd0d59809f9 introduced the possibility to receive + and verification of AUTH chunk, including the edge case for + authenticated COOKIE-ECHO. On reception of COOKIE-ECHO, + the function sctp_sf_do_5_1D_ce() handles processing, + unpacks and creates a new association if it passed sanity + checks and also tests for authentication chunks being + present. After a new association has been processed, it + invokes sctp_process_init() on the new association and + walks through the parameter list it received from the INIT + chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO + and SCTP_PARAM_CHUNKS, and copies them into asoc->peer + meta data (peer_random, peer_hmacs, peer_chunks) in case + sysctl -w net.sctp.auth_enable=1 is set. If in INIT's + SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, + peer_random != NULL and peer_hmacs != NULL the peer is to be + assumed asoc->peer.auth_capable=1, in any other case + asoc->peer.auth_capable=0. + + Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is + available, we set up a fake auth chunk and pass that on to + sctp_sf_authenticate(), which at latest in + sctp_auth_calculate_hmac() reliably dereferences a NULL pointer + at position 0..0008 when setting up the crypto key in + crypto_hash_setkey() by using asoc->asoc_shared_key that is + NULL as condition key_id == asoc->active_key_id is true if + the AUTH chunk was injected correctly from remote. This + happens no matter what net.sctp.auth_enable sysctl says. + + The fix is to check for net->sctp.auth_enable and for + asoc->peer.auth_capable before doing any operations like + sctp_sf_authenticate() as no key is activated in + sctp_auth_asoc_init_active_key() for each case. + + Now as RFC4895 section 6.3 states that if the used HMAC-ALGO + passed from the INIT chunk was not used in the AUTH chunk, we + SHOULD send an error; however in this case it would be better + to just silently discard such a maliciously prepared handshake + as we didn't even receive a parameter at all. Also, as our + endpoint has no shared key configured, section 6.3 says that + MUST silently discard, which we are doing from now onwards. + + Before calling sctp_sf_pdiscard(), we need not only to free + the association, but also the chunk->auth_chunk skb, as + commit bbd0d59809f9 created a skb clone in that case. + + I have tested this locally by using netfilter's nfqueue and + re-injecting packets into the local stack after maliciously + modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) + and the SCTP packet containing the COOKIE_ECHO (injecting + AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. + + Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") + Signed-off-by: Daniel Borkmann + Cc: Vlad Yasevich + Cc: Neil Horman + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/sm_statefuns.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 855c02e8cb1af9b40752258060af547805881899 +Author: Brad Spengler +Date: Tue Mar 4 18:05:10 2014 -0500 + + Backport local DoS fix: http://seclists.org/oss-sec/2014/q1/494 + + security/keys/keyring.c | 6 +++++- + 1 files changed, 5 insertions(+), 1 deletions(-) + +commit 4877e98529649880ac76ade11e5529403a40ea73 +Author: Brad Spengler +Date: Mon Mar 3 14:42:58 2014 -0500 + + mark 'processor' as __read_only instead of forcing constify on it + to avoid a GCC constant propagation that will cause a NULL deref on boot + on ARM MULTI_CPU configs + + Thanks to Arnaud Fontaine and Arnaud Ebalard for the report, fix is from + the PaX Team + + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/kernel/setup.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 9c8d2926262f0345af454da45b41c6259bdc89e8 +Author: Andrew Honig +Date: Thu Feb 27 19:35:14 2014 +0100 + + Upstream commit: a08d3b3b99efd509133946056531cdf8f3a0c09b + + kvm: x86: fix emulator buffer overflow (CVE-2014-0049) + + The problem occurs when the guest performs a pusha with the stack + address pointing to an mmio address (or an invalid guest physical + address) to start with, but then extending into an ordinary guest + physical address. When doing repeated emulated pushes + emulator_read_write sets mmio_needed to 1 on the first one. On a + later push when the stack points to regular memory, + mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0. + + As a result, KVM exits to userspace, and then returns to + complete_emulated_mmio. In complete_emulated_mmio + vcpu->mmio_cur_fragment is incremented. The termination condition of + vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved. + The code bounces back and fourth to userspace incrementing + mmio_cur_fragment past it's buffer. If the guest does nothing else it + eventually leads to a a crash on a memcpy from invalid memory address. + + However if a guest code can cause the vm to be destroyed in another + vcpu with excellent timing, then kvm_clear_async_pf_completion_queue + can be used by the guest to control the data that's pointed to by the + call to cancel_work_item, which can be used to gain execution. + + Fixes: f78146b0f9230765c6315b2e14f56112513389ad + Signed-off-by: Andrew Honig + Cc: stable@vger.kernel.org (3.5+) + Signed-off-by: Paolo Bonzini + + arch/x86/kvm/x86.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 40051b60939861d365baf66d95dadd3f090542ac +Author: Mike Pecovnik +Date: Mon Feb 24 21:11:16 2014 +0100 + + Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f + + net: Fix permission check in netlink_connect() + + netlink_sendmsg() was changed to prevent non-root processes from sending + messages with dst_pid != 0. + netlink_connect() however still only checks if nladdr->nl_groups is set. + This patch modifies netlink_connect() to check for the same condition. + + Signed-off-by: Mike Pecovnik + Signed-off-by: David S. Miller + + net/netlink/af_netlink.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a3be34042aa8d3eccb476cb240d8cdc85024b18a +Author: Brad Spengler +Date: Sat Mar 1 23:17:33 2014 -0500 + + Apply role_umask RBAC restrictions to POSIX ACLs as well + + fs/posix_acl.c | 7 +++++-- + fs/xattr_acl.c | 9 +++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +commit 652b798b80f39815b94fc9b7192d648ad6b6cf64 +Author: Brad Spengler +Date: Mon Feb 24 21:57:37 2014 -0500 + + mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT + + grsecurity/Kconfig | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 5ffde76a88cb5dadc307cabc33d7ad253158b608 +Author: Brad Spengler +Date: Mon Feb 24 18:54:34 2014 -0500 + + use current_umask() helper in lustre instead of current->fs->umask + + drivers/staging/lustre/lustre/llite/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 49761e88b63e2771f09aa16cb4e98c681515cf31 +Merge: daf0afa 96545e3 +Author: Brad Spengler +Date: Mon Feb 24 17:43:09 2014 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/cpu/common.c + +commit 96545e3f1c4df86c1d9b74a1916d1b712138345f +Merge: 1ea0c4a dc0ead5 +Author: Brad Spengler +Date: Mon Feb 24 17:37:59 2014 -0500 + + Update to pax-linux-3.13.5-test11.patch: + - fixed a mismerge in atomic64_sub_return on arm, reported by Arnaud Fontaine + - the latent entropy plugin can now initialize structure variables as well + + Merge branch 'linux-3.13.y' into pax-test + + Conflicts: + arch/x86/kernel/ftrace.c + include/linux/compiler-gcc4.h + +commit daf0afa64695bd49bf6be19450fea0a533edc3ab +Author: Brad Spengler +Date: Mon Feb 24 17:16:47 2014 -0500 + + when IPC hardening is disabled via sysctl, we shouldn't be imposing + any additional restrictions + thanks to Mathias Krause (minipli) for the report + + grsecurity/grsec_ipc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 179bf20a88510350fc86383c7d1b8e7d422cc604 +Author: Brad Spengler +Date: Fri Feb 21 12:06:41 2014 -0500 + + add missing return in the ARM refcount code. + + Thanks to Arnaud Fontaine for the report and patch! + + arch/arm/include/asm/atomic.h | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 5eecd26548fa8462296745eedf66858bf83532c9 +Merge: d32875c 1ea0c4a +Author: Brad Spengler +Date: Thu Feb 20 21:39:25 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1ea0c4ab7114838fb5f7b320c5c4bee6269c2f99 +Author: Brad Spengler +Date: Thu Feb 20 21:39:02 2014 -0500 + + Update to pax-linux-3.13.4-test10.patch + + tools/gcc/latent_entropy_plugin.c | 10 +++++----- + 1 files changed, 5 insertions(+), 5 deletions(-) + +commit d32875ccf8800fd9b458907fbd9f08e74847012b +Author: Brad Spengler +Date: Thu Feb 20 18:42:11 2014 -0500 + + work around pipacs' latent_entropy plugin + + tools/gcc/randomize_layout_plugin.c | 6 +++++- + 1 files changed, 5 insertions(+), 1 deletions(-) + +commit 91ea54c68a7f728341371d3ca8c6208acc885706 +Author: Brad Spengler +Date: Thu Feb 20 17:57:36 2014 -0500 + + .data takes the address of the ints, not their values + + net/core/neighbour.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit bc41258c48ca6acae51d191e914556ab37ca7c92 +Merge: 3051292 0ce19d4 +Author: Brad Spengler +Date: Thu Feb 20 17:45:07 2014 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + include/linux/compiler-gcc4.h + +commit 0ce19d411496f0ab77a86c1c5091b909fd720665 +Author: Brad Spengler +Date: Thu Feb 20 17:43:26 2014 -0500 + + Update to pax-linux-3.13.4-test10.patch: + - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87) + - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender + - the latent entropy plugin will now insert some entropy at compile time into the random pools + + drivers/char/random.c | 6 +- + fs/binfmt_elf.c | 2 +- + include/linux/compiler-gcc4.h | 4 -- + tools/gcc/gcc-common.h | 10 ++++- + tools/gcc/latent_entropy_plugin.c | 84 +++++++++++++++++++++++++++++++++---- + tools/gcc/stackleak_plugin.c | 5 +- + 6 files changed, 90 insertions(+), 21 deletions(-) + +commit 3051292e84bf30c218e447a105ab898e8c509b44 +Merge: 71d207d 8a3ecf6 +Author: Brad Spengler +Date: Thu Feb 20 17:19:54 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a3ecf6d2b7e6304d259608e77a7259daeeeab9b +Merge: 98242db 93ee5dc +Author: Brad Spengler +Date: Thu Feb 20 17:17:30 2014 -0500 + + Merge branch 'linux-3.13.y' into pax-test + +commit 71d207d2df0cc95b1cf26d1499317d5b010c4033 +Author: Brad Spengler +Date: Thu Feb 20 16:59:26 2014 -0500 + + Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was + enabled, reported by jacekalex on the forums + + include/net/neighbour.h | 1 - + net/core/neighbour.c | 9 +++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 6d3beec0d1c79dfad2ba060c4d06ebf65ce39d15 +Author: Brad Spengler +Date: Wed Feb 19 22:01:38 2014 -0500 + + Backport CIFS vuln fix: http://article.gmane.org/gmane.linux.kernel.cifs/9401 + + fs/cifs/file.c | 37 ++++++++++++++++++++++++++++++++++--- + 1 files changed, 34 insertions(+), 3 deletions(-) + +commit 20eb03803ea2fea3f8c420b69097058122de32f6 +Author: Trond Myklebust +Date: Tue Feb 11 09:15:54 2014 -0500 + + Upstream commit: 06ea0bfe6e6043cb56a78935a19f6f8ebc636226 + + SUNRPC: Fix races in xs_nospace() + + When a send failure occurs due to the socket being out of buffer space, + we call xs_nospace() in order to have the RPC task wait until the + socket has drained enough to make it worth while trying again. + The current patch fixes a race in which the socket is drained before + we get round to setting up the machinery in xs_nospace(), and which + is reported to cause hangs. + + Link: http://lkml.kernel.org/r/20140210170315.33dfc621@notabene.brown + Fixes: a9a6b52ee1ba (SUNRPC: Don't start the retransmission timer...) + Reported-by: Neil Brown + Cc: stable@vger.kernel.org + Signed-off-by: Trond Myklebust + + net/sunrpc/xprtsock.c | 6 +++++- + 1 files changed, 5 insertions(+), 1 deletions(-) + +commit 9fff690287df8c389126420e1dab2608ddb4be75 +Author: Trond Myklebust +Date: Tue Feb 11 13:56:54 2014 -0500 + + Upstream commit: 628356791b04ea988fee070f66a748a823d001bb + + SUNRPC: Fix potential memory scribble in xprt_free_bc_request() + + The call to xprt_free_allocation() will call list_del() on + req->rq_bc_pa_list, which is not attached to a list. + This patch moves the list_del() out of xprt_free_allocation() + and into those callers that need it. + + Signed-off-by: Trond Myklebust + + net/sunrpc/backchannel_rqst.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 5382ae56cf22adf34d2dd9da03b3a44af0c846f1 +Author: Trond Myklebust +Date: Sun Feb 16 12:14:13 2014 -0500 + + Upstream commit: 9eb2ddb48ce3a7bd745c14a933112994647fa3cd + + SUNRPC: Ensure that gss_auth isn't freed before its upcall messages + + Fix a race in which the RPC client is shutting down while the + gss daemon is processing a downcall. If the RPC client manages to + shut down before the gss daemon is done, then the struct gss_auth + used in gss_release_msg() may have already been freed. + + Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com + Reported-by: John + Reported-by: Borislav Petkov + Cc: stable@vger.kernel.org # 3.12+ + Signed-off-by: Trond Myklebust + + net/sunrpc/auth_gss/auth_gss.c | 13 +++++++++++-- + 1 files changed, 11 insertions(+), 2 deletions(-) + +commit 76e2d40cfc26bc44ba2ff4604c1f0ff4821ec13b +Author: Trond Myklebust +Date: Sun Feb 16 13:28:01 2014 -0500 + + Upstream commit: e9776d0f4adee8877145672f6416b06b57f2dc27 + + SUNRPC: Fix a pipe_version reference leak + + In gss_alloc_msg(), if the call to gss_encode_v1_msg() fails, we + want to release the reference to the pipe_version that was obtained + earlier in the function. + + Fixes: 9d3a2260f0f4b (SUNRPC: Fix buffer overflow checking in...) + Signed-off-by: Trond Myklebust + + net/sunrpc/auth_gss/auth_gss.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit 715c3e4109210d090282b360463aa474c978dcf5 +Author: Christoffer Dall +Date: Sun Feb 2 22:21:31 2014 +0100 + + Upstream commit: 4d9c5b89cf3605bbc39c6e274351ff25f0d83e6a + + ARM: 7950/1: mm: Fix stage-2 device memory attributes + + The stage-2 memory attributes are distinct from the Hyp memory + attributes and the Stage-1 memory attributes. We were using the stage-1 + memory attributes for stage-2 mappings causing device mappings to be + mapped as normal memory. Add the S2 equivalent defines for memory + attributes and fix the comments explaining the defines while at it. + + Add a prot_pte_s2 field to the mem_type struct and fill out the field + for device mappings accordingly. + + Cc: [3.9+] + Acked-by: Marc Zyngier + Acked-by: Catalin Marinas + Signed-off-by: Christoffer Dall + Signed-off-by: Russell King + + Conflicts: + + arch/arm/mm/mmu.c + + arch/arm/include/asm/pgtable-3level.h | 15 +++++++++------ + arch/arm/mm/mm.h | 1 + + arch/arm/mm/mmu.c | 7 ++++++- + 3 files changed, 16 insertions(+), 7 deletions(-) + +commit 49f25f2842b5e567ca45d5648460ad7cfd2af7ab +Author: Will Deacon +Date: Fri Feb 7 19:12:20 2014 +0100 + + Upstream commit: bae0ca2bc550d1ec6a118fb8f2696f18c4da3d8e + + ARM: 7953/1: mm: ensure TLB invalidation is complete before enabling MMU + + During __v{6,7}_setup, we invalidate the TLBs since we are about to + enable the MMU on return to head.S. Unfortunately, without a subsequent + dsb instruction, the invalidation is not guaranteed to have completed by + the time we write to the sctlr, potentially exposing us to junk/stale + translations cached in the TLB. + + This patch reworks the init functions so that the dsb used to ensure + completion of cache/predictor maintenance is also used to ensure + completion of the TLB invalidation. + + Cc: + Reported-by: Albin Tonnerre + Signed-off-by: Will Deacon + Signed-off-by: Russell King + + arch/arm/mm/proc-v6.S | 3 ++- + arch/arm/mm/proc-v7.S | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +commit fa4b67556529451bd4489b07472f58feec35d51d +Author: Will Deacon +Date: Fri Feb 7 19:12:32 2014 +0100 + + Upstream commit: 7c8746a9eb287642deaad0e7c2cdf482dce5e4be + + ARM: 7955/1: spinlock: ensure we have a compiler barrier before sev + + When unlocking a spinlock, we require the following, strictly ordered + sequence of events: + + /* dmb */ + + /* dsb */ + + + Whilst the code does indeed reflect this in terms of the architecture, + the final + have been contracted into a single inline + asm without a "memory" clobber, therefore the compiler is at liberty to + reorder the unlock to the end of the above sequence. In such a case, + a waiting CPU may be woken up before the lock has been unlocked, leading + to extremely poor performance. + + This patch reworks the dsb_sev() function to make use of the dsb() + macro and ensure ordering against the unlock. + + Cc: + Reported-by: Mark Rutland + Signed-off-by: Will Deacon + Signed-off-by: Russell King + + arch/arm/include/asm/spinlock.h | 15 +++------------ + 1 files changed, 3 insertions(+), 12 deletions(-) + +commit f3efaba9e0a1d5d96fc0783ae8ec8e733e113bfa +Author: Russell King +Date: Tue Feb 11 17:11:04 2014 +0000 + + Upstream commit: e83b366487b5582274374f8226e489cb214ae5a6 + + Fix uses of dma_max_pfn() when converting to a limiting address + + We must use a 64-bit for this, otherwise overflowed bits get lost, and + that can result in a lower than intended value set. + + Fixes: 8e0cb8a1f6ac ("ARM: 7797/1: mmc: Use dma_max_pfn(dev) helper for bounce_limit calculations") + Fixes: 7d35496dd982 ("ARM: 7796/1: scsi: Use dma_max_pfn(dev) helper for bounce_limit calculations") + Tested-Acked-by: Santosh Shilimkar + Reviewed-by: Ulf Hansson + Signed-off-by: Russell King + + drivers/mmc/card/queue.c | 2 +- + drivers/scsi/scsi_lib.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 5a3e8a10d439ba8bcd893bf2159618908fe80384 +Author: Vinayak Kale +Date: Wed Feb 12 07:30:01 2014 +0100 + + Upstream commit: 39544ac9df20f73e49fc6b9ac19ff533388c82c0 + + ARM: 7957/1: add DSB after icache flush in __flush_icache_all() + + Add DSB after icache flush to complete the cache maintenance operation. + + Signed-off-by: Vinayak Kale + Acked-by: Catalin Marinas + Cc: + Signed-off-by: Russell King + + arch/arm/include/asm/cacheflush.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 26d22a6946dfbb4f4a760038816c43ba49504863 +Author: Linus Torvalds +Date: Mon Feb 17 12:24:45 2014 -0800 + + Upstream commit: e4178d809fdaee32a56833fff1f5056c99e90a1a + + printk: fix syslog() overflowing user buffer + + This is not a buffer overflow in the traditional sense: we don't + overflow any *kernel* buffers, but we do mis-count the amount of data we + copy back to user space for the SYSLOG_ACTION_READ_ALL case. + + In particular, if the user buffer is too small to hold everything, and + *if* there is a continuation line at just the right place, we can end up + giving the user more data than he asked for. + + The reason is that we first count up the number of bytes all the log + records contains, then we walk the records again until we've skipped the + records at the beginning that won't fit, and then we walk the rest of + the records and copy them to the user space buffer. + + And in between that "skip the initial records that won't fit" and the + "copy the records that *will* fit to user space", we reset the 'prev' + variable that contained the record information for the last record not + copied. That meant that when we started copying to user space, we now + had a different character count than what we had originally calculated + in the first record walk-through. + + The fix is to simply not clear the 'prev' flags value (in both cases + where we had the same logic: syslog_print_all and kmsg_dump_get_buffer: + the latter is used for pstore-like dumping) + + Reported-and-tested-by: Debabrata Banerjee + Acked-by: Kay Sievers + Cc: Greg Kroah-Hartman + Cc: Jeff Mahoney + Signed-off-by: Linus Torvalds + + kernel/printk/printk.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit 88d5fdac3aa7813d963ab5a3325c2f15c36c97cf +Author: Rafael Aquini +Date: Mon Feb 10 14:25:48 2014 -0800 + + Upstream commit: a0b54adda3fe4b4cc6d28f2a9217cd35d1aa888c + + mm: fix page leak at nfs_symlink() + + Changes in commit a0b8cab3b9b2 ("mm: remove lru parameter from + __pagevec_lru_add and remove parts of pagevec API") have introduced a + call to add_to_page_cache_lru() which causes a leak in nfs_symlink() as + now the page gets an extra refcount that is not dropped. + + Jan Stancek observed and reported the leak effect while running test8 + from Connectathon Testsuite. After several iterations over the test + case, which creates several symlinks on a NFS mountpoint, the test + system was quickly getting into an out-of-memory scenario. + + This patch fixes the page leak by dropping that extra refcount + add_to_page_cache_lru() is grabbing. + + Signed-off-by: Jan Stancek + Signed-off-by: Rafael Aquini + Acked-by: Mel Gorman + Acked-by: Rik van Riel + Cc: Jeff Layton + Cc: Trond Myklebust + Cc: [3.11.x+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/nfs/dir.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit bf53635ba34d0ef231a89dd30aa9954b0fa3d87b +Author: Dan Carpenter +Date: Mon Feb 17 20:33:01 2014 -0500 + + Upstream commit: 92e3b40537707001d17bbad800d150ab04e53bf4 + + jbd2: fix use after free in jbd2_journal_start_reserved() + + If start_this_handle() fails then it leads to a use after free of + "handle". + + Signed-off-by: Dan Carpenter + Signed-off-by: "Theodore Ts'o" + Cc: stable@vger.kernel.org + + fs/jbd2/transaction.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 7eb9d6b170b2d83e9a59d8d5e9c3eaec76b3e1a2 +Author: Theodore Ts'o +Date: Sat Feb 15 22:42:25 2014 -0500 + + Upstream commit: 3d2660d0c9c2f296837078c189b68a47f6b2e3b5 + + ext4: fix online resize with a non-standard blocks per group setting + + The set_flexbg_block_bitmap() function assumed that the number of + blocks in a blockgroup was sb->blocksize * 8, which is normally true, + but not always! Use EXT4_BLOCKS_PER_GROUP(sb) instead, to fix block + bitmap corruption after: + + mke2fs -t ext4 -g 3072 -i 4096 /dev/vdd 1G + mount -t ext4 /dev/vdd /vdd + resize2fs /dev/vdd 8G + + Signed-off-by: "Theodore Ts'o" + Reported-by: Jon Bernard + Cc: stable@vger.kernel.org + + fs/ext4/resize.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 588500229af3505116b0fe05c4e54a06cabd64e4 +Author: Theodore Ts'o +Date: Sat Feb 15 21:33:13 2014 -0500 + + Upstream commit: b93c95353413041a8cebad915a8109619f66bcc6 + + ext4: fix online resize with very large inode tables + + If a file system has a large number of inodes per block group, all of + the metadata blocks in a flex_bg may be larger than what can fit in a + single block group. Unfortunately, ext4_alloc_group_tables() in + resize.c was never tested to see if it would handle this case + correctly, and there were a large number of bugs which caused the + following sequence to result in a BUG_ON: + + kernel bug at fs/ext4/resize.c:409! + ... + call trace: + [] ext4_flex_group_add+0x1448/0x1830 + [] ext4_resize_fs+0x7b2/0xe80 + [] ext4_ioctl+0xbf0/0xf00 + [] do_vfs_ioctl+0x2dd/0x4b0 + [] ? final_putname+0x22/0x50 + [] sys_ioctl+0x81/0xa0 + [] system_call_fastpath+0x16/0x1b + code: c8 4c 89 df e8 41 96 f8 ff 44 89 e8 49 01 c4 44 29 6d d4 0 + rip [] set_flexbg_block_bitmap+0x171/0x180 + + This can be reproduced with the following command sequence: + + mke2fs -t ext4 -i 4096 /dev/vdd 1G + mount -t ext4 /dev/vdd /vdd + resize2fs /dev/vdd 8G + + To fix this, we need to make sure the right thing happens when a block + group's inode table straddles two block groups, which means the + following bugs had to be fixed: + + 1) Not clearing the BLOCK_UNINIT flag in the second block group in + ext4_alloc_group_tables --- the was proximate cause of the BUG_ON. + + 2) Incorrectly determining how many block groups contained contiguous + free blocks in ext4_alloc_group_tables(). + + 3) Incorrectly setting the start of the next block range to be marked + in use after a discontinuity in setup_new_flex_group_blocks(). + + Signed-off-by: "Theodore Ts'o" + Cc: stable@vger.kernel.org + + fs/ext4/resize.c | 32 ++++++++++++++++++++------------ + 1 files changed, 20 insertions(+), 12 deletions(-) + +commit dfb5654f8a9946e06f67d0481c907fa9ae4c6b04 +Author: Theodore Ts'o +Date: Wed Feb 12 12:16:04 2014 -0500 + + Upstream commit: 23301410972330c0ae9a8afc379ba2005e249cc6 + + ext4: don't try to modify s_flags if the the file system is read-only + + If an ext4 file system is created by some tool other than mke2fs + (perhaps by someone who has a pathalogical fear of the GPL) that + doesn't set one or the other of the EXT2_FLAGS_{UN}SIGNED_HASH flags, + and that file system is then mounted read-only, don't try to modify + the s_flags field. Otherwise, if dm_verity is in use, the superblock + will change, causing an dm_verity failure. + + Signed-off-by: "Theodore Ts'o" + Cc: stable@vger.kernel.org + + fs/ext4/super.c | 20 +++++++++++++------- + 1 files changed, 13 insertions(+), 7 deletions(-) + +commit d2a631f973d3cff9a1c015cb64b08bb9cc52de8b +Author: Eric Whitney +Date: Wed Feb 12 10:42:45 2014 -0500 + + Upstream commit: 15cc17678547676c82a5da9ccf357447333fc342 + + ext4: fix xfstest generic/299 block validity failures + + Commit a115f749c1 (ext4: remove wait for unwritten extent conversion from + ext4_truncate) exposed a bug in ext4_ext_handle_uninitialized_extents(). + It can be triggered by xfstest generic/299 when run on a test file + system created without a journal. This test continuously fallocates and + truncates files to which random dio/aio writes are simultaneously + performed by a separate process. The test completes successfully, but + if the test filesystem is mounted with the block_validity option, a + warning message stating that a logical block has been mapped to an + illegal physical block is posted in the kernel log. + + The bug occurs when an extent is being converted to the written state + by ext4_end_io_dio() and ext4_ext_handle_uninitialized_extents() + discovers a mapping for an existing uninitialized extent. Although it + sets EXT4_MAP_MAPPED in map->m_flags, it fails to set map->m_pblk to + the discovered physical block number. Because map->m_pblk is not + otherwise initialized or set by this function or its callers, its + uninitialized value is returned to ext4_map_blocks(), where it is + stored as a bogus mapping in the extent status tree. + + Since map->m_pblk can accidentally contain illegal values that are + larger than the physical size of the file system, calls to + check_block_validity() in ext4_map_blocks() that are enabled if the + block_validity mount option is used can fail, resulting in the logged + warning message. + + Signed-off-by: Eric Whitney + Signed-off-by: "Theodore Ts'o" + Cc: stable@vger.kernel.org # 3.11+ + + fs/ext4/extents.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7eb52392ee886f01a5c944f35fbe95edc2169877 +Author: Zheng Liu +Date: Wed Feb 12 11:48:31 2014 -0500 + + Upstream commit: 30d29b119ef01776e0a301444ab24defe8d8bef3 + + ext4: fix error paths in swap_inode_boot_loader() + + In swap_inode_boot_loader() we forgot to release ->i_mutex and resume + unlocked dio for inode and inode_bl if there is an error starting the + journal handle. This commit fixes this issue. + + Reported-by: Ahmed Tamrawi + Cc: Andreas Dilger + Cc: Dr. Tilmann Bubeck + Signed-off-by: Zheng Liu + Signed-off-by: "Theodore Ts'o" + Cc: stable@vger.kernel.org # v3.10+ + + fs/ext4/ioctl.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 4dc90c1991032c483b11690717ba07952f4fef07 +Author: Theodore Ts'o +Date: Sun Feb 16 19:29:32 2014 -0500 + + Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02 + + ext4: don't leave i_crtime.tv_sec uninitialized + + If the i_crtime field is not present in the inode, don't leave the + field uninitialized. + + Fixes: ef7f38359 ("ext4: Add nanosecond timestamps") + Reported-by: Vegard Nossum + Tested-by: Vegard Nossum + Signed-off-by: "Theodore Ts'o" + Cc: stable@vger.kernel.org + + fs/ext4/ext4.h | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 9d8aa319cfbfdb4bdf7a5d4adc4b93fe028bec12 +Author: Brad Spengler +Date: Wed Feb 19 20:39:37 2014 -0500 + + While a Xen dom0 is technically a guest, it's perceived as a host by many + and there's really no Linux "host" for Xen, so allow PARAVIRT to be + enabled on "host" kernels only when Xen is selected + + Thanks to gaima on the forums for the report + + Conflicts: + + arch/x86/Kconfig + + arch/x86/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8ef15c34cb044db1ae729a53327e5b848631fbee +Author: Petr Písař +Date: Thu Feb 6 21:01:23 2014 +0100 + + Upstream commit: 0930b0950a8996aa88b0d2ba4bb2bab27cc36bc7 + + vt: Fix secure clear screen + + \E[3J console code (secure clear screen) needs to update_screen(vc) + in order to write-through blanks into off-screen video memory. + + This has been removed accidentally in 3.6 by: + + commit 81732c3b2fede049a692e58a7ceabb6d18ffb18c + Author: Jean-François Moine + Date: Thu Sep 6 19:24:13 2012 +0200 + + tty vt: Fix line garbage in virtual console on command line edition + + Signed-off-by: Petr Písař + Cc: stable # 3.6 + Signed-off-by: Greg Kroah-Hartman + + drivers/tty/vt/vt.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 8568da92bd738464772c24fd68a9b300d22985b5 +Author: H. Peter Anvin +Date: Thu Feb 13 07:46:04 2014 -0800 + + Upstream commit: 4640c7ee9b8953237d05a61ea3ea93981d1bc961 + + x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off + + If CONFIG_X86_SMAP is disabled, smap_violation() tests for conditions + which are incorrect (as the AC flag doesn't matter), causing spurious + faults. + + The dynamic disabling of SMAP (nosmap on the command line) is fine + because it disables X86_FEATURE_SMAP, therefore causing the + static_cpu_has() to return false. + + Found by Fengguang Wu's test system. + + [ v3: move all predicates into smap_violation() ] + [ v2: use IS_ENABLED() instead of #ifdef ] + + Reported-by: Fengguang Wu + Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost + Signed-off-by: H. Peter Anvin + Cc: # v3.7+ + + arch/x86/mm/fault.c | 14 +++++++++----- + 1 files changed, 9 insertions(+), 5 deletions(-) + +commit dc68abaa1208e66be3bc07eb57855d4ab413373c +Author: H. Peter Anvin +Date: Thu Feb 13 07:34:30 2014 -0800 + + Upstream commit: 03bbd596ac04fef47ce93a730b8f086d797c3021 + + x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled + + If SMAP support is not compiled into the kernel, don't enable SMAP in + CR4 -- in fact, we should clear it, because the kernel doesn't contain + the proper STAC/CLAC instructions for SMAP support. + + Found by Fengguang Wu's test system. + + Reported-by: Fengguang Wu + Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost + Signed-off-by: H. Peter Anvin + Cc: # v3.7+ + + arch/x86/kernel/cpu/common.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 6d804df770568f2d41f36cc446dc2c4b9ddbdc66 +Author: Steven Noonan +Date: Wed Feb 12 23:01:07 2014 -0800 + + Upstream commit: a9f180345f5378ac87d80ed0bea55ba421d83859 + + compiler/gcc4: Make quirk for asm_volatile_goto() unconditional + + I started noticing problems with KVM guest destruction on Linux + 3.12+, where guest memory wasn't being cleaned up. I bisected it + down to the commit introducing the new 'asm goto'-based atomics, + and found this quirk was later applied to those. + + Unfortunately, even with GCC 4.8.2 (which ostensibly fixed the + known 'asm goto' bug) I am still getting some kind of + miscompilation. If I enable the asm_volatile_goto quirk for my + compiler, KVM guests are destroyed correctly and the memory is + cleaned up. + + So make the quirk unconditional for now, until bug is found + and fixed. + + Suggested-by: Linus Torvalds + Signed-off-by: Steven Noonan + Cc: Peter Zijlstra + Cc: Steven Rostedt + Cc: Jakub Jelinek + Cc: Richard Henderson + Cc: Andrew Morton + Cc: Oleg Nesterov + Cc: + Link: http://lkml.kernel.org/r/1392274867-15236-1-git-send-email-steven@uplinklabs.net + Link: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 + Signed-off-by: Ingo Molnar + + include/linux/compiler-gcc4.h | 6 +----- + 1 files changed, 1 insertions(+), 5 deletions(-) + +commit df681ad2079c8b443dd98a66daa49a96f6803118 +Author: Brad Spengler +Date: Sat Feb 15 14:43:58 2014 -0500 + + add note on how to disable rate limiting on log messages + + grsecurity/Kconfig | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 247661801d1a9904eac479770aac8c31adfb3a03 +Merge: 294e38e 98242db +Author: Brad Spengler +Date: Thu Feb 13 20:17:09 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 98242dba193affafa9996207af8aaee0a58e237c +Author: Brad Spengler +Date: Thu Feb 13 20:16:39 2014 -0500 + + Update to pax-linux-3.13.3-test9.patch: + - forward port to 3.13.3 + - updated hash table from Emese, missing entries reported by Adam ChyÅ‚a and Matthew Thode + + kernel/sched/core.c | 2 +- + kernel/trace/ftrace.c | 8 ++++---- + tools/gcc/size_overflow_hash.data | 6 ++++++ + 3 files changed, 11 insertions(+), 5 deletions(-) + +commit 294e38ee2ac097654f11df09cfe8c5584a573b6c +Merge: d1fd1fc 990a904 +Author: Brad Spengler +Date: Thu Feb 13 18:11:12 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 990a9041b296c2afe56f7c5ff4bb2e2e0ed6298f +Merge: d32ab3c 7955a48 +Author: Brad Spengler +Date: Thu Feb 13 18:11:01 2014 -0500 + + Merge branch 'linux-3.13.y' into pax-test + + Conflicts: + kernel/trace/ftrace.c + +commit d1fd1fc0d4c9d07cd6f2f2dad040db0f1c433b5d +Author: Brad Spengler +Date: Thu Feb 13 16:50:39 2014 -0500 + + Force off all virtualization guest options if the autoconfig choice + was not for the kernel to be used for vm guests + likewise force off Xen if it wasn't mentioned in the autoconfig + + arch/x86/Kconfig | 1 + + arch/x86/xen/Kconfig | 1 + + 2 files changed, 2 insertions(+), 0 deletions(-) + +commit 6f7fd76856916bda9145d3fb89b3462b18630c75 +Merge: 32aa9fa d32ab3c +Author: Brad Spengler +Date: Thu Feb 13 15:25:21 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d32ab3c04e157fd34738846fc1cbdbed5eab1147 +Author: Brad Spengler +Date: Thu Feb 13 15:24:57 2014 -0500 + + Update to pax-linux-3.13.2-test9.patch: + - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv for help + + tools/gcc/Makefile | 2 +- + tools/gcc/latent_entropy_plugin.c | 18 +++++++++-- + tools/gcc/size_overflow_plugin.c | 19 +++++++++-- + tools/gcc/stackleak_plugin.c | 58 ++++++++++++++++++++++++++++-------- + 4 files changed, 76 insertions(+), 21 deletions(-) + +commit 32aa9fa0174969476774c472226d304f122291a5 +Author: Brad Spengler +Date: Thu Feb 13 12:35:16 2014 -0500 + + add missing header + + grsecurity/grsec_mem.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit d48d8d3b1b527d8dc7a9162bda44d32608906632 +Author: Brad Spengler +Date: Thu Feb 13 12:04:44 2014 -0500 + + export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL + + Conflicts: + + grsecurity/gracl.c + grsecurity/grsec_disabled.c + grsecurity/grsec_exec.c + + grsecurity/gracl.c | 8 ++++---- + grsecurity/grsec_chroot.c | 2 +- + grsecurity/grsec_disabled.c | 4 ++-- + grsecurity/grsec_exec.c | 8 ++++---- + grsecurity/grsec_init.c | 2 +- + grsecurity/grsec_mem.c | 1 + + grsecurity/grsec_sock.c | 12 ++++++------ + grsecurity/grsec_time.c | 2 +- + 8 files changed, 20 insertions(+), 19 deletions(-) + +commit 3c05c8568522f6a660debeaacf536a99a0212342 +Author: Brad Spengler +Date: Thu Feb 13 11:28:26 2014 -0500 + + add missing header + + arch/x86/kernel/msr.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e68254d468db8b3a28fa549606136fdba9276a75 +Author: Brad Spengler +Date: Thu Feb 13 11:12:36 2014 -0500 + + fix typo + + arch/x86/kernel/msr.c | 4 ++-- + include/linux/grsecurity.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 2845d9e8598070db65f7429ecf2ac1803077ed9e +Author: Brad Spengler +Date: Thu Feb 13 10:57:06 2014 -0500 + + PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead + + tools/gcc/randomize_layout_plugin.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1cd63e6169739aa7881796ac74b43b83bdbd8626 +Author: Brad Spengler +Date: Thu Feb 13 09:23:29 2014 -0500 + + Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes. Log all writing attempts. + + arch/x86/Kconfig | 1 - + arch/x86/kernel/msr.c | 9 +++++++++ + grsecurity/grsec_mem.c | 6 ++++++ + include/linux/grmsg.h | 1 + + include/linux/grsecurity.h | 1 + + 5 files changed, 17 insertions(+), 1 deletions(-) + +commit a750206a1934759fc0da5ab831852a22ce720862 +Author: Richard Yao +Date: Sat Feb 8 19:32:01 2014 -0500 + + Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8 + + 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers + + The 9p-virtio transport does zero copy on things larger than 1024 bytes + in size. It accomplishes this by returning the physical addresses of + pages to the virtio-pci device. At present, the translation is usually a + bit shift. + + That approach produces an invalid page address when we read/write to + vmalloc buffers, such as those used for Linux kernel modules. Any + attempt to load a Linux kernel module from 9p-virtio produces the + following stack. + + [] p9_virtio_zc_request+0x45e/0x510 + [] p9_client_zc_rpc.constprop.16+0xfd/0x4f0 + [] p9_client_read+0x15d/0x240 + [] v9fs_fid_readn+0x50/0xa0 + [] v9fs_file_readn+0x10/0x20 + [] v9fs_file_read+0x37/0x70 + [] vfs_read+0x9b/0x160 + [] kernel_read+0x41/0x60 + [] copy_module_from_fd.isra.34+0xfb/0x180 + + Subsequently, QEMU will die printing: + + qemu-system-x86_64: virtio: trying to map MMIO memory + + This patch enables 9p-virtio to correctly handle this case. This not + only enables us to load Linux kernel modules off virtfs, but also + enables ZFS file-based vdevs on virtfs to be used without killing QEMU. + + Special thanks to both Avi Kivity and Alexander Graf for their + interpretation of QEMU backtraces. Without their guidence, tracking down + this bug would have taken much longer. Also, special thanks to Linus + Torvalds for his insightful explanation of why this should use + is_vmalloc_addr() instead of is_vmalloc_or_module_addr(): + + https://lkml.org/lkml/2014/2/8/272 + + Signed-off-by: Richard Yao + Signed-off-by: David S. Miller + + net/9p/trans_virtio.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit 6f3de18441f63778b664f2815cfc0d2af0d22f4f +Author: Brad Spengler +Date: Thu Feb 13 08:38:14 2014 -0500 + + rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals + add a useful compile error if we try building with < gcc 4.6.4 + + tools/gcc/randomize_layout_plugin.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 596b24936ed3687455327c3d26a8a820263a1f88 +Author: Brad Spengler +Date: Tue Feb 11 17:33:49 2014 -0500 + + [PATCH] random: fix overflow for big nbits values in credit_entropy_bits() + + Commit 30e37ec516ae "random: account for entropy loss due to overwrites" + introduced an overflow in the arithmetics of credit_entropy_bits() when + CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool + size and therefore invalidates the assumptions of the "nifty" formula. + + Fix the overflow by using 64bit arithmetics. + + Reported-by: Torsten Hilbrich + Signed-off-by: Mathias Krause + + This bug is at worst a privileged DoS -- with RANDNET enabled, an admin + with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once + can cause less than expected entropy to be credited (but this doesn't + affect how much is actually added). For specific buffer sizes, this + can result in 0 entropy being credited and end in a situation in which + the kernel can't recover, causing future reads from /dev/random to stall. + + Many thanks to Torsten and Mathias for the report! + + drivers/char/random.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit 04f9fc1040b96a623cca444b330a3a96c104d3af +Author: Brad Spengler +Date: Sun Feb 9 11:30:53 2014 -0500 + + just ignore the seed file, the hash is in a different dir + + tools/gcc/.gitignore | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit eaddc3f039b57731d04d90e334cf75c6cdde895d +Author: Brad Spengler +Date: Sun Feb 9 11:27:22 2014 -0500 + + Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead + + Documentation/dontdiff | 2 +- + Makefile | 4 +--- + include/linux/vermagic.h | 1 + + tools/gcc/.gitignore | 4 ++-- + tools/gcc/Makefile | 9 ++++----- + tools/gcc/gen-random-seed.sh | 3 ++- + 6 files changed, 11 insertions(+), 12 deletions(-) + +commit d3fcb6991a09d163867dd6e7e04ad5675f9c3202 +Author: Brad Spengler +Date: Sat Feb 8 22:03:25 2014 -0500 + + update dontdiff and .gitignore to reflect new seed/hash filenames for RANDSTRUCT + + Documentation/dontdiff | 4 ++-- + tools/gcc/.gitignore | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +commit 3e96d2ad6f7e3373a978767099f3b3bb12890644 +Author: Brad Spengler +Date: Sat Feb 8 20:02:12 2014 -0500 + + don't divide cputime by HZ as some architectures can't handle this + use proper task_cputime and cputime_to_secs wrappers + Thanks to Michael Tremer for the report + + grsecurity/gracl.c | 23 ++++++++++++----------- + 1 files changed, 12 insertions(+), 11 deletions(-) + +commit bff837da26077ae243118561da6e31e8d2ef83b7 +Author: Brad Spengler +Date: Thu Feb 6 21:26:51 2014 -0500 + + gcc 4.9 update for RANDSTRUCT plugin part 1 + + tools/gcc/randomize_layout_plugin.c | 7 +------ + 1 files changed, 1 insertions(+), 6 deletions(-) + +commit 58eee46f846245affdc86a1fd057bc7802bfef63 +Merge: 954a136 2b56794 +Author: Brad Spengler +Date: Thu Feb 6 20:36:18 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 2b56794a375594b35d2984d0950059977624a5ed +Author: Brad Spengler +Date: Thu Feb 6 20:35:40 2014 -0500 + + Update to pax-linux-3.13.2-test8.patch: + - fixed compile errors on arm due to constification, reported by Michael Tremer + - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender + - added a new header to gcc-common.h, reported by spender + - some useful backports from upstream 3.14: + - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c + - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9 + + Makefile | 8 +++++++- + arch/arm/mach-omap2/powerdomains43xx_data.c | 5 ++++- + arch/x86/include/asm/tlbflush.h | 1 - + drivers/gpu/drm/armada/armada_drv.c | 10 +--------- + drivers/gpu/drm/tegra/hdmi.c | 2 +- + drivers/misc/eeprom/sunxi_sid.c | 4 +++- + drivers/mmc/host/sdhci-esdhc-imx.c | 7 +++++-- + include/drm/drmP.h | 1 + + include/drm/ttm/ttm_page_alloc.h | 1 + + tools/gcc/gcc-common.h | 1 + + 10 files changed, 24 insertions(+), 16 deletions(-) + +commit 954a136c7f2ce3a76f9a8b148c49614092554b5b +Author: Brad Spengler +Date: Thu Feb 6 20:20:41 2014 -0500 + + Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2 + + security/selinux/ss/services.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit a16066ea179a4f15b368cd5003d9c3638aa7f48e +Author: Brad Spengler +Date: Thu Feb 6 20:16:57 2014 -0500 + + don't pass the seed via build commandline, store it in a header file instead + and build it into the RANDSTRUCT plugin. + set up proper dependencies for the generated files used by the RANDSTRUCT plugin, + fixing some race conditions in the build process + support O= argument to make and place generated files in the target directory tree + update RANDSTRUCT documentation + + Makefile | 6 ++---- + grsecurity/Kconfig | 2 +- + scripts/gen-random-seed.sh | 8 -------- + tools/gcc/Makefile | 10 +++++++++- + tools/gcc/gen-random-seed.sh | 7 +++++++ + tools/gcc/randomize_layout_plugin.c | 23 ++++++++--------------- + 6 files changed, 27 insertions(+), 29 deletions(-) + +commit 79cb2972d4d5e61a831e8eae996b286f433afd10 +Author: Brad Spengler +Date: Thu Feb 6 18:15:24 2014 -0500 + + make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make' + + grsecurity/Makefile | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 10a483b7ae687f15e3836234175920518ec50fa7 +Merge: 95e6c94 5a87ea7 +Author: Brad Spengler +Date: Thu Feb 6 17:21:02 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5a87ea74aab86c3c211612d1ae7cac26694b736d +Merge: 1554390 fd82174 +Author: Brad Spengler +Date: Thu Feb 6 17:19:50 2014 -0500 + + Merge branch 'linux-3.13.y' into pax-test + + Conflicts: + net/compat.c + +commit 95e6c94d6945ce8acfb56997feada8fde8aab8a6 +Author: Brad Spengler +Date: Wed Feb 5 23:43:27 2014 -0500 + + avoid printing jibberish in some instances with RANDSTRUCT and modules + built with other seeds, as the kernel's module loader trusts the + module layout + + kernel/module.c | 25 +++++++++++++++++++++++++ + 1 files changed, 25 insertions(+), 0 deletions(-) + +commit 71ff747386915adda2113b08c47b0ccb1683dea5 +Author: Brad Spengler +Date: Wed Feb 5 23:32:26 2014 -0500 + + Introduce the non-performance mode -- the performance mode had previously been + inadvertently forced on regardless of config setting + + Resolve an issue with gcc completing declarations for recently finished + types *before* the plugin's finish_type being called to randomize that structure. + This resulted in too small a structure size being emitted for this_module + and generally crashes whenever modules were loaded. + + Makefile | 2 +- + tools/gcc/randomize_layout_plugin.c | 23 +++++++++++++++++++++++ + 2 files changed, 24 insertions(+), 1 deletions(-) + +commit e17b47e4f837bb769f5159b928f5accce5131514 +Author: Brad Spengler +Date: Mon Feb 3 17:30:32 2014 -0500 + + select DEBUG_KERNEL in addition to DEBUG_LIST + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1a4fd0231e9cee0203dd7f10faf89d721883b6a4 +Merge: 5fb88fe 1554390 +Author: Brad Spengler +Date: Sun Feb 2 21:25:11 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1554390d0c012ebcbe8734216913fcb94681db2b +Author: Brad Spengler +Date: Sun Feb 2 21:24:45 2014 -0500 + + update plugin start_unit names + + tools/gcc/latent_entropy_plugin.c | 2 +- + tools/gcc/size_overflow_plugin.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 5fb88febacff2f061c9aad406d107177acc3f950 +Author: Brad Spengler +Date: Sun Feb 2 21:23:30 2014 -0500 + + update copyright date + + grsecurity/Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f4d392661ab08166ed1aa81d4f1d90fec146f761 +Author: Brad Spengler +Date: Sun Feb 2 21:23:08 2014 -0500 + + update copyright message + + grsecurity/Makefile | 22 ++++++++++++++++------ + 1 files changed, 16 insertions(+), 6 deletions(-) + +commit 7bd6dcd5823155b1948fe0815a7aa173da6bea35 +Author: Brad Spengler +Date: Sat Feb 1 19:53:04 2014 -0500 + + update RANDSTRUCT plugin to eliminate false posities on struct type mismatches + resulting from an IS_ERR() sequence + add checks for bad casts in local and global variable initializers + use the main variant when comparing types + + tools/gcc/randomize_layout_plugin.c | 150 +++++++++++++++++++++++++++++++++-- + 1 files changed, 144 insertions(+), 6 deletions(-) + +commit 5349795dd080969318409078672c2c53c0645354 +Author: Brad Spengler +Date: Sat Feb 1 15:13:06 2014 -0500 + + remove unnecessary TODO_* flags for our passive bad cast gimple pass + + tools/gcc/randomize_layout_plugin.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a22b89b09d12e3db4b464d3b26e45c7b3a65c0ba +Author: Brad Spengler +Date: Sat Feb 1 10:55:36 2014 -0500 + + fix RANDSTRUCT plugin compatibility with gcc 4.9 + + tools/gcc/randomize_layout_plugin.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b3d5d360931c93bdeaf6fa199e29f47e7f70b17b +Author: Brad Spengler +Date: Fri Jan 31 21:52:14 2014 -0500 + + sanity check to make sure we never randomize a struct in include/uapi/* + + scripts/gen-random-seed.sh | 2 +- + tools/gcc/randomize_layout_plugin.c | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletions(-) + +commit d2057f02e759a707a700bc9c80d1f7f55afa89f1 +Author: Brad Spengler +Date: Fri Jan 31 18:11:51 2014 -0500 + + force on modversion support if RANDSTRUCT is enabled so that we're sure + no modules can be loaded that were built with a different seed + + grsecurity/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 5e1f8e0b67af1f2876f1906eab828914a1c2670b +Author: Brad Spengler +Date: Thu Jan 30 16:47:31 2014 -0500 + + Fix an extremely serious vulnerability (it's nearly an arbitrary write) introduced + in 3.4 with the addition of X32 support. Hopefully most users haven't enabled this + option, but as it's enabled now in some distros (e.g. Ubuntu, which is affected) + the chance is more likely for those importing base configs from such a distro. + + I would recommend you disable X32 support, especially if you're not using it. As + this bug could have been discovered with even a completely dumb syscall fuzzer, it + should be clear what level of testing went into X32 support. + + Normally we would have fixed this immediately, announced it, and moved on, but + this was not my bug and not my choice. So I got to wait for the likes of linux-distros + and security@kernel.org to decide when it could be fixed, while I had to continue + releasing grsecurity patches without the fix for a serious vulnerability I was aware + of for two days. I'm not happy at all about this, and this is exactly why I refuse + to work in any kind of situation where I would become aware of something that I + couldn't fix immediately. Hopefully this is the last time this will happen. + + Credits to the PaX Team for finding the bug and writing the fix. This is CVE-2014-0038. + + net/compat.c | 9 ++------- + 1 files changed, 2 insertions(+), 7 deletions(-) + +commit 9d599455aa9fb272a7160c3f8276771a5af7c74a +Merge: 6aeb51b f93afd1 +Author: Brad Spengler +Date: Wed Jan 29 21:49:00 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit f93afd1627ef450a96e96bdb2b984aefb66cb531 +Author: Brad Spengler +Date: Wed Jan 29 21:48:24 2014 -0500 + + Update to pax-linux-3.13.1-test6.patch: + - forward port to 3.13.1 + - fixed a weak UDEREF regression resulting in a kernel hang on boot, reported by Negres + + arch/x86/include/asm/uaccess_64.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 18727190851782d5ee2b5fe579e4a4c379303a34 +Merge: b9c766b 07ecf16 +Author: Brad Spengler +Date: Wed Jan 29 21:41:57 2014 -0500 + + Merge branch 'linux-3.13.y' into pax-test + +commit 6aeb51bccfcad549c3b39235df08aa043cdfa9bc +Author: Weston Andros Adamson +Date: Tue Dec 17 12:16:11 2013 -0500 + + Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d + + sunrpc: Fix infinite loop in RPC state machine + + When a task enters call_refreshresult with status 0 from call_refresh and + !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting + or max number of retries. + + Instead of trying forever, make use of the retry path that other errors use. + + This only seems to be possible when the crrefresh callback is gss_refresh_null, + which only happens when destroying the context. + + To reproduce: + + 1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific + operations). + + 2) reboot - the client will be stuck and will need to be hard rebooted + + BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46] + Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy + irq event stamp: 195724 + hardirqs last enabled at (195723): [] restore_args+0x0/0x30 + hardirqs last disabled at (195724): [] apic_timer_interrupt+0x6a/0x80 + softirqs last enabled at (195722): [] __do_softirq+0x1df/0x276 + softirqs last disabled at (195717): [] irq_exit+0x53/0x9a + CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4 + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013 + Workqueue: rpciod rpc_async_schedule [sunrpc] + task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000 + RIP: 0010:[] [] __rpc_execute+0x8a/0x362 [sunrpc] + RSP: 0018:ffff880079003d18 EFLAGS: 00000246 + RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007 + RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900 + RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7 + R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e + R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900 + FS: 0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0 + Stack: + ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830 + ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260 + ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000 + Call Trace: + [] ? trace_hardirqs_on_caller+0x145/0x1a1 + [] rpc_async_schedule+0x27/0x32 [sunrpc] + [] process_one_work+0x211/0x3a5 + [] ? process_one_work+0x172/0x3a5 + [] worker_thread+0x134/0x202 + [] ? rescuer_thread+0x280/0x280 + [] ? rescuer_thread+0x280/0x280 + [] kthread+0xc9/0xd1 + [] ? __kthread_parkme+0x61/0x61 + [] ret_from_fork+0x7c/0xb0 + [] ? __kthread_parkme+0x61/0x61 + Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00 + + And the output of "rpcdebug -m rpc -s all": + + RPC: 61 call_refresh (status 0) + RPC: 61 call_refresh (status 0) + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + RPC: 61 call_refreshresult (status 0) + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + RPC: 61 call_refreshresult (status 0) + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + RPC: 61 call_refresh (status 0) + RPC: 61 call_refreshresult (status 0) + RPC: 61 call_refresh (status 0) + RPC: 61 call_refresh (status 0) + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + RPC: 61 call_refreshresult (status 0) + RPC: 61 call_refresh (status 0) + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + RPC: 61 call_refresh (status 0) + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + RPC: 61 call_refreshresult (status 0) + RPC: 61 call_refresh (status 0) + RPC: 61 call_refresh (status 0) + RPC: 61 call_refresh (status 0) + RPC: 61 call_refresh (status 0) + RPC: 61 call_refreshresult (status 0) + RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 + + Signed-off-by: Weston Andros Adamson + Cc: stable@vger.kernel.org # 2.6.37+ + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 9ad04e13872458b4883e9f8f087cad538ae8f3e3 +Author: Scott Mayhew +Date: Fri Jan 17 15:12:05 2014 -0500 + + Upstream commit: 263b4509ec4d47e0da3e753f85a39ea12d1eff24 + + nfs: always make sure page is up-to-date before extending a write to cover the entire page + + We should always make sure the cached page is up-to-date when we're + determining whether we can extend a write to cover the full page -- even + if we've received a write delegation from the server. + + Commit c7559663 added logic to skip this check if we have a write + delegation, which can lead to data corruption such as the following + scenario if client B receives a write delegation from the NFS server: + + Client A: + # echo 123456789 > /mnt/file + + Client B: + # echo abcdefghi >> /mnt/file + # cat /mnt/file + 0�D0�abcdefghi + + Just because we hold a write delegation doesn't mean that we've read in + the entire page contents. + + Cc: # v3.11+ + Signed-off-by: Scott Mayhew + Signed-off-by: Trond Myklebust + + fs/nfs/write.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit d6a427afc951e705a45d18fe513b4a9644b54586 +Author: Trond Myklebust +Date: Fri Jan 17 17:03:41 2014 -0500 + + Upstream commit: 64590daa9e0dfb3aad89e3ab9230683b76211d5b + + NFSv4.1: Handle errors correctly in nfs41_walk_client_list + + Both nfs41_walk_client_list and nfs40_walk_client_list expect the + 'status' variable to be set to the value -NFS4ERR_STALE_CLIENTID + if the loop fails to find a match. + The problem is that the 'pos->cl_cons_state > NFS_CS_READY' changes + the value of 'status', and sets it either to the value '0' (which + indicates success), or to the value EINTR. + + Cc: stable@vger.kernel.org # 3.7.x: 7b1f1fd1842e6: NFSv4/4.1: Fix bugs in + Signed-off-by: Trond Myklebust + + fs/nfs/nfs4client.c | 8 +++++--- + 1 files changed, 5 insertions(+), 3 deletions(-) + +commit f7c465156fdef12a66d0a59114582dc4d4d7f406 +Author: Weston Andros Adamson +Date: Sun Jan 19 22:45:36 2014 -0500 + + Upstream commit: abad2fa5ba67725a3f9c376c8cfe76fbe94a3041 + + nfs4: fix discover_server_trunking use after free + + If clp is new (cl_count = 1) and it matches another client in + nfs4_discover_server_trunking, the nfs_put_client will free clp before + ->cl_preserve_clid is set. + + Cc: stable@vger.kernel.org # 3.7+ + Signed-off-by: Weston Andros Adamson + Signed-off-by: Trond Myklebust + + fs/nfs/nfs4client.c | 10 ++++------ + 1 files changed, 4 insertions(+), 6 deletions(-) + +commit d3737c02af42ac32da97dc30dac94ae7343cec14 +Author: Heiko Carstens +Date: Mon Jan 27 17:07:19 2014 -0800 + + Upstream commit: 592f6b842f64e416c7598a1b97c649b34241e22d + + compat: fix sys_fanotify_mark + + Commit 91c2e0bcae72 ("unify compat fanotify_mark(2), switch to + COMPAT_SYSCALL_DEFINE") added a new unified compat fanotify_mark syscall + to be used by all architectures. + + Unfortunately the unified version merges the split mask parameter in a + wrong way: the lower and higher word got swapped. + + This was discovered with glibc's tst-fanotify test case. + + Signed-off-by: Heiko Carstens + Reported-by: Andreas Krebbel + Cc: "James E.J. Bottomley" + Acked-by: "David S. Miller" + Acked-by: Al Viro + Cc: Benjamin Herrenschmidt + Cc: Ingo Molnar + Cc: Ralf Baechle + Cc: [3.10+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/notify/fanotify/fanotify_user.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit ae72596a96d46255c781f07ee2de05abe57d43ff +Merge: 5254ff7 b9c766b +Author: Brad Spengler +Date: Tue Jan 28 18:23:25 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b9c766bc9706fcfe5bbe0df099178e8eaa643327 +Author: Brad Spengler +Date: Tue Jan 28 18:22:46 2014 -0500 + + Update to pax-linux-3.13-test6.patch: + - fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli + - fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs + + arch/x86/kernel/entry_64.S | 22 ++++++++++++---------- + include/linux/skbuff.h | 2 +- + 2 files changed, 13 insertions(+), 11 deletions(-) + +commit 5254ff73f13759d893213092da5fd654ca22960f +Merge: 7e5aad2 c956349 +Author: Brad Spengler +Date: Mon Jan 27 22:52:22 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit c956349a3335c72308d1bce7524f2e0f521ff709 +Author: Brad Spengler +Date: Mon Jan 27 22:51:57 2014 -0500 + + Update to pax-linux-3.13-test5.patch: + - new size overflow hash table from spender + - backported http://git.kernel.org/linus/34228d473ef + - fixed CONFIG_MEM_SOFT_DIRTY interference with _PAGE_NX on x86 + - fixed the size overflow plugin for gcc 4.9, by Emese Revfy + + arch/x86/include/asm/pgtable_types.h | 2 +- + mm/mmap.c | 12 +++++++++- + tools/gcc/gcc-common.h | 2 + + tools/gcc/size_overflow_hash.data | 33 ++++++++++++++++++++++++++-- + tools/gcc/size_overflow_plugin.c | 38 +++++++++++++++++----------------- + 5 files changed, 62 insertions(+), 25 deletions(-) + +commit 7e5aad2c98c49f82bdd6a6949133c0393b743e4a +Author: Brad Spengler +Date: Mon Jan 27 21:12:59 2014 -0500 + + update size_overflow hash table + + tools/gcc/size_overflow_hash.data | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 9583ac30e401a97397c5a4a30564521bc2d8afeb +Author: Brad Spengler +Date: Mon Jan 27 20:33:30 2014 -0500 + + Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option + + tools/gcc/randomize_layout_plugin.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f4afefdb6f09d22d5c0a74cf2a3ff4f44a67a8c8 +Author: Brad Spengler +Date: Mon Jan 27 20:30:10 2014 -0500 + + Make all grsecurity code GPLv2 only for future releases. Not really + important as grsecurity is a derivative work of the Linux kernel and + thus forced to be GPLv2, the "or higher" was superfluous. + + grsecurity/Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 718e2b2400f29a7fa414c6c5d383f82658a3457f +Author: Brad Spengler +Date: Sun Jan 26 22:22:52 2014 -0500 + + update size_overflow hash table + + tools/gcc/size_overflow_hash.data | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit a4369fd780e658a9d26bedc53415261286caefe5 +Merge: c93ceb8 f3b1213 +Author: Brad Spengler +Date: Sun Jan 26 21:24:43 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit f3b12134d032b0bfc2a9fc2183a50fabcaabdbf5 +Author: Brad Spengler +Date: Sun Jan 26 21:24:17 2014 -0500 + + Update to pax-linux-3.13-test4.patch: + - fixed a constify plugin regression, reported by spender + - updated gcc-common.h + + tools/gcc/constify_plugin.c | 4 +- + tools/gcc/gcc-common.h | 68 +++++++++++++++++++++++++++++++++++++++--- + 2 files changed, 65 insertions(+), 7 deletions(-) + +commit 962a3acff3d42cf360932f438a666224b8597012 +Author: Brad Spengler +Date: Sun Jan 26 21:24:01 2014 -0500 + + Revert "fix an assert triggering in constify plugin update, real fix coming later" + + This reverts commit 899baaf06fdd79f9b9b410a414695ba7b80f6203. + + tools/gcc/constify_plugin.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit c93ceb8d5ed604ddd5580de9a764fc411824c5c0 +Author: Brad Spengler +Date: Sun Jan 26 21:18:31 2014 -0500 + + update size_overflow hash table + + tools/gcc/size_overflow_hash.data | 19 ++++++++++++++++++- + 1 files changed, 18 insertions(+), 1 deletions(-) + +commit b42c965a52f58915c8fd048749c1dc5bcf373339 +Merge: 663306e 899baaf +Author: Brad Spengler +Date: Sun Jan 26 20:35:52 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 899baaf06fdd79f9b9b410a414695ba7b80f6203 +Author: Brad Spengler +Date: Sun Jan 26 20:34:49 2014 -0500 + + fix an assert triggering in constify plugin update, real fix coming later + + tools/gcc/constify_plugin.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit 663306edb8f76d8be46c39ba6aafcdec3e000ab1 +Author: Brad Spengler +Date: Sun Jan 26 18:24:44 2014 -0500 + + fix typo + + tools/gcc/randomize_layout_plugin.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4539e5f2729719d07095cf267ea426524f7dc8f9 +Author: Brad Spengler +Date: Sun Jan 26 18:22:33 2014 -0500 + + Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h + + tools/gcc/randomize_layout_plugin.c | 77 +++++++++++++++++++---------------- + 1 files changed, 42 insertions(+), 35 deletions(-) + +commit 3344ccde1ca59e4e0a4105f25ffbab561e5ee582 +Merge: ff96162 0b83e85 +Author: Brad Spengler +Date: Sun Jan 26 18:04:38 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 0b83e85c64c9e6e4328cac45d980cdd7e088f157 +Author: Brad Spengler +Date: Sun Jan 26 18:03:50 2014 -0500 + + Update to pax-linux-3.13-test3.patch: + - gcc plugin updates + - ported them to gcc trunk (future 4.9) + - introduced gcc-common.h to simplify gcc version dependencies + - updated size overflow hash table from spender + - fixed kallocstat to detect constant size arguments early + - fixed constify to preserve type qualifiers on pointer-to-self fields + - added a few sparse/checker annotations and changes to satisfy gcc's address space logic + - fixed the TRACE_IRQFLAGS problem reported by minipli again + + arch/x86/ia32/ia32_signal.c | 6 +- + arch/x86/include/asm/uaccess_64.h | 4 +- + arch/x86/kernel/entry_64.S | 112 ++++---- + arch/x86/kernel/preempt.S | 3 + + arch/x86/kernel/tboot.c | 2 +- + arch/x86/kernel/xsave.c | 8 +- + arch/x86/lib/thunk_64.S | 2 +- + block/compat_ioctl.c | 2 +- + drivers/gpu/drm/drm_crtc.c | 2 +- + drivers/gpu/drm/qxl/qxl_ioctl.c | 6 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 +- + drivers/media/v4l2-core/v4l2-ctrls.c | 4 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 2 +- + drivers/mmc/card/block.c | 2 +- + drivers/net/macvtap.c | 2 +- + drivers/vhost/vringh.c | 18 +- + drivers/video/fbmem.c | 2 +- + fs/compat_ioctl.c | 2 +- + fs/exec.c | 2 +- + fs/proc/vmcore.c | 4 +- + include/uapi/linux/videodev2.h | 2 +- + ipc/compat.c | 2 +- + kernel/compat.c | 2 +- + kernel/kmod.c | 4 +- + net/9p/client.c | 6 +- + net/compat.c | 2 +- + net/core/filter.c | 2 +- + net/netfilter/nft_compat.c | 4 +- + net/socket.c | 6 +- + net/tipc/subscr.c | 2 +- + sound/pci/hda/hda_codec.c | 2 +- + tools/gcc/Makefile | 2 +- + tools/gcc/checker_plugin.c | 30 +-- + tools/gcc/colorize_plugin.c | 62 +++-- + tools/gcc/constify_plugin.c | 105 ++++---- + tools/gcc/gcc-common.h | 207 +++++++++++++++ + tools/gcc/kallocstat_plugin.c | 164 +++++++------ + tools/gcc/kernexec_plugin.c | 333 ++++++++++++++---------- + tools/gcc/latent_entropy_plugin.c | 146 +++++------ + tools/gcc/size_overflow_hash.data | 68 +++++- + tools/gcc/size_overflow_plugin.c | 348 +++++++++++-------------- + tools/gcc/stackleak_plugin.c | 236 +++++++++-------- + tools/gcc/structleak_plugin.c | 90 +++---- + 43 files changed, 1149 insertions(+), 871 deletions(-) + +commit ff9616214c2e875db763bd395dce11df378df896 +Author: Brad Spengler +Date: Sun Jan 26 13:35:44 2014 -0500 + + pass hashed seed define as a string + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 39961e3ad1abacccc8a2de280868bcfe52a1edff +Author: Brad Spengler +Date: Sun Jan 26 12:44:21 2014 -0500 + + add a sha256-hashed version of the seed to modversion to ensure no + modules compiled with another seed can be loaded + + Documentation/dontdiff | 1 + + Makefile | 4 +++- + include/linux/vermagic.h | 8 +++++++- + scripts/gen-random-seed.sh | 2 +- + tools/gcc/.gitignore | 1 + + 5 files changed, 13 insertions(+), 3 deletions(-) + +commit 1df9ff15112f3713997ac10e915b99ad99d2e33a +Author: Brad Spengler +Date: Sun Jan 26 11:26:44 2014 -0500 + + Force HIDESYM on if RANDSTRUCT is used, just in case there is a user + who already isn't enabling it (to prevent the seed from potentially being + visible to other users if compiled on the same machine). + Suggested by minipli + + grsecurity/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 5ee75cac712d37f79de1e6f509a18749258b2085 +Author: Brad Spengler +Date: Sun Jan 26 01:01:31 2014 -0500 + + Update size_overflow hash table + + tools/gcc/size_overflow_hash.data | 19 +++++++++++++++++-- + 1 files changed, 17 insertions(+), 2 deletions(-) + +commit d87a88e0b3298c9d39bb7b3257dabb8fc17b8e9c +Author: Brad Spengler +Date: Sat Jan 25 22:19:55 2014 -0500 + + update to new mount_lock + + grsecurity/gracl.c | 24 +++++++++++------------- + 1 files changed, 11 insertions(+), 13 deletions(-) + +commit 677d1d169912d98b7a139563ab7f7fb82ee6c3c5 +Author: Brad Spengler +Date: Sat Jan 25 19:05:59 2014 -0500 + + compile fix + + init/main.c | 4 ---- + 1 files changed, 0 insertions(+), 4 deletions(-) + +commit c8496c1e0bb5cbed7aff11ee208a7a89ffd80b40 +Author: Brad Spengler +Date: Sat Jan 25 19:00:50 2014 -0500 + + resync random code with 3.13 + + include/linux/random.h | 4 ++++ + include/uapi/linux/random.h | 7 ------- + 2 files changed, 4 insertions(+), 7 deletions(-) + +commit 3d168ee50cb706276c805ae1d6a5e8417a91067a +Author: Brad Spengler +Date: Sat Jan 25 14:54:11 2014 -0500 + + Fix another compiler error caught by RANDSTRUCT + + Signed-off-by: Brad Spengler + + sound/isa/sb/emu8000_synth.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit bc4a5595404b985a2b17e84d29765b7af7e968ca +Author: Brad Spengler +Date: Sat Jan 25 14:34:12 2014 -0500 + + Fix another compiler error caught by RANDSTRUCT + + Signed-off-by: Brad Spengler + + drivers/net/wan/z85230.c | 24 ++++++++++++------------ + 1 files changed, 12 insertions(+), 12 deletions(-) + +commit 0f0da7cb40431fe816aa356499bff026452cfc44 +Author: Brad Spengler +Date: Sat Jan 25 14:30:46 2014 -0500 + + fix compilation with RANDSTRUCT plugin + + Signed-off-by: Brad Spengler + + sound/drivers/opl4/opl4_seq.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 97d6cc865b9cf64fada1fcaabfa923fecee54ef7 +Author: Brad Spengler +Date: Sat Jan 25 14:16:18 2014 -0500 + + avoid problems by just building our fake field decl node from scratch + + Signed-off-by: Brad Spengler + + tools/gcc/randomize_layout_plugin.c | 10 +++++----- + 1 files changed, 5 insertions(+), 5 deletions(-) + +commit 6455dfb41e9c0d3f26f00ef2f505bd0f74aa8dca +Author: Brad Spengler +Date: Sat Jan 25 13:45:18 2014 -0500 + + while in non-debug mode, don't emit notes for non-randomized struct types + + clear all signs from our fake field decl of being a bitfield + + Signed-off-by: Brad Spengler + + tools/gcc/randomize_layout_plugin.c | 11 +++++++++++ + 1 files changed, 11 insertions(+), 0 deletions(-) + +commit 35909486eebb6c1ab27956ef6cc35e19e19282a2 +Author: Brad Spengler +Date: Sat Jan 25 12:56:05 2014 -0500 + + revert change to read-only marking of fake struct field + + Signed-off-by: Brad Spengler + + tools/gcc/randomize_layout_plugin.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit bbd5d12c912390e0bdb6ddde81279b579fc94edb +Author: Brad Spengler +Date: Sat Jan 25 12:42:48 2014 -0500 + + Update RANDSTRUCT plugin help + + Signed-off-by: Brad Spengler + + tools/gcc/randomize_layout_plugin.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 0d829e61f501ae59387a6e1d0f9060d5555ac588 +Author: Brad Spengler +Date: Sat Jan 25 12:25:43 2014 -0500 + + Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs randomization of marked sensitive kernel structures + + automatically enabled by GRKERNSEC_CONFIG_AUTO + performance mode is activated if the config priority is set to performance + + Signed-off-by: Brad Spengler + + Documentation/dontdiff | 1 + + Makefile | 12 +- + arch/x86/include/asm/floppy.h | 20 +- + arch/x86/include/asm/paravirt_types.h | 23 +- + arch/x86/include/asm/processor.h | 2 +- + drivers/acpi/acpica/hwxfsleep.c | 11 +- + drivers/block/cciss.h | 30 +- + drivers/block/drbd/drbd_interval.c | 6 +- + drivers/block/smart1,2.h | 40 +- + drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- + drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- + drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- + drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- + drivers/infiniband/hw/nes/nes_cm.c | 22 +- + drivers/isdn/gigaset/bas-gigaset.c | 32 +- + drivers/isdn/gigaset/ser-gigaset.c | 32 +- + drivers/isdn/gigaset/usb-gigaset.c | 32 +- + drivers/isdn/i4l/isdn_concap.c | 6 +- + drivers/isdn/i4l/isdn_x25iface.c | 16 +- + drivers/misc/sgi-xp/xp_main.c | 12 +- + drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- + drivers/net/wan/lmc/lmc_media.c | 97 ++-- + drivers/scsi/bfa/bfa_fcs.c | 19 +- + drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- + drivers/scsi/bfa/bfa_modules.h | 12 +- + drivers/scsi/hpsa.h | 20 +- + drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- + drivers/staging/lustre/lustre/libcfs/module.c | 10 +- + drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- + drivers/video/matrox/matroxfb_DAC1064.c | 10 +- + drivers/video/matrox/matroxfb_Ti3026.c | 5 +- + fs/mount.h | 4 +- + fs/proc/internal.h | 4 +- + fs/reiserfs/item_ops.c | 24 +- + grsecurity/Kconfig | 31 +- + include/linux/compiler-gcc4.h | 5 + + include/linux/compiler.h | 8 + + include/linux/cred.h | 4 +- + include/linux/dcache.h | 2 +- + include/linux/fs.h | 14 +- + include/linux/fs_struct.h | 2 +- + include/linux/ipc_namespace.h | 2 +- + include/linux/kobject.h | 2 +- + include/linux/mm_types.h | 4 +- + include/linux/module.h | 4 +- + include/linux/mount.h | 2 +- + include/linux/pid_namespace.h | 2 +- + include/linux/proc_ns.h | 2 +- + include/linux/rbtree_augmented.h | 4 +- + include/linux/sched.h | 6 +- + include/linux/sysctl.h | 2 +- + include/linux/tty.h | 2 +- + include/linux/tty_driver.h | 2 +- + include/linux/user_namespace.h | 2 +- + include/linux/utsname.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 2 +- + lib/rbtree.c | 4 +- + net/atm/lec.c | 6 +- + net/atm/mpoa_caches.c | 42 +- + net/decnet/dn_dev.c | 2 +- + net/vmw_vsock/vmci_transport_notify.c | 30 +- + net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- + net/x25/sysctl_net_x25.c | 2 +- + scripts/Makefile | 2 + + scripts/gen-random-seed.sh | 8 + + sound/core/seq/oss/seq_oss.c | 4 +- + sound/core/seq/seq_midi.c | 4 +- + sound/drivers/opl3/opl3_seq.c | 4 +- + sound/pci/emu10k1/emu10k1_synth.c | 4 +- + sound/synth/emux/emux_seq.c | 14 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 2 + + tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++ + 74 files changed, 1222 insertions(+), 390 deletions(-) + +commit 301f9fc40e1bed50d31034a192bc95874d5bf3b6 +Author: Brad Spengler +Date: Sun Jan 19 09:00:56 2014 -0500 + + compile fix + + Signed-off-by: Brad Spengler + + include/linux/random.h | 4 ---- + include/uapi/linux/random.h | 7 +++++++ + 2 files changed, 7 insertions(+), 4 deletions(-) + +commit b79910431008b8ce731d45aa3aecc75fe33c928c +Author: Hannes Frederic Sowa +Date: Mon Nov 11 12:20:34 2013 +0100 + + Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9 + + random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized + + The Tausworthe PRNG is initialized at late_initcall time. At that time the + entropy pool serving get_random_bytes is not filled sufficiently. This + patch adds an additional reseeding step as soon as the nonblocking pool + gets marked as initialized. + + On some machines it might be possible that late_initcall gets called after + the pool has been initialized. In this situation we won't reseed again. + + (A call to prandom_seed_late blocks later invocations of early reseed + attempts.) + + Joint work with Daniel Borkmann. + + Cc: Eric Dumazet + Cc: Theodore Ts'o + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: Daniel Borkmann + Acked-by: "Theodore Ts'o" + Signed-off-by: David S. Miller + + Conflicts: + + lib/random32.c + Signed-off-by: Brad Spengler + + drivers/char/random.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 31dee23268ac47eaaafacb186229bc14fb84fa9b +Author: Brad Spengler +Date: Sat Jan 18 20:43:43 2014 -0500 + + Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls + + Signed-off-by: Brad Spengler + + net/socket.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit ffccf022adef560230b6a641c612f33600ce0e6b +Author: Brad Spengler +Date: Wed Jan 8 20:24:27 2014 -0500 + + zeroing out btime from /proc/stat breaks ps aux, it's the seconds of uptime for the system, information which is also available elsewhere (/proc/uptime), so there's no reason to limit it + + Signed-off-by: Brad Spengler + + fs/proc/stat.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit a96a6e3b96ffa8c96fa3939c109dc783de2110e0 +Author: Brad Spengler +Date: Wed Jan 8 18:13:15 2014 -0500 + + fix typo + + Signed-off-by: Brad Spengler + + mm/vmstat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4c084ac8468cdd4bbb8458fae4d0b6d2d1d5afd1 +Author: Brad Spengler +Date: Wed Jan 8 18:06:53 2014 -0500 + + provide a zeroed out /proc/vmstat to unprivileged users instead of denied access, some poorly-written desktop apps bail out completely when it can't be opened + + Signed-off-by: Brad Spengler + + mm/vmstat.c | 21 +++++++++++++++------ + 1 files changed, 15 insertions(+), 6 deletions(-) + +commit e0d003dfd4911828f08fa93da2138c9f3be4f352 +Author: Brad Spengler +Date: Wed Jan 8 17:46:46 2014 -0500 + + back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers + + Signed-off-by: Brad Spengler + + drivers/pci/pci-sysfs.c | 9 --------- + drivers/pci/proc.c | 3 --- + 2 files changed, 0 insertions(+), 12 deletions(-) + +commit 0a0823fe85e85b9ad92131a35fe57e9aebc30260 +Author: Brad Spengler +Date: Thu Jan 2 17:05:39 2014 -0500 + + add missing #include + + Signed-off-by: Brad Spengler + + fs/proc/stat.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 867c7a59c12374d99c59b9c99a1bf8214583baad +Author: Brad Spengler +Date: Thu Jan 2 17:02:24 2014 -0500 + + Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc) + + Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0 + checks currently + + Signed-off-by: Brad Spengler + + drivers/pci/pci-sysfs.c | 17 +++++++---------- + drivers/pci/proc.c | 13 ++----------- + drivers/pci/syscall.c | 4 ---- + 3 files changed, 9 insertions(+), 25 deletions(-) + +commit e9075cc0c4bab695e2eea8e8ba8f8acfa3cef2ed +Author: Brad Spengler +Date: Tue Dec 31 10:30:20 2013 -0500 + + Resolve compatibility with libgtop and recent restriction of /proc/stat, reported by KacKurx. We now provide a properly-formatted but zeroed /proc/stat instead of denying unpriv access to the entry + + Signed-off-by: Brad Spengler + + fs/proc/stat.c | 34 ++++++++++++++++++++++++---------- + 1 files changed, 24 insertions(+), 10 deletions(-) + +commit 7a559ce128070d9d79bf4490a258dba677fa741e +Author: Brad Spengler +Date: Mon Dec 30 11:19:53 2013 -0500 + + Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy Kulikov: http://www.openwall.com/lists/kernel-hardening/2011/11/07/1 + + Signed-off-by: Brad Spengler + + fs/proc/interrupts.c | 4 ++++ + fs/proc/stat.c | 4 ++++ + 2 files changed, 8 insertions(+), 0 deletions(-) + +commit 3898c8157466ff87ef613785f207c019ba8174cb +Author: Brad Spengler +Date: Mon Dec 30 11:13:49 2013 -0500 + + Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information. + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 16 ++++++++++------ + grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++--- + include/linux/grmsg.h | 2 +- + ipc/util.c | 3 ++- + 4 files changed, 42 insertions(+), 11 deletions(-) + +commit 2a5eb70e0981fd24168be9e5d1c30735a922edca +Author: Brad Spengler +Date: Thu Dec 26 19:20:26 2013 -0500 + + add missing #include + + Signed-off-by: Brad Spengler + + grsecurity/grsec_mount.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7d66c996e754d41be945e7a2997b364643a13977 +Author: Brad Spengler +Date: Thu Dec 26 15:51:51 2013 -0500 + + Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit bc9b4fe1db97c913b2c1163a90805c52c0f0df65 +Author: Brad Spengler +Date: Thu Dec 26 15:35:31 2013 -0500 + + Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig). + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + grsecurity/grsec_mount.c | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +commit 2b5ad27e4a323648a0db99a9fa3f27b042dd70f0 +Author: Brad Spengler +Date: Wed Dec 25 16:37:02 2013 -0500 + + Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532 + + Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not + the other way around (to produce more secure settings when distro + configs are used as a base) + + Signed-off-by: Brad Spengler + + drivers/acpi/custom_method.c | 4 ++++ + drivers/pci/pci-sysfs.c | 12 ++++++++++++ + drivers/pci/proc.c | 12 ++++++++++++ + drivers/pci/syscall.c | 4 ++++ + drivers/platform/x86/asus-wmi.c | 12 ++++++++++++ + kernel/power/Kconfig | 2 ++ + security/Kconfig | 1 - + 7 files changed, 46 insertions(+), 1 deletions(-) + +commit c70c49f956beb3d785ca20466c4e5c1d84d7356b +Author: Brad Spengler +Date: Wed Dec 25 15:11:51 2013 -0500 + + remove unused 'dentry' variable + + Signed-off-by: Brad Spengler + + fs/xattr.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit cb20fb467591aa2a85a8c12a1bc215a01ed75b18 +Author: Brad Spengler +Date: Wed Dec 25 15:03:13 2013 -0500 + + Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use. + + Signed-off-by: Brad Spengler + + fs/xattr.c | 18 +++++++++++------- + grsecurity/gracl_fs.c | 6 ++++++ + grsecurity/grsec_disabled.c | 6 ++++++ + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 2 ++ + 5 files changed, 27 insertions(+), 8 deletions(-) + +commit 482ec0da63b38a9c20cc2205bc7ea87a3985d164 +Author: Brad Spengler +Date: Fri Dec 20 20:18:56 2013 -0500 + + compile fix + + Signed-off-by: Brad Spengler + + fs/stat.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 038cc5994b483905c9c0b9e6259a84f7333becc2 +Author: Brad Spengler +Date: Fri Dec 13 19:39:54 2013 -0500 + + Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy) + + In practice this causes bogus auditing messages for / and could potentially + cause a subject without executable shared memory support to permit executable + shared memory (if PaX is disabled on the binary). + + Instead just allocate these two special objects with kzalloc at enable time + and free them at disable time. + + Thanks to nyt@countercultured.net for the report + + Signed-off-by: Brad Spengler + + grsecurity/gracl_policy.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit b67b5e4666934693bb1fc4804ca60724f98a54d7 +Author: Brad Spengler +Date: Wed Dec 4 18:15:02 2013 -0500 + + Don't duplicate __get_dumpable, also make sure we check against SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing detection when suid_dumpable was set to 2 + + Signed-off-by: Brad Spengler + + fs/coredump.c | 7 +++++-- + grsecurity/grsec_sig.c | 14 ++------------ + include/linux/grsecurity.h | 2 +- + 3 files changed, 8 insertions(+), 15 deletions(-) + +commit ad3f9d56b43c4c448d5ba55d4e073e66a59898d7 +Author: Brad Spengler +Date: Tue Dec 3 19:39:04 2013 -0500 + + Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 The previous info was many years outdated. + + Disable KEXEC when GRKERNSEC_KMEM is enabled: + http://mjg59.dreamwidth.org/28746.html + + Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning + -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present + + Signed-off-by: Brad Spengler + + arch/arm/Kconfig | 1 + + arch/ia64/Kconfig | 1 + + arch/mips/Kconfig | 1 + + arch/powerpc/Kconfig | 1 + + arch/tile/Kconfig | 1 + + arch/x86/Kconfig | 1 + + arch/x86/kernel/ioport.c | 12 ++++++------ + grsecurity/Kconfig | 27 +++++++++++---------------- + 8 files changed, 23 insertions(+), 22 deletions(-) + +commit 7044221d2d6e8d8e8fa26d5c30c72bd6e1d9b599 +Author: Brad Spengler +Date: Tue Nov 26 15:16:48 2013 -0500 + + Fix null deref on application of the shutdown role, reported by zakalwe + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++- + grsecurity/gracl_policy.c | 58 ++++----------------------------------------- + 2 files changed, 62 insertions(+), 54 deletions(-) + +commit 1f894d3a1357fa9c7b2f849079546115fc797fd8 +Author: Brad Spengler +Date: Tue Nov 26 13:04:07 2013 -0500 + + Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root + + Signed-off-by: Brad Spengler + + kernel/kmod.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit aa561a3ad4b30e8c03837ff96bbcd868e363cb21 +Author: Brad Spengler +Date: Tue Nov 26 12:59:00 2013 -0500 + + Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe + + Signed-off-by: Brad Spengler + + grsecurity/gracl_policy.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b031d4f071e25462e94f742166b0ea6b8874dae4 +Author: Brad Spengler +Date: Mon Nov 25 22:33:33 2013 -0500 + + compile fix + + Signed-off-by: Brad Spengler + + kernel/kmod.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 00a30755e85c7dbfd1042a0f4c5d911e288c8cc9 +Author: Brad Spengler +Date: Mon Nov 25 12:01:21 2013 -0500 + + Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity + + Signed-off-by: Brad Spengler + + kernel/kmod.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7177ab477fcc5d670718dafba3f6a454ed2e121e +Author: Brad Spengler +Date: Sun Nov 24 22:49:05 2013 -0500 + + Revert "HID: multitouch: validate feature report details" + + This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684. + + Signed-off-by: Brad Spengler + + drivers/hid/hid-multitouch.c | 25 +++++-------------------- + 1 files changed, 5 insertions(+), 20 deletions(-) + +commit f0d33fb85de097278d1ae605c3d98fc99b578d56 +Author: Brad Spengler +Date: Sun Nov 24 22:48:49 2013 -0500 + + Revert "HID: lenovo-tpkbd: validate output report details" + + This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a. + + Signed-off-by: Brad Spengler + + drivers/hid/hid-lenovo-tpkbd.c | 5 ----- + 1 files changed, 0 insertions(+), 5 deletions(-) + +commit 0c2a1258705b5c90732c2895664965da6a16bebc +Author: Brad Spengler +Date: Sun Nov 24 22:48:33 2013 -0500 + + Revert "HID: steelseries: validate output report details" + + This reverts commit 0996966348dc3c3f7515567d3245292785d484fc. + + Signed-off-by: Brad Spengler + + drivers/hid/hid-steelseries.c | 5 ----- + 1 files changed, 0 insertions(+), 5 deletions(-) + +commit b17b436bd1781a43866931ce6b6ba2811882ade5 +Author: Brad Spengler +Date: Sun Nov 24 22:08:33 2013 -0500 + + add missing header + + Signed-off-by: Brad Spengler + + fs/proc/proc_sysctl.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 45eefce5c5dc37368ed21d2b22a2d15973b7c06b +Author: Brad Spengler +Date: Sun Nov 24 22:04:55 2013 -0500 + + Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace + + Signed-off-by: Brad Spengler + + fs/proc/proc_sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 804611c10dcd6e9486cf374fcbfb2053a80f918d +Author: Brad Spengler +Date: Sun Nov 24 17:50:21 2013 -0500 + + remove unnecessary code/comments after new reload method + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ---- + grsecurity/gracl_policy.c | 13 ------------- + 2 files changed, 0 insertions(+), 17 deletions(-) + +commit 4aeb0dc39f03db1c2c55ebc0cb7797289948a872 +Author: Brad Spengler +Date: Sun Nov 24 16:05:01 2013 -0500 + + Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) + + Introduce new atomic RBAC reload method, developed as part of sponsorship + by EIG + + This is accompanied by an updated 3.0 gradm which will use the new reload + method when -R is passed to gradm. The old method will still be available + via gradm -r (which is what a 2.9.1 gradm will continue to use). + + The new RBAC reload method is atomic in the sense that at no point in the + reload process will the system not be covered by a coherent full policy. + In contrast to previous reload behavior, it also preserves inherited subjects + and special roles. + + The old RBAC reload method has also been made atomic. Both methods have + been updated to perform role_allowed_ip checks only against the IP tagged + to the task at the time its role was first applied or changed. This resolves + long-standing usability problems with the use of role_allowed_ip and matches + the policies created by learning. + + Signed-off-by: Brad Spengler + + grsecurity/Makefile | 2 +- + grsecurity/gracl.c | 3903 +++++++++++++------------------------------ + grsecurity/gracl_alloc.c | 42 +- + grsecurity/gracl_compat.c | 3 +- + grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ + grsecurity/gracl_segv.c | 12 +- + grsecurity/grsec_disabled.c | 7 - + grsecurity/grsec_init.c | 15 - + include/linux/gracl.h | 43 +- + include/linux/grinternal.h | 1 - + include/linux/grsecurity.h | 1 - + include/linux/sched.h | 2 + + 12 files changed, 3082 insertions(+), 2787 deletions(-) + +commit cdfd01e44815f0e0cb700b5597b3b2eb44352903 +Author: Brad Spengler +Date: Sun Nov 24 15:08:28 2013 -0500 + + compile fix for recent GRKERNSEC_CHROOT_INITRD change + + Signed-off-by: Brad Spengler + + init/main.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit 3ac09de20b5b3967c77a59ed064cd05e607ecca8 +Author: Brad Spengler +Date: Sat Nov 23 18:27:37 2013 -0500 + + Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path + + Signed-off-by: Brad Spengler + + include/linux/kmod.h | 3 +++ + kernel/kmod.c | 13 +++++++++++++ + 2 files changed, 16 insertions(+), 0 deletions(-) + +commit 7fc979f0a8ffdc501b57e0c9c8b5251b8458d98e +Author: Brad Spengler +Date: Sat Nov 23 17:20:15 2013 -0500 + + Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. + + Reported by acez on IRC + + Signed-off-by: Brad Spengler + + arch/arm/mm/fault.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit 9b5ffb45694e2381a73275b029d1cde3ba090555 +Author: Brad Spengler +Date: Sat Nov 23 16:56:46 2013 -0500 + + Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. + + Conflicts: + + init/main.c + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 2 +- + grsecurity/grsec_chroot.c | 2 +- + init/main.c | 15 +++++++++++++++ + 3 files changed, 17 insertions(+), 2 deletions(-) + +commit 71ea2cc2fb940a4eaa6a4f6e5084efc91197bed1 +Author: Brad Spengler +Date: Sat Nov 23 16:33:20 2013 -0500 + + limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected + + Signed-off-by: Brad Spengler + + kernel/kmod.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit 36895fdbcf3b528221475a894076611c6340bc6f +Author: Brad Spengler +Date: Sat Nov 23 16:02:01 2013 -0500 + + perform USERCOPY kernel text checks against the linear mapping on amd64 as well + + Signed-off-by: Brad Spengler + + fs/exec.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit 47474491a88a18956b3c23a0f8ea5a793aeaaf0b +Author: Brad Spengler +Date: Fri Nov 22 20:31:37 2013 -0500 + + Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" + + This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. + + It caused errors with traceroute, reported to upstream and fixed with + http://patchwork.ozlabs.org/patch/293614/ + But there's no reason for us to maintain this backport as we're + already impervious to recvmsg/msg_name infoleaks + + Conflicts: + + net/ipv4/ping.c + + Signed-off-by: Brad Spengler + + net/ieee802154/dgram.c | 3 ++- + net/ipv4/ping.c | 11 +++++++++-- + net/ipv4/raw.c | 4 +++- + net/ipv4/udp.c | 7 ++++++- + net/ipv6/raw.c | 4 +++- + net/ipv6/udp.c | 5 ++++- + net/l2tp/l2tp_ip.c | 4 +++- + net/phonet/datagram.c | 9 +++++---- + 8 files changed, 35 insertions(+), 12 deletions(-) + +commit 8aeb360164c3165b8d843b90776f92748cb0826f +Author: Brad Spengler +Date: Thu Nov 14 20:15:51 2013 -0500 + + GRKERNSEC_HARDEN_IPC should depend on SYSVIPC + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 65982aa12f534a722a92dd211e9b2461cac099cd +Author: Brad Spengler +Date: Thu Nov 14 19:07:11 2013 -0500 + + Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows + + Signed-off-by: Brad Spengler + + arch/arm/mm/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c07ac5819bfcbb29fe75896f409517acc95f09d0 +Author: Brad Spengler +Date: Thu Nov 14 19:01:59 2013 -0500 + + Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ + + Will let this sit in -test for a while to weed out any app incompatibilities + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 17 +++++++++++++++++ + grsecurity/Makefile | 2 +- + grsecurity/grsec_init.c | 4 ++++ + grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ + grsecurity/grsec_sysctl.c | 9 +++++++++ + include/linux/grinternal.h | 1 + + include/linux/grmsg.h | 1 + + ipc/util.c | 5 +++++ + 8 files changed, 60 insertions(+), 1 deletions(-) + +commit 7a03cf3e714a075ce6d1b1c4e2cbe269968c32d9 +Author: Brad Spengler +Date: Mon Nov 11 10:48:10 2013 -0500 + + Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c + + Signed-off-by: Brad Spengler + + drivers/video/arcfb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1822dec9af44fef43a2092fbb98d986d40688e92 +Author: Brad Spengler +Date: Sun Nov 10 22:01:33 2013 -0500 + + Add missing include + + Signed-off-by: Brad Spengler + + fs/proc/proc_sysctl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 252aafc936113beb2c4b654c51ca4f69e34e7ece +Author: Brad Spengler +Date: Sun Nov 10 17:50:12 2013 -0500 + + add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND + + Signed-off-by: Brad Spengler + + arch/arm/mm/Kconfig | 2 +- + grsecurity/Kconfig | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletions(-) + +commit d91a8c0aac4fd7d52d861fa389d094b0dbe69d8b +Author: Brad Spengler +Date: Sun Nov 10 15:19:27 2013 -0500 + + On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. + + Thanks to acez from IRC for debugging. + + Signed-off-by: Brad Spengler + + mm/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 521a19248a7f3ae875854835be586208d7e94362 +Author: Brad Spengler +Date: Sun Nov 10 13:54:25 2013 -0500 + + Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own + + This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's + networking + + Thanks to ncopa from IRC for testing + + Signed-off-by: Brad Spengler + + fs/proc/proc_sysctl.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 88abc9f686cef116d741924e96c8264c6feeb280 +Author: Brad Spengler +Date: Wed Nov 6 16:23:36 2013 -0500 + + Force on DEBUG_LIST so all users can benefit from safe linking/unlinking + + Conflicts: + + security/Kconfig + + Signed-off-by: Brad Spengler + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit ca2e0bc771e1868a1b993013d725ab602d8e0454 +Author: Brad Spengler +Date: Wed Nov 6 16:19:21 2013 -0500 + + change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence + + Conflicts: + + lib/list_debug.c + + Signed-off-by: Brad Spengler + + lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- + 1 files changed, 42 insertions(+), 23 deletions(-) + +commit 9f9fda5bdad944095d49943719343439cebceb34 +Author: Linus Torvalds +Date: Tue Oct 29 10:21:34 2013 -0700 + + Fixed a little differently than Linus... + + Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 + + Fix a few incorrectly checked [io_]remap_pfn_range() calls + + Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that + really should use the vm_iomap_memory() helper. This trivially converts + two of them to the helper, and comments about why the third one really + needs to continue to use remap_pfn_range(), and adds the missing size + check. + + Reported-by: Nico Golde + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/uio/uio.c | 6 +++++- + 1 files changed, 5 insertions(+), 1 deletions(-) + +commit 0f332bf501f3c2035c63fc3e58f07be9cc96924b +Author: Brad Spengler +Date: Fri Sep 27 21:06:17 2013 -0400 + + Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change + + Signed-off-by: Brad Spengler + + grsecurity/gracl_ip.c | 7 +++---- + net/socket.c | 26 +++++++++++++++----------- + 2 files changed, 18 insertions(+), 15 deletions(-) + +commit d6aeef5cb3bbaa011f74eb38133043965302cc32 +Author: Brad Spengler +Date: Sun Sep 22 18:14:07 2013 -0400 + + Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" + + This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. + + Signed-off-by: Brad Spengler + + net/netlink/genetlink.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit 02b18c56607ff93f00659ee100517bba70972aca +Author: Brad Spengler +Date: Sun Sep 15 09:19:21 2013 -0400 + + remove unnecessary check from when protocol was signed + + Signed-off-by: Brad Spengler + + net/phonet/af_phonet.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c8991fc98b032a2338b9fda708d2dad227fbcd83 +Author: Brad Spengler +Date: Sat Sep 14 21:12:45 2013 -0400 + + Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) + + Signed-off-by: Brad Spengler + + lib/Kconfig.debug | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c63230b915355cea2649fac21c9469a8c3f88876 +Author: Brad Spengler +Date: Sat Sep 14 19:16:48 2013 -0400 + + Fix a bad git merge, re-applied a previously reverted patch + + Signed-off-by: Brad Spengler + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 0dcfe7e8eac4751d2bbabc48fb63a0118bb353eb +Author: Brad Spengler +Date: Sat Sep 14 16:56:37 2013 -0400 + + finish porting namei.c + + Signed-off-by: Brad Spengler + + fs/namei.c | 12 +++++++++++- + 1 files changed, 11 insertions(+), 1 deletions(-) + +commit 89d5374f91319363bb79c916764c747f3229759c +Author: Brad Spengler +Date: Sat Sep 14 16:44:08 2013 -0400 + + cred->user -> current_user() + + Signed-off-by: Brad Spengler + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit fefeb37bc66cf8e1b8c32a1f1e9776f6b701b245 +Author: Brad Spengler +Date: Sat Sep 14 16:36:24 2013 -0400 + + Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit e4a184da44ae23ab3ee9e250d4bc38050e4a3533 +Author: Brad Spengler +Date: Thu Sep 5 19:36:23 2013 -0400 + + fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit c96e77a4ec0b7045e4e3e8f6d33937c078a79cb6 +Author: Brad Spengler +Date: Thu Sep 5 19:17:02 2013 -0400 + + Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) + + Signed-off-by: Brad Spengler + + grsecurity/grsec_sysctl.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit 600c8f5a6a7b57e4ecbb16d10eab3bdfae399299 +Author: Brad Spengler +Date: Thu Sep 5 18:41:49 2013 -0400 + + Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts + + Also eliminate reset_security_ops() as a ROP target when + SECURITY_SELINUX_DISABLE is disabled as it's the only user + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 17 ++++++++++++++++- + grsecurity/grsec_init.c | 3 +++ + grsecurity/grsec_sysctl.c | 2 +- + 3 files changed, 20 insertions(+), 2 deletions(-) + +commit 979cb67c276ef34486ed64bb58ed30020bc8a53f +Author: Brad Spengler +Date: Fri Aug 30 17:11:11 2013 -0400 + + fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast + + Signed-off-by: Brad Spengler + + grsecurity/grsec_sysctl.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit d259a636db5500db5e3ddacab82857db244bf46f +Author: Brad Spengler +Date: Wed Aug 28 20:42:39 2013 -0400 + + add export of gr_handle_new_usb() + + Signed-off-by: Brad Spengler + + grsecurity/grsec_usb.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 73872d212f992833add967be12de9628941bdd5b +Author: Brad Spengler +Date: Wed Aug 28 19:24:47 2013 -0400 + + Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it + + Signed-off-by: Brad Spengler + + drivers/usb/core/hub.c | 5 +++++ + grsecurity/Kconfig | 20 ++++++++++++++++++++ + grsecurity/Makefile | 3 ++- + grsecurity/grsec_init.c | 1 + + grsecurity/grsec_sysctl.c | 11 +++++++++++ + grsecurity/grsec_usb.c | 13 +++++++++++++ + include/linux/grinternal.h | 1 + + include/linux/grsecurity.h | 2 ++ + 8 files changed, 55 insertions(+), 1 deletions(-) + +commit 57a621395b231025d33da789f7593da0e9c591a4 +Author: Kees Cook +Date: Wed Aug 14 09:14:34 2013 -0700 + + HID: steelseries: validate output report details + + A HID device could send a malicious output report that would cause the + steelseries HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 + ... + [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + + CVE-2013-2891 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-steelseries.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 6261da1c18366e4b2e0ff28781e0a769a2d31d1b +Author: Kees Cook +Date: Thu Aug 15 23:21:23 2013 -0700 + + HID: lenovo-tpkbd: validate output report details + + A HID device could send a malicious output report that would cause the + lenovo-tpkbd HID driver to write just beyond the output report allocation + during initialization, causing a heap overflow: + + [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 + ... + [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2894 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 9a7678270debd6b7c14ed1e91fb502d73bfaee08 +Author: Kees Cook +Date: Fri Aug 16 00:11:32 2013 -0700 + + HID: multitouch: validate feature report details + + When working on report indexes, always validate that they are in bounds. + Without this, a HID device could report a malicious feature report that + could trick the driver into a heap overflow: + + [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 + ... + [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2897 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 files changed, 20 insertions(+), 5 deletions(-) + +commit efb7731d700d5b4568871670ac0841a84f003029 +Author: Brad Spengler +Date: Mon Aug 19 22:10:04 2013 -0400 + + fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs + + Signed-off-by: Brad Spengler + + arch/x86/kernel/smpboot.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 3469d59da7f6bd0c5838764e5b06bad97193f628 +Author: Brad Spengler +Date: Sat Aug 17 12:00:20 2013 -0400 + + make kallsyms_lookup_size_offset available to approved source files + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 03b91bfc983379670fd439b2b3fbec633ea6468d +Author: Brad Spengler +Date: Sat Aug 17 11:18:09 2013 -0400 + + allow use of kallsyms_lookup_name to approved source files + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 2e9828b85e2ab096affe9e8b52cd68d7a0d8839d +Author: Johannes Berg +Date: Tue Aug 13 09:04:05 2013 +0200 + + Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db + + genetlink: fix family dump race + + When dumping generic netlink families, only the first dump call + is locked with genl_lock(), which protects the list of families, + and thus subsequent calls can access the data without locking, + racing against family addition/removal. This can cause a crash. + Fix it - the locking needs to be conditional because the first + time around it's already locked. + + A similar bug was reported to me on an old kernel (3.4.47) but + the exact scenario that happened there is no longer possible, + on those kernels the first round wasn't locked either. Looking + at the current code I found the race described above, which had + also existed on the old kernel. + + Cc: stable@vger.kernel.org + Reported-by: Andrei Otcheretianski + Signed-off-by: Johannes Berg + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/netlink/genetlink.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit aeddd9080b145f520dfdba52e07ffe7ac5c2940a +Author: Brad Spengler +Date: Sat Aug 17 08:58:34 2013 -0400 + + Fix two harmless compiler warnings + + Signed-off-by: Brad Spengler + + arch/arm/kernel/process.c | 4 ++-- + fs/exec.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 8953b010e785f55d35e96de6d7913b7e6791d9f9 +Author: Brad Spengler +Date: Fri Aug 16 22:46:01 2013 -0400 + + Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 2 +- + kernel/kprobes.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletions(-) + +commit 346b6fb51f351bc8a2e52c158794c863b88c730b +Author: Brad Spengler +Date: Sat Aug 10 09:41:40 2013 -0400 + + propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages + + Signed-off-by: Brad Spengler + + arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit 5a95c583a8e74e8b980ae810c3755d7490f9f208 +Author: Brad Spengler +Date: Mon Aug 5 17:58:42 2013 -0400 + + Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 + + Signed-off-by: Brad Spengler + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit be64e6e8a615622f5c8b8feefdbae24dfe1eb13a +Author: Brad Spengler +Date: Mon Aug 5 17:26:40 2013 -0400 + + Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. + + Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to + user namespaces! + + Signed-off-by: Brad Spengler + + kernel/fork.c | 17 ----------------- + kernel/user_namespace.c | 15 +++++++++++++++ + 2 files changed, 15 insertions(+), 17 deletions(-) + +commit bf41ff82977f5629d76e58b4eec76e78b6e0794c +Author: Brad Spengler +Date: Mon Aug 5 16:05:41 2013 -0400 + + silence a warning on older gcc + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 80c4d845fa846426a226c1807310670fdc3f4fb9 +Author: Brad Spengler +Date: Sat Aug 3 08:31:08 2013 -0400 + + we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs + + Signed-off-by: Brad Spengler + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 29f82c7cc74a11260863cea855cb7bb7b79506db +Author: Brad Spengler +Date: Fri Aug 2 23:54:51 2013 -0400 + + add include + + Signed-off-by: Brad Spengler + + grsecurity/grsec_log.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit b313d3d863fe87ecf4f79f61e9670955df66685e +Author: Brad Spengler +Date: Fri Aug 2 23:49:13 2013 -0400 + + fix compilation + + Signed-off-by: Brad Spengler + + include/linux/grinternal.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit e0b580d61744ac72ba2275fb5211de2bfc570058 +Author: Brad Spengler +Date: Fri Aug 2 23:34:35 2013 -0400 + + Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping + + Signed-off-by: Brad Spengler + + fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ + fs/exec.c | 4 ++++ + grsecurity/Kconfig | 21 +++++---------------- + grsecurity/grsec_init.c | 4 ---- + grsecurity/grsec_log.c | 14 ++++++++++++++ + grsecurity/grsec_pax.c | 19 ++++++++++++++----- + grsecurity/grsec_sysctl.c | 9 --------- + include/linux/binfmts.h | 1 + + include/linux/grinternal.h | 2 +- + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 3 ++- + mm/mmap.c | 7 +++++++ + mm/mprotect.c | 2 +- + 13 files changed, 88 insertions(+), 38 deletions(-) + +commit 2860f00640ffc0745e102fc8eea1b4787747a34f +Author: Brad Spengler +Date: Thu Aug 1 18:52:02 2013 -0400 + + add missing #define + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 271a28185b48e1c659c497837e26350f0b98b56b +Author: Brad Spengler +Date: Thu Aug 1 18:43:53 2013 -0400 + + fix compilation for !COMPAT as reported on the forums + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- + 1 files changed, 97 insertions(+), 98 deletions(-) + +commit c7b8b1a6d33fb9f2f33b6661d98ccf034bc4fa88 +Author: Brad Spengler +Date: Wed Jul 31 17:47:20 2013 -0400 + + Revert "revert recent PaX change that causes boot failures with 32bit userland" + + This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. + + Signed-off-by: Brad Spengler + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 506d84be8c4e9db0b655d3f6da2cec92482b610f +Author: Brad Spengler +Date: Wed Jul 31 16:26:58 2013 -0400 + + compile fix for !COMPAT as mentioned on forums + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 7b7d053d1c9209c6810ee0e82d902d633df55114 +Author: Brad Spengler +Date: Tue Jul 30 22:33:14 2013 -0400 + + perform compat conversion of rlimit infinity + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit f9503913fa6c0b461e5a6c991eb04b8e369e0dd2 +Author: Brad Spengler +Date: Tue Jul 30 22:21:40 2013 -0400 + + remove debugging + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- + 1 files changed, 11 insertions(+), 33 deletions(-) + +commit 4d203a112c51248189db81e89926ed2ccbbf3727 +Author: Brad Spengler +Date: Tue Jul 30 22:20:32 2013 -0400 + + eliminate compat_dev_t + + Signed-off-by: Brad Spengler + + include/linux/gracl_compat.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 98cc5ab35c0f012765475db240189e0d72e9e936 +Author: Brad Spengler +Date: Tue Jul 30 22:13:22 2013 -0400 + + fix compat rlimit size + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- + include/linux/gracl_compat.h | 4 +- + 2 files changed, 49 insertions(+), 23 deletions(-) + +commit aa8d1edbfb648b1b942996d59fa446fd830df989 +Author: Brad Spengler +Date: Tue Jul 30 21:20:18 2013 -0400 + + compile fix + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 28b7a6a844d93d88bb83383bb6273cdc22c595ad +Author: Brad Spengler +Date: Tue Jul 30 21:14:29 2013 -0400 + + copy correct pointer size in new compat code + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 8 ++++---- + grsecurity/gracl_compat.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 9490ca70e30846522d28b6f9ca7caf28cdb7b9e3 +Author: Brad Spengler +Date: Tue Jul 30 19:15:50 2013 -0400 + + compile fix + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 5f7d6c7e7e4ef41577b73936595ed1f28649e9e9 +Author: Brad Spengler +Date: Tue Jul 30 19:12:46 2013 -0400 + + remove BUILD_BUG_ONs + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 20 -------------------- + 1 files changed, 0 insertions(+), 20 deletions(-) + +commit 91c416711e2e713d870dc52ce17af0607a82cb75 +Author: Brad Spengler +Date: Tue Jul 30 00:18:36 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 8 ++++---- + include/linux/gracl_compat.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 99cad551389634d849387cf5e2054d9aa2c1c1b4 +Author: Brad Spengler +Date: Tue Jul 30 00:16:42 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_compat.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 9ec58c4629d5aba15d09d4a740b83bf4cdb6da90 +Author: Brad Spengler +Date: Tue Jul 30 00:13:51 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit dd368be2aef36cae4f997fc798087069fb64d442 +Author: Brad Spengler +Date: Tue Jul 30 00:11:03 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 8970e77a91e35ddac604cf96462c600651e94baa +Author: Brad Spengler +Date: Tue Jul 30 00:08:21 2013 -0400 + + more compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 28 ++++++++++++++-------------- + 1 files changed, 14 insertions(+), 14 deletions(-) + +commit d5711d44bf668cdc5d29383e5e16ff884f1991ee +Author: Brad Spengler +Date: Mon Jul 29 23:59:50 2013 -0400 + + more compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit f9bf16c3f73ff249219c1a7d457f10b5f5448da1 +Author: Brad Spengler +Date: Mon Jul 29 23:56:47 2013 -0400 + + additional compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 files changed, 49 insertions(+), 10 deletions(-) + +commit afb88b8065edeb572c4d7992c6916d19a8bbc483 +Author: Brad Spengler +Date: Mon Jul 29 23:47:15 2013 -0400 + + fix typo + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 981fbde7260e575f99c7c9fc83239fca752cb543 +Author: Brad Spengler +Date: Mon Jul 29 23:46:59 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 14 deletions(-) + +commit c3ebfc69b7c5c12f54ee8b2c34776c503eb825f5 +Author: Brad Spengler +Date: Mon Jul 29 23:22:44 2013 -0400 + + Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel + + Also removed code duplication for copying strings into the kernel + + Work performed as part of sponsorship + + Signed-off-by: Brad Spengler + + grsecurity/Makefile | 4 + + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- + grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ + include/linux/gracl_compat.h | 156 +++++++++++++++++++++ + 4 files changed, 603 insertions(+), 142 deletions(-) + +commit 5f3672544ae20bb1a595a849b304d1c168254e2b +Author: Brad Spengler +Date: Tue Jul 16 20:40:24 2013 -0400 + + allow viewing of ecryptfs version under SYSFS_RESTRICT + + Signed-off-by: Brad Spengler + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f892f6cf3070e516828ef6b81c39abdec77d7e93 +Author: Brad Spengler +Date: Sun Jul 14 11:49:17 2013 -0400 + + Update PaX fix, just return the error + + Signed-off-by: Brad Spengler + + mm/madvise.c | 11 +++++------ + 1 files changed, 5 insertions(+), 6 deletions(-) + +commit bacca56a4c5ce1734004a310588d710ab642c14d +Author: Brad Spengler +Date: Sun Jul 14 11:36:00 2013 -0400 + + Fix madvise oops reported by Peter Keel + + Signed-off-by: Brad Spengler + + mm/madvise.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit bb802e55264979a3517687cc4e3ea4043187a4d6 +Author: Brad Spengler +Date: Tue Jul 9 22:04:59 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + fs/exec.c | 2 +- + mm/mmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 80af0d78732fcd1345751765d6bdba75e4453096 +Author: Brad Spengler +Date: Sat Sep 14 16:15:10 2013 -0400 + + Initial port of grsecurity to 3.11 using new git method + + Signed-off-by: Brad Spengler + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 3 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 13 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 1 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/cdrom/cdrom.c | 2 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 14 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 1 + + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 3 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 11 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 184 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 218 ++- + fs/namespace.c | 16 + + fs/open.c | 38 + + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 166 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 2 +- + grsecurity/gracl_fs.c | 6 +- + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/perf_event.h | 13 +- + include/linux/printk.h | 3 +- + include/linux/sched.h | 24 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 40 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 64 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/locking/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 2 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 7 + + kernel/printk/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 69 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 1 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 63 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev_ioctl.c | 4 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 4 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netrom/af_netrom.c | 1 - + net/phonet/af_phonet.c | 2 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 341 +++- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 229 files changed, 4100 insertions(+), 2025 deletions(-) + +commit 75586073addae35174967d77e1b985e6b534e3f8 +Author: Brad Spengler +Date: Tue Jul 9 20:57:40 2013 -0400 + + Commit merge of new files and rejected patches + + Signed-off-by: Brad Spengler + + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/kernel/process.c | 4 +- + arch/powerpc/include/asm/thread_info.h | 7 +- + arch/powerpc/mm/slice.c | 2 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/x86/kernel/vm86_32.c | 15 + + fs/coredump.c | 1 + + fs/ext4/balloc.c | 4 +- + fs/namei.c | 7 + + fs/namespace.c | 8 + + fs/pipe.c | 2 +- + fs/proc/inode.c | 13 + + fs/proc/internal.h | 3 + + grsecurity/Kconfig | 1054 +++++++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 ++++ + grsecurity/gracl_ip.c | 387 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 434 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 +++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 +++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 246 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/gracl.h | 319 +++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 ++ + include/linux/grinternal.h | 227 ++ + include/linux/grmsg.h | 112 + + include/linux/grsecurity.h | 241 ++ + include/linux/grsock.h | 19 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/proc_fs.h | 13 + + include/linux/sched.h | 48 +- + include/trace/events/fs.h | 53 + + kernel/kmod.c | 7 +- + kernel/panic.c | 2 +- + kernel/posix-timers.c | 1 + + kernel/time/timekeeping.c | 2 + + lib/Kconfig.debug | 2 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/mmap.c | 13 +- + mm/shmem.c | 2 +- + net/core/net-procfs.c | 5 + + net/ipv6/udp.c | 3 + + net/netfilter/xt_gradm.c | 51 + + 66 files changed, 11184 insertions(+), 21 deletions(-) + +commit 0100435c11a01cfbedea13ac5aebd38fb03309b4 +Author: Brad Spengler +Date: Sat Jan 25 17:32:18 2014 -0500 + + Initial import of pax-linux-3.13-test2.patch + + Documentation/dontdiff | 47 +- + Documentation/kernel-parameters.txt | 23 + + Makefile | 102 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 442 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 3 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 54 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 95 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 110 +- + arch/arm/kernel/entry-common.S | 40 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 3 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/module.c | 31 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/process.c | 42 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 35 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 24 +- + arch/arm/kvm/arm.c | 8 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 4 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 6 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/cache-l2x0.c | 2 +- + arch/arm/mm/context.c | 10 +- + arch/arm/mm/fault.c | 140 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 185 +- + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 728 +++- + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/local.h | 57 + + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/include/asm/smtc_proc.h | 2 +- + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/irq.c | 6 +- + arch/mips/kernel/process.c | 12 - + arch/mips/kernel/smtc-proc.c | 6 +- + arch/mips/kernel/smtc.c | 2 +- + arch/mips/kernel/sync-r4k.c | 24 +- + arch/mips/kernel/traps.c | 13 +- + arch/mips/mm/fault.c | 25 + + arch/mips/mm/mmap.c | 51 +- + arch/mips/sgi-ip27/ip27-nmi.c | 6 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 15 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap.c | 16 + + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/smp_64.c | 12 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 52 +- + arch/sparc/kernel/traps_64.c | 27 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 + + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/sparc/mm/init_64.c | 10 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 16 +- + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 2 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 6 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 106 +- + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +- + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +- + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 10 +- + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +- + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 173 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 269 +- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 166 +- + arch/x86/include/asm/bitops.h | 18 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/calling.h | 118 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 16 +- + arch/x86/include/asm/desc.h | 78 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 8 +- + arch/x86/include/asm/futex.h | 20 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 106 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 136 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 15 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 124 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/preempt.h | 2 +- + arch/x86/include/asm/processor.h | 79 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rmwcc.h | 84 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 29 +- + arch/x86/include/asm/smap.h | 64 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/tlbflush.h | 74 +- + arch/x86/include/asm/uaccess.h | 162 +- + arch/x86/include/asm/uaccess_32.h | 24 +- + arch/x86/include/asm/uaccess_64.h | 177 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xen/page.h | 2 +- + arch/x86/include/asm/xsave.h | 14 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/include/uapi/asm/ptrace-abi.h | 1 - + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 69 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 132 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 356 ++- + arch/x86/kernel/entry_64.S | 736 +++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 228 +- + arch/x86/kernel/head_64.S | 136 +- + arch/x86/kernel/i386_ksyms_32.c | 12 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 67 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/jump_label.c | 8 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 20 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 42 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/relocate_kernel_64.S | 5 +- + arch/x86/kernel/setup.c | 63 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 28 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 12 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/tracepoint.c | 4 +- + arch/x86/kernel/traps.c | 62 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 147 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 6 +- + arch/x86/kernel/x86_init.c | 6 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 63 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 20 +- + arch/x86/lib/copy_user_64.S | 81 +- + arch/x86/lib/copy_user_nocache_64.S | 14 + + arch/x86/lib/csum-copy_64.S | 18 +- + arch/x86/lib/csum-wrappers_64.c | 8 +- + arch/x86/lib/getuser.S | 74 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 10 +- + arch/x86/lib/memmove_64.S | 4 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 2 + + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 12 +- + arch/x86/lib/usercopy_32.c | 357 +- + arch/x86/lib/usercopy_64.c | 18 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 564 ++- + arch/x86/mm/gup.c | 6 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 101 +- + arch/x86/mm/init_32.c | 111 +- + arch/x86/mm/init_64.c | 45 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 36 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 151 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/mm/uderef_64.c | 37 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 38 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/intel_mid_pci.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/intel-mid/intel-mid.c | 3 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 3 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 45 +- + arch/x86/xen/mmu.c | 11 +- + arch/x86/xen/smp.c | 21 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-cgroup.c | 4 +- + block/blk-iopoll.c | 2 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 2 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/genhd.c | 9 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 29 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 2 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/ghes.c | 4 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 12 +- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_nl.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/null_blk.c | 27 +- + drivers/block/pktcdvd.c | 4 +- + drivers/bluetooth/btwilink.c | 2 +- + drivers/bus/arm-cci.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 43 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 12 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clk/socfpga/clk.c | 9 +- + drivers/cpufreq/acpi-cpufreq.c | 13 +- + drivers/cpufreq/cpufreq.c | 11 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 4 +- + drivers/cpufreq/cpufreq_ondemand.c | 10 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/intel_pstate.c | 25 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 70 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/driver.c | 2 +- + drivers/cpuidle/governor.c | 2 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/crypto/hifn_795x.c | 4 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdmac.c | 2 +- + drivers/edac/edac_device.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci.c | 4 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 6 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 2 +- + drivers/firmware/efi/cper.c | 8 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 4 +- + drivers/gpu/drm/drm_fops.c | 12 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 26 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- + drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- + drivers/gpu/drm/qxl/qxl_drv.h | 8 +- + drivers/gpu/drm/qxl/qxl_irq.c | 16 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 61 +- + drivers/gpu/drm/tegra/dc.c | 2 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/gpu/vga/vga_switcheroo.c | 4 +- + drivers/hid/hid-core.c | 4 +- + drivers/hid/uhid.c | 6 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hv_balloon.c | 18 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/nct6775.c | 6 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mcg.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- + drivers/infiniband/hw/mthca/mthca_main.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- + drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/misc/ims-pcu.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/input/serio/serio_raw.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_common.c | 2 + + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/isdn/mISDN/dsp_cmx.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stats.c | 6 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 4 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/platform/vivi.c | 4 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/rc/rc-main.c | 4 +- + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- + drivers/media/v4l2-core/v4l2-device.c | 4 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 67 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/max8925-i2c.c | 2 +- + drivers/mfd/tps65910.c | 2 +- + drivers/mfd/twl4030-irq.c | 9 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/mmci.c | 4 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_netlink.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/usb/sierra_net.c | 4 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wimax/i2400m/rx.c | 2 +- + drivers/net/wireless/airo.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath10k/htc.c | 7 +- + drivers/net/wireless/ath/ath10k/htc.h | 4 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/b43/phy_lp.c | 2 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/nfc/nfcwilink.c | 2 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 6 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/chrome/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/msi-wmi.c | 2 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/powercap/powercap_sys.c | 136 +- + drivers/regulator/core.c | 4 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/android/timed_output.c | 6 +- + drivers/staging/gdm724x/gdm_tty.c | 2 +- + drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- + drivers/staging/lustre/lnet/selftest/framework.c | 4 - + drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- + drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- + drivers/staging/lustre/lustre/include/obd.h | 2 +- + .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- + drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/target/sbp/sbp_target.c | 4 +- + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/hvc/hvsi.c | 12 +- + drivers/tty/hvc/hvsi_lib.c | 4 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 5 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/ioc4_serial.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/msm_serial.c | 4 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 8 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 15 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/devio.c | 10 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 6 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/dwc3/gadget.c | 2 - + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/host/ehci-hub.c | 4 +- + drivers/usb/misc/appledisplay.c | 4 +- + drivers/usb/serial/console.c | 8 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vfio/vfio.c | 2 +- + drivers/vhost/vringh.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbmem.c | 6 +- + drivers/video/hyperv_fb.c | 4 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/omap2/dss/display.c | 8 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/afs/inode.c | 4 +- + fs/aio.c | 2 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 6 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 678 +++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/delayed-inode.c | 6 +- + fs/btrfs/delayed-inode.h | 4 +- + fs/btrfs/super.c | 2 +- + fs/buffer.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/ceph/super.c | 4 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/file.c | 10 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 4 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 16 +- + fs/dcache.c | 5 +- + fs/ecryptfs/inode.c | 2 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 ++- + fs/ext2/xattr.c | 5 +- + fs/ext3/xattr.c | 5 +- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/ext4/xattr.c | 5 +- + fs/fhandle.c | 3 +- + fs/file.c | 4 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 40 +- + fs/fscache/internal.h | 200 +- + fs/fscache/object.c | 26 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/hostfs/hostfs_kern.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 12 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 16 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 2 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 2 +- + fs/ntfs/super.c | 6 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 59 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 12 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 4 +- + fs/splice.c | 41 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 16 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_readdir.c | 7 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 212 +- + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/bitops/__fls.h | 2 +- + include/asm-generic/bitops/fls.h | 2 +- + include/asm-generic/bitops/fls64.h | 4 +- + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 16 + + include/asm-generic/uaccess.h | 16 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 15 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/i915_pciids.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/audit.h | 2 +- + include/linux/binfmts.h | 3 +- + include/linux/bitops.h | 6 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 8 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 4 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 12 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fdtable.h | 2 +- + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 4 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 6 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 12 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/jiffies.h | 12 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/linkage.h | 1 + + include/linux/list.h | 15 + + include/linux/math64.h | 10 +- + include/linux/mempolicy.h | 7 + + include/linux/mm.h | 118 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/padata.h | 2 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/pm.h | 1 + + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/preempt.h | 19 + + include/linux/proc_ns.h | 2 +- + include/linux/quota.h | 2 +- + include/linux/random.h | 23 +- + include/linux/rculist.h | 20 +- + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 68 +- + include/linux/sched/sysctl.h | 1 + + include/linux/security.h | 2 - + include/linux/semaphore.h | 2 +- + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 48 +- + include/linux/slab_def.h | 14 +- + include/linux/slub_def.h | 2 +- + include/linux/smp.h | 2 + + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 18 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 9 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vga_switcheroo.h | 8 +- + include/linux/vmalloc.h | 7 +- + include/linux/vmstat.h | 24 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-device.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 17 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 20 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 4 +- + include/net/netns/ipv6.h | 4 +- + include/net/ping.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/checksum.h | 4 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 8 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 13 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 2 - + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 42 +- + init/main.c | 78 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 10 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 38 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/events/internal.h | 10 +- + kernel/events/uprobes.c | 2 +- + kernel/exit.c | 4 +- + kernel/fork.c | 166 +- + kernel/futex.c | 11 +- + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 2 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 +- + kernel/locking/lockdep.c | 7 +- + kernel/locking/mutex-debug.c | 12 +- + kernel/locking/mutex-debug.h | 4 +- + kernel/locking/mutex.c | 10 +- + kernel/locking/rtmutex-tester.c | 24 +- + kernel/module.c | 337 +- + kernel/notifier.c | 17 +- + kernel/padata.c | 4 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 24 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcu/srcu.c | 4 +- + kernel/rcu/tiny.c | 4 +- + kernel/rcu/torture.c | 56 +- + kernel/rcu/tree.c | 76 +- + kernel/rcu/tree.h | 26 +- + kernel/rcu/tree_plugin.h | 40 +- + kernel/rcu/tree_trace.c | 22 +- + kernel/rcu/update.c | 4 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/completion.c | 6 +- + kernel/sched/core.c | 43 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 12 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 14 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 34 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_clock.c | 4 +- + kernel/trace/trace_events.c | 1 - + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/percpu-refcount.c | 2 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 10 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 3 +- + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 28 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 25 + + mm/mlock.c | 15 +- + mm/mmap.c | 583 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 42 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 44 +- + mm/shmem.c | 19 +- + mm/slab.c | 106 +- + mm/slab.h | 15 +- + mm/slab_common.c | 60 +- + mm/slob.c | 206 +- + mm/slub.c | 88 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 2 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 75 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/fragmentation.c | 2 +- + net/batman-adv/soft-interface.c | 6 +- + net/batman-adv/types.h | 6 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 4 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/ceph/messenger.c | 4 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/netpoll.c | 4 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/skbuff.c | 8 +- + net/core/sock.c | 28 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 20 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 14 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 20 +- + net/ipv4/sysctl_net_ipv4.c | 37 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 18 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/af_inet6.c | 2 +- + net/ipv6/datagram.c | 2 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ip6_vti.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/output_core.c | 15 +- + net/ipv6/ping.c | 28 +- + net/ipv6/raw.c | 17 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 6 +- + net/ipv6/xfrm6_policy.c | 17 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 10 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/packet/af_packet.c | 8 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 8 +- + net/socket.c | 18 +- + net/sunrpc/auth_gss/svcauth_gss.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/svcauth_unix.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 22 +- + net/xfrm/xfrm_state.c | 33 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/module-common.lds | 4 + + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 689 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/security.c | 9 +- + security/selinux/avc.c | 6 +- + security/selinux/hooks.c | 11 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/hda/hda_codec.c | 8 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 2 +- + sound/soc/soc-core.c | 6 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 172 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 557 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 474 ++ + tools/gcc/latent_entropy_plugin.c | 335 ++ + tools/gcc/size_overflow_hash.data | 5618 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 4072 ++++++++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 277 + + tools/lib/lk/Makefile | 2 +- + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 44 +- + 1716 files changed, 34523 insertions(+), 8024 deletions(-) +commit 512ab625d6d34c2f8602a044454bb1366b80b98e +Author: Brad Spengler +Date: Sat Jan 25 14:54:11 2014 -0500 + + Fix another compiler error caught by RANDSTRUCT + + sound/isa/sb/emu8000_synth.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 43bd0a97d977b78f2a54045bbf98ee967209c144 +Author: Brad Spengler +Date: Sat Jan 25 14:34:12 2014 -0500 + + Fix another compiler error caught by RANDSTRUCT + + drivers/net/wan/z85230.c | 24 ++++++++++++------------ + 1 files changed, 12 insertions(+), 12 deletions(-) + +commit e833f51aa919e2c94bb7ac6979a68cf3f4fcc131 +Author: Brad Spengler +Date: Sat Jan 25 14:30:46 2014 -0500 + + fix compilation with RANDSTRUCT plugin + + sound/drivers/opl4/opl4_seq.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 743f2ccb4dc72e6366e0cf0b371d37951c67ce0d +Author: Brad Spengler +Date: Sat Jan 25 14:16:18 2014 -0500 + + avoid problems by just building our fake field decl node from scratch + + tools/gcc/randomize_layout_plugin.c | 10 +++++----- + 1 files changed, 5 insertions(+), 5 deletions(-) + +commit 9345145bb31148c2fb4918fe989d45bbf1219373 +Author: Brad Spengler +Date: Sat Jan 25 13:45:18 2014 -0500 + + while in non-debug mode, don't emit notes for non-randomized struct types + + clear all signs from our fake field decl of being a bitfield + + tools/gcc/randomize_layout_plugin.c | 11 +++++++++++ + 1 files changed, 11 insertions(+), 0 deletions(-) + +commit 946d2d5cafa4f123f6ee36596f67cf8571e461b4 +Author: Brad Spengler +Date: Sat Jan 25 12:56:05 2014 -0500 + + revert change to read-only marking of fake struct field + + tools/gcc/randomize_layout_plugin.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c947104c6a4c0e05ed6440287ad8872e2cbdb2f3 +Author: Brad Spengler +Date: Sat Jan 25 12:42:48 2014 -0500 + + Update RANDSTRUCT plugin help + + tools/gcc/randomize_layout_plugin.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 3757914c9c5d2278f93a3a8dc7d19847c6ee8e3a +Author: Brad Spengler +Date: Sat Jan 25 12:25:43 2014 -0500 + + Introduce GRKERNSEC_RANDSTRUCT: + automatic structure layout randomization of pure ops structs + randomization of marked sensitive kernel structures + + automatically enabled by GRKERNSEC_CONFIG_AUTO + performance mode is activated if the config priority is set to performance + + Documentation/dontdiff | 1 + + Makefile | 12 +- + arch/x86/include/asm/floppy.h | 20 +- + arch/x86/include/asm/paravirt_types.h | 23 +- + arch/x86/include/asm/processor.h | 2 +- + drivers/acpi/acpica/hwxfsleep.c | 11 +- + drivers/block/cciss.h | 30 +- + drivers/block/drbd/drbd_interval.c | 6 +- + drivers/block/smart1,2.h | 40 +- + drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- + drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- + drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- + drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- + drivers/infiniband/hw/nes/nes_cm.c | 22 +- + drivers/isdn/gigaset/bas-gigaset.c | 32 +- + drivers/isdn/gigaset/ser-gigaset.c | 32 +- + drivers/isdn/gigaset/usb-gigaset.c | 32 +- + drivers/isdn/i4l/isdn_concap.c | 6 +- + drivers/isdn/i4l/isdn_x25iface.c | 16 +- + drivers/misc/sgi-xp/xp_main.c | 12 +- + drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- + drivers/net/wan/lmc/lmc_media.c | 97 ++-- + drivers/scsi/bfa/bfa_fcs.c | 19 +- + drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- + drivers/scsi/bfa/bfa_modules.h | 12 +- + drivers/scsi/hpsa.h | 20 +- + drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- + drivers/staging/lustre/lustre/libcfs/module.c | 10 +- + drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- + drivers/video/matrox/matroxfb_DAC1064.c | 10 +- + drivers/video/matrox/matroxfb_Ti3026.c | 5 +- + fs/mount.h | 4 +- + fs/proc/internal.h | 4 +- + fs/reiserfs/item_ops.c | 24 +- + grsecurity/Kconfig | 31 +- + include/linux/compiler-gcc4.h | 5 + + include/linux/compiler.h | 8 + + include/linux/cred.h | 4 +- + include/linux/dcache.h | 2 +- + include/linux/fs.h | 14 +- + include/linux/fs_struct.h | 2 +- + include/linux/ipc_namespace.h | 2 +- + include/linux/kobject.h | 2 +- + include/linux/mm_types.h | 4 +- + include/linux/module.h | 4 +- + include/linux/mount.h | 2 +- + include/linux/pid_namespace.h | 2 +- + include/linux/proc_ns.h | 2 +- + include/linux/rbtree_augmented.h | 4 +- + include/linux/sched.h | 6 +- + include/linux/sysctl.h | 2 +- + include/linux/tty.h | 2 +- + include/linux/tty_driver.h | 2 +- + include/linux/user_namespace.h | 2 +- + include/linux/utsname.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 2 +- + lib/rbtree.c | 4 +- + net/atm/lec.c | 6 +- + net/atm/mpoa_caches.c | 42 +- + net/decnet/dn_dev.c | 2 +- + net/vmw_vsock/vmci_transport_notify.c | 30 +- + net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- + net/x25/sysctl_net_x25.c | 2 +- + scripts/Makefile | 2 + + scripts/gen-random-seed.sh | 8 + + sound/core/seq/oss/seq_oss.c | 4 +- + sound/core/seq/seq_midi.c | 4 +- + sound/drivers/opl3/opl3_seq.c | 4 +- + sound/pci/emu10k1/emu10k1_synth.c | 4 +- + sound/synth/emux/emux_seq.c | 14 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 2 + + tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++ + 74 files changed, 1222 insertions(+), 390 deletions(-) + +commit 44ebc77fd9886fdebf8e3942a935cbe2f3272c3d +Author: Brad Spengler +Date: Sun Jan 19 09:27:31 2014 -0500 + + add PRNG self-tests + + lib/random32.c | 207 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 files changed, 197 insertions(+), 10 deletions(-) + +commit 7780c290ada57bac294c5a7e5b0286dd604920c5 +Author: Brad Spengler +Date: Sun Jan 19 09:00:56 2014 -0500 + + compile fix + + include/linux/random.h | 4 ---- + include/uapi/linux/random.h | 2 +- + 2 files changed, 1 insertions(+), 5 deletions(-) + +commit 4c4359a96c7b208513eb3563c90558cd5d2ca1a0 +Author: Daniel Borkmann +Date: Mon Nov 11 12:20:36 2013 +0100 + + Upstream commit: a98814cef87946d2708812ad9f8b1e03b8366b6f + + random32: upgrade taus88 generator to taus113 from errata paper + + Since we use prandom*() functions quite often in networking code + i.e. in UDP port selection, netfilter code, etc, upgrade the PRNG + from Pierre L'Ecuyer's original paper "Maximally Equidistributed + Combined Tausworthe Generators", Mathematics of Computation, 65, + 213 (1996), 203--213 to the version published in his errata paper [1]. + + The Tausworthe generator is a maximally-equidistributed generator, + that is fast and has good statistical properties [1]. + + The version presented there upgrades the 3 state LFSR to a 4 state + LFSR with increased periodicity from about 2^88 to 2^113. The + algorithm is presented in [1] by the very same author who also + designed the original algorithm in [2]. + + Also, by increasing the state, we make it a bit harder for attackers + to "guess" the PRNGs internal state. See also discussion in [3]. + + Now, as we use this sort of weak initialization discussed in [3] + only between core_initcall() until late_initcall() time [*] for + prandom32*() users, namely in prandom_init(), it is less relevant + from late_initcall() onwards as we overwrite seeds through + prandom_reseed() anyways with a seed source of higher entropy, that + is, get_random_bytes(). In other words, a exhaustive keysearch of + 96 bit would be needed. Now, with the help of this patch, this + state-search increases further to 128 bit. Initialization needs + to make sure that s1 > 1, s2 > 7, s3 > 15, s4 > 127. + + taus88 and taus113 algorithm is also part of GSL. I added a test + case in the next patch to verify internal behaviour of this patch + with GSL and ran tests with the dieharder 3.31.1 RNG test suite: + + $ dieharder -g 052 -a -m 10 -s 1 -S 4137730333 #taus88 + $ dieharder -g 054 -a -m 10 -s 1 -S 4137730333 #taus113 + + With this seed configuration, in order to compare both, we get + the following differences: + + algorithm taus88 taus113 + rands/second [**] 1.61e+08 1.37e+08 + sts_serial(4, 1st run) WEAK PASSED + sts_serial(9, 2nd run) WEAK PASSED + rgb_lagged_sum(31) WEAK PASSED + + We took out diehard_sums test as according to the authors it is + considered broken and unusable [4]. Despite that and the slight + decrease in performance (which is acceptable), taus113 here passes + all 113 tests (only rgb_minimum_distance_5 in WEAK, the rest PASSED). + In general, taus/taus113 is considered "very good" by the authors + of dieharder [5]. + + The papers [1][2] states a single warm-up step is sufficient by + running quicktaus once on each state to ensure proper initialization + of ~s_{0}: + + Our selection of (s) according to Table 1 of [1] row 1 holds the + condition L - k <= r - s, that is, + + (32 32 32 32) - (31 29 28 25) <= (25 27 15 22) - (18 2 7 13) + + with r = k - q and q = (6 2 13 3) as also stated by the paper. + So according to [2] we are safe with one round of quicktaus for + initialization. However we decided to include the warm-up phase + of the PRNG as done in GSL in every case as a safety net. We also + use the warm up phase to make the output of the RNG easier to + verify by the GSL output. + + In prandom_init(), we also mix random_get_entropy() into it, just + like drivers/char/random.c does it, jiffies ^ random_get_entropy(). + random-get_entropy() is get_cycles(). xor is entropy preserving so + it is fine if it is not implemented by some architectures. + + Note, this PRNG is *not* used for cryptography in the kernel, but + rather as a fast PRNG for various randomizations i.e. in the + networking code, or elsewhere for debugging purposes, for example. + + [*]: In order to generate some "sort of pseduo-randomness", since + get_random_bytes() is not yet available for us, we use jiffies and + initialize states s1 - s3 with a simple linear congruential generator + (LCG), that is x <- x * 69069; and derive s2, s3, from the 32bit + initialization from s1. So the above quote from [3] accounts only + for the time from core to late initcall, not afterwards. + [**] Single threaded run on MacBook Air w/ Intel Core i5-3317U + + [1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps + [2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps + [3] http://thread.gmane.org/gmane.comp.encryption.general/12103/ + [4] http://code.google.com/p/dieharder/source/browse/trunk/libdieharder/diehard_sums.c?spec=svn490&r=490#20 + [5] http://www.phy.duke.edu/~rgb/General/dieharder.php + + Joint work with Hannes Frederic Sowa. + + Cc: Florian Weimer + Cc: Theodore Ts'o + Signed-off-by: Daniel Borkmann + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + Conflicts: + + include/linux/random.h + + include/linux/random.h | 13 +++++-- + lib/random32.c | 80 +++++++++++++++++++++++++++-------------------- + 2 files changed, 55 insertions(+), 38 deletions(-) + +commit 53dd59a26859c9b98cadcad65791c951b162e91e +Author: Hannes Frederic Sowa +Date: Mon Nov 11 12:20:33 2013 +0100 + + Upstream commit: 6d31920246a9fc80be4f16acd27c0bbe8d7b8494 + + random32: add periodic reseeding + + The current Tausworthe PRNG is never reseeded with truly random data after + the first attempt in late_initcall. As this PRNG is used for some critical + random data as e.g. UDP port randomization we should try better and reseed + the PRNG once in a while with truly random data from get_random_bytes(). + + When we reseed with prandom_seed we now make also sure to throw the first + output away. This suffices the reseeding procedure. + + The delay calculation is based on a proposal from Eric Dumazet. + + Joint work with Daniel Borkmann. + + Cc: Eric Dumazet + Cc: Theodore Ts'o + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + Conflicts: + + lib/random32.c + + lib/random32.c | 22 ++++++++++++++++++++++ + 1 files changed, 22 insertions(+), 0 deletions(-) + +commit 9deef5d021000495e04a730ba1880fb4b8951d45 +Author: Hannes Frederic Sowa +Date: Mon Nov 11 12:20:34 2013 +0100 + + Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9 + + random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized + + The Tausworthe PRNG is initialized at late_initcall time. At that time the + entropy pool serving get_random_bytes is not filled sufficiently. This + patch adds an additional reseeding step as soon as the nonblocking pool + gets marked as initialized. + + On some machines it might be possible that late_initcall gets called after + the pool has been initialized. In this situation we won't reseed again. + + (A call to prandom_seed_late blocks later invocations of early reseed + attempts.) + + Joint work with Daniel Borkmann. + + Cc: Eric Dumazet + Cc: Theodore Ts'o + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: Daniel Borkmann + Acked-by: "Theodore Ts'o" + Signed-off-by: David S. Miller + + Conflicts: + + lib/random32.c + + drivers/char/random.c | 5 ++++- + include/linux/random.h | 1 + + lib/random32.c | 24 +++++++++++++++++++++++- + 3 files changed, 28 insertions(+), 2 deletions(-) + +commit 7445d45f81df0b84bbb7fc6cc598e6b70522c286 +Author: Brad Spengler +Date: Sat Jan 18 20:43:43 2014 -0500 + + Since the reworking of recvmsg handlers by Hannes Frederic Sowa, + it should be safe to revert our workaround for large number of + infoleaks the previous interface made possible, restoring some + performance to these syscalls + + net/socket.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 2c18c01da2a59df2cdaa0d99e0ed2f781c3cbf4e +Author: Eric Dumazet +Date: Wed Jan 15 06:50:07 2014 -0800 + + Upstream commit: aee636c4809fa54848ff07a899b326eb1f9987a2 + + bpf: do not use reciprocal divide + + At first Jakub Zawadzki noticed that some divisions by reciprocal_divide + were not correct. (off by one in some cases) + http://www.wireshark.org/~darkjames/reciprocal-buggy.c + + He could also show this with BPF: + http://www.wireshark.org/~darkjames/set-and-dump-filter-k-bug.c + + The reciprocal divide in linux kernel is not generic enough, + lets remove its use in BPF, as it is not worth the pain with + current cpus. + + Signed-off-by: Eric Dumazet + Reported-by: Jakub Zawadzki + Cc: Mircea Gherzan + Cc: Daniel Borkmann + Cc: Hannes Frederic Sowa + Cc: Matt Evans + Cc: Martin Schwidefsky + Cc: Heiko Carstens + Cc: David S. Miller + Signed-off-by: David S. Miller + + Conflicts: + + arch/x86/net/bpf_jit_comp.c + + arch/arm/net/bpf_jit_32.c | 6 +++--- + arch/powerpc/net/bpf_jit_comp.c | 7 ++++--- + arch/s390/net/bpf_jit_comp.c | 17 ++++++++++++----- + arch/sparc/net/bpf_jit_comp.c | 17 ++++++++++++++--- + arch/x86/net/bpf_jit_comp.c | 16 ++++++++++------ + net/core/filter.c | 30 ++---------------------------- + 6 files changed, 45 insertions(+), 48 deletions(-) + +commit 6986871c84f81084d5c8723538ccefc5c401b31c +Author: Jie Liu +Date: Wed Jan 1 19:28:03 2014 +0800 + + Upstream commit: bba719b5004234e55737e7074b81b337210c511d + + xfs: fix off-by-one error in xfs_attr3_rmt_verify + + With CRC check is enabled, if trying to set an attributes value just + equal to the maximum size of XATTR_SIZE_MAX would cause the v3 remote + attr write verification procedure failure, which would yield the back + trace like below: + + + XFS (sda7): Internal error xfs_attr3_rmt_write_verify at line 191 of file fs/xfs/xfs_attr_remote.c + + Call Trace: + [] dump_stack+0x45/0x56 + [] xfs_error_report+0x3b/0x40 [xfs] + [] ? _xfs_buf_ioapply+0x6d/0x390 [xfs] + [] xfs_corruption_error+0x55/0x80 [xfs] + [] xfs_attr3_rmt_write_verify+0x14b/0x1a0 [xfs] + [] ? _xfs_buf_ioapply+0x6d/0x390 [xfs] + [] ? xfs_bdstrat_cb+0x55/0xb0 [xfs] + [] _xfs_buf_ioapply+0x6d/0x390 [xfs] + [] ? vm_map_ram+0x31a/0x460 + [] ? wake_up_state+0x20/0x20 + [] ? xfs_bdstrat_cb+0x55/0xb0 [xfs] + [] xfs_buf_iorequest+0x6b/0xc0 [xfs] + [] xfs_bdstrat_cb+0x55/0xb0 [xfs] + [] xfs_bwrite+0x46/0x80 [xfs] + [] xfs_attr_rmtval_set+0x334/0x490 [xfs] + [] xfs_attr_leaf_addname+0x24a/0x410 [xfs] + [] xfs_attr_set_int+0x223/0x470 [xfs] + [] xfs_attr_set+0x96/0xb0 [xfs] + [] xfs_xattr_set+0x42/0x70 [xfs] + [] generic_setxattr+0x62/0x80 + [] __vfs_setxattr_noperm+0x63/0x1b0 + [] ? evm_inode_setxattr+0xe/0x10 + [] vfs_setxattr+0xb5/0xc0 + [] setxattr+0x12e/0x1c0 + [] ? final_putname+0x22/0x50 + [] ? putname+0x2b/0x40 + [] ? user_path_at_empty+0x5f/0x90 + [] ? __sb_start_write+0x49/0xe0 + [] ? vm_mmap_pgoff+0x99/0xc0 + [] SyS_setxattr+0x8f/0xe0 + [] system_call_fastpath+0x1a/0x1f + + Tests: + setfattr -n user.longxattr -v `perl -e 'print "A"x65536'` testfile + + This patch fix it to check the remote EA size is greater than the + XATTR_SIZE_MAX rather than more than or equal to it, because it's + valid if the specified EA value size is equal to the limitation as + per VFS setxattr interface. + + Signed-off-by: Jie Liu + Reviewed-by: Mark Tinguely + Signed-off-by: Ben Myers + + (cherry picked from commit 85dd0707f0cad26d60f2dc574d17a5ab948d10f7) + + fs/xfs/xfs_attr_remote.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e8aa7f8223cf2bc0893c6bec7ada0b13edc07703 +Author: Steven Rostedt +Date: Thu Jan 9 21:46:34 2014 -0500 + + Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be + + SELinux: Fix possible NULL pointer dereference in selinux_inode_permission() + + While running stress tests on adding and deleting ftrace instances I hit + this bug: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: selinux_inode_permission+0x85/0x160 + PGD 63681067 PUD 7ddbe067 PMD 0 + Oops: 0000 [#1] PREEMPT + CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20 + Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006 + task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000 + RIP: 0010:[] [] selinux_inode_permission+0x85/0x160 + RSP: 0018:ffff88007ddb1c48 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840 + RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000 + RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54 + R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000 + R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000 + FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M + CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0 + Call Trace: + security_inode_permission+0x1c/0x30 + __inode_permission+0x41/0xa0 + inode_permission+0x18/0x50 + link_path_walk+0x66/0x920 + path_openat+0xa6/0x6c0 + do_filp_open+0x43/0xa0 + do_sys_open+0x146/0x240 + SyS_open+0x1e/0x20 + system_call_fastpath+0x16/0x1b + Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff + RIP selinux_inode_permission+0x85/0x160 + CR2: 0000000000000020 + + Investigating, I found that the inode->i_security was NULL, and the + dereference of it caused the oops. + + in selinux_inode_permission(): + + isec = inode->i_security; + + rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); + + Note, the crash came from stressing the deletion and reading of debugfs + files. I was not able to recreate this via normal files. But I'm not + sure they are safe. It may just be that the race window is much harder + to hit. + + What seems to have happened (and what I have traced), is the file is + being opened at the same time the file or directory is being deleted. + As the dentry and inode locks are not held during the path walk, nor is + the inodes ref counts being incremented, there is nothing saving these + structures from being discarded except for an rcu_read_lock(). + + The rcu_read_lock() protects against freeing of the inode, but it does + not protect freeing of the inode_security_struct. Now if the freeing of + the i_security happens with a call_rcu(), and the i_security field of + the inode is not changed (it gets freed as the inode gets freed) then + there will be no issue here. (Linus Torvalds suggested not setting the + field to NULL such that we do not need to check if it is NULL in the + permission check). + + Note, this is a hack, but it fixes the problem at hand. A real fix is + to restructure the destroy_inode() to call all the destructor handlers + from the RCU callback. But that is a major job to do, and requires a + lot of work. For now, we just band-aid this bug with this fix (it + works), and work on a more maintainable solution in the future. + + Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home + Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home + + Cc: stable@vger.kernel.org + Signed-off-by: Steven Rostedt + Signed-off-by: Linus Torvalds + + security/selinux/hooks.c | 20 ++++++++++++++++++-- + security/selinux/include/objsec.h | 5 ++++- + 2 files changed, 22 insertions(+), 3 deletions(-) + +commit e19ed2ef10ac8fb5539ff49890f149230ba504a2 +Author: Hugh Dickins +Date: Sun Jan 12 01:25:21 2014 -0800 + + Upstream commit: eecc1e426d681351a6026a7d3e7d225f38955b6c + + thp: fix copy_page_rep GPF by testing is_huge_zero_pmd once only + + We see General Protection Fault on RSI in copy_page_rep: that RSI is + what you get from a NULL struct page pointer. + + RIP: 0010:[] [] copy_page_rep+0x5/0x10 + RSP: 0000:ffff880136e15c00 EFLAGS: 00010286 + RAX: ffff880000000000 RBX: ffff880136e14000 RCX: 0000000000000200 + RDX: 6db6db6db6db6db7 RSI: db73880000000000 RDI: ffff880dd0c00000 + RBP: ffff880136e15c18 R08: 0000000000000200 R09: 000000000005987c + R10: 000000000005987c R11: 0000000000000200 R12: 0000000000000001 + R13: ffffea00305aa000 R14: 0000000000000000 R15: 0000000000000000 + FS: 00007f195752f700(0000) GS:ffff880c7fc20000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000093010000 CR3: 00000001458e1000 CR4: 00000000000027e0 + Call Trace: + copy_user_huge_page+0x93/0xab + do_huge_pmd_wp_page+0x710/0x815 + handle_mm_fault+0x15d8/0x1d70 + __do_page_fault+0x14d/0x840 + do_page_fault+0x2f/0x90 + page_fault+0x22/0x30 + + do_huge_pmd_wp_page() tests is_huge_zero_pmd(orig_pmd) four times: but + since shrink_huge_zero_page() can free the huge_zero_page, and we have + no hold of our own on it here (except where the fourth test holds + page_table_lock and has checked pmd_same), it's possible for it to + answer yes the first time, but no to the second or third test. Change + all those last three to tests for NULL page. + + (Note: this is not the same issue as trinity's DEBUG_PAGEALLOC BUG + in copy_page_rep with RSI: ffff88009c422000, reported by Sasha Levin + in https://lkml.org/lkml/2013/3/29/103. I believe that one is due + to the source page being split, and a tail page freed, while copy + is in progress; and not a problem without DEBUG_PAGEALLOC, since + the pmd_same check will prevent a miscopy from being made visible.) + + Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page") + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org # v3.10 v3.11 v3.12 + Signed-off-by: Linus Torvalds + + mm/huge_memory.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 49bf1cc12db4954afc0a3e9a4506325a53259c13 +Author: Christian Engelmayer +Date: Sat Jan 11 22:19:30 2014 +0100 + + Upstream commit: 267d29a69c6af39445f36102a832b25ed483f299 + + ieee802154: Fix memory leak in ieee802154_add_iface() + + Fix a memory leak in the ieee802154_add_iface() error handling path. + Detected by Coverity: CID 710490. + + Signed-off-by: Christian Engelmayer + Signed-off-by: David S. Miller + + net/ieee802154/nl-phy.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 4e2493507f0d3a43a3c9562a4e75ae806f993d84 +Author: Hannes Frederic Sowa +Date: Mon Jan 13 02:45:22 2014 +0100 + + Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e + + net: avoid reference counter overflows on fib_rules in multicast forwarding + + Bob Falken reported that after 4G packets, multicast forwarding stopped + working. This was because of a rule reference counter overflow which + freed the rule as soon as the overflow happend. + + This patch solves this by adding the FIB_LOOKUP_NOREF flag to + fib_rules_lookup calls. This is safe even from non-rcu locked sections + as in this case the flag only implies not taking a reference to the rule, + which we don't need at all. + + Rules only hold references to the namespace, which are guaranteed to be + available during the call of the non-rcu protected function reg_vif_xmit + because of the interface reference which itself holds a reference to + the net namespace. + + Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables") + Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables") + Reported-by: Bob Falken + Cc: Patrick McHardy + Cc: Thomas Graf + Cc: Julian Anastasov + Cc: Eric Dumazet + Signed-off-by: Hannes Frederic Sowa + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/ipmr.c | 7 +++++-- + net/ipv6/ip6mr.c | 7 +++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +commit 427e1a47ccd092da8d3834ec889bbf899bf02994 +Author: NeilBrown +Date: Mon Jan 6 10:35:34 2014 +1100 + + Upstream commit: e8b849158508565e0cd6bc80061124afc5879160 + + md/raid10: fix bug when raid10 recovery fails to recover a block. + + commit e875ecea266a543e643b19e44cf472f1412708f9 + md/raid10 record bad blocks as needed during recovery. + + added code to the "cannot recover this block" path to record a bad + block rather than fail the whole recovery. + Unfortunately this new case was placed *after* r10bio was freed rather + than *before*, yet it still uses r10bio. + This is will crash with a null dereference. + + So move the freeing of r10bio down where it is safe. + + Cc: stable@vger.kernel.org (v3.1+) + Fixes: e875ecea266a543e643b19e44cf472f1412708f9 + Reported-by: Damian Nowak + URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181 + Signed-off-by: NeilBrown + + drivers/md/raid10.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 528bc79bf4b9414269c3468527a1fb93992888ec +Author: NeilBrown +Date: Mon Jan 6 13:19:42 2014 +1100 + + Upstream commit: 1cc03eb93245e63b0b7a7832165efdc52e25b4e6 + + md/raid5: Fix possible confusion when multiple write errors occur. + + commit 5d8c71f9e5fbdd95650be00294d238e27a363b5c + md: raid5 crash during degradation + + Fixed a crash in an overly simplistic way which could leave + R5_WriteError or R5_MadeGood set in the stripe cache for devices + for which it is no longer relevant. + When those devices are removed and spares added the flags are still + set and can cause incorrect behaviour. + + commit 14a75d3e07c784c004b4b44b34af996b8e4ac453 + md/raid5: preferentially read from replacement device if possible. + + Fixed the same bug if a more effective way, so we can now revert + the original commit. + + Reported-and-tested-by: Alexander Lyakas + Cc: stable@vger.kernel.org (3.2+ - 3.2 will need a different fix though) + Fixes: 5d8c71f9e5fbdd95650be00294d238e27a363b5c + Signed-off-by: NeilBrown + + drivers/md/raid5.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 65e365f661bcc034ce8da73be4521dde4088cbc6 +Author: NeilBrown +Date: Tue Jan 14 10:38:09 2014 +1100 + + Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1 + + md/raid10: fix two bugs in handling of known-bad-blocks. + + If we discover a bad block when reading we split the request and + potentially read some of it from a different device. + + The code path of this has two bugs in RAID10. + 1/ we get a spin_lock with _irq, but unlock without _irq!! + 2/ The calculation of 'sectors_handled' is wrong, as can be clearly + seen by comparison with raid1.c + + This leads to at least 2 warnings and a probable crash is a RAID10 + ever had known bad blocks. + + Cc: stable@vger.kernel.org (v3.1+) + Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160 + Reported-by: Damian Nowak + URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181 + Signed-off-by: NeilBrown + + drivers/md/raid10.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 648634ea6eaa98407d5cee468eea365addf784d7 +Author: Andreas Rohner +Date: Tue Jan 14 17:56:36 2014 -0800 + + Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a + + nilfs2: fix segctor bug that causes file system corruption + + There is a bug in the function nilfs_segctor_collect, which results in + active data being written to a segment, that is marked as clean. It is + possible, that this segment is selected for a later segment + construction, whereby the old data is overwritten. + + The problem shows itself with the following kernel log message: + + nilfs_sufile_do_cancel_free: segment 6533 must be clean + + Usually a few hours later the file system gets corrupted: + + NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0 + NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660) + + The issue can be reproduced with a file system that is nearly full and + with the cleaner running, while some IO intensive task is running. + Although it is quite hard to reproduce. + + This is what happens: + + 1. The cleaner starts the segment construction + 2. nilfs_segctor_collect is called + 3. sc_stage is on NILFS_ST_SUFILE and segments are freed + 4. sc_stage is on NILFS_ST_DAT current segment is full + 5. nilfs_segctor_extend_segments is called, which + allocates a new segment + 6. The new segment is one of the segments freed in step 3 + 7. nilfs_sufile_cancel_freev is called and produces an error message + 8. Loop around and the collection starts again + 9. sc_stage is on NILFS_ST_SUFILE and segments are freed + including the newly allocated segment, which will contain active + data and can be allocated at a later time + 10. A few hours later another segment construction allocates the + segment and causes file system corruption + + This can be prevented by simply reordering the statements. If + nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments + the freed segments are marked as dirty and cannot be allocated any more. + + Signed-off-by: Andreas Rohner + Reviewed-by: Ryusuke Konishi + Tested-by: Andreas Rohner + Signed-off-by: Ryusuke Konishi + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/nilfs2/segment.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +commit 380b201967bbe5769291311e5195a603006d391c +Author: Mikulas Patocka +Date: Tue Jan 14 17:56:40 2014 -0800 + + Upstream commit: 03e5ac2fc3bf6f4140db0371e8bb4243b24e3e02 + + mm: fix crash when using XFS on loopback + + Commit 8456a648cf44 ("slab: use struct page for slab management") causes + a crash in the LVM2 testsuite on PA-RISC (the crashing test is + fsadm.sh). The testsuite doesn't crash on 3.12, crashes on 3.13-rc1 and + later. + + Bad Address (null pointer deref?): Code=15 regs=000000413edd89a0 (Addr=000006202224647d) + CPU: 3 PID: 24008 Comm: loop0 Not tainted 3.13.0-rc6 #5 + task: 00000001bf3c0048 ti: 000000413edd8000 task.ti: 000000413edd8000 + + YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI + PSW: 00001000000001101111100100001110 Not tainted + r00-03 000000ff0806f90e 00000000405c8de0 000000004013e6c0 000000413edd83f0 + r04-07 00000000405a95e0 0000000000000200 00000001414735f0 00000001bf349e40 + r08-11 0000000010fe3d10 0000000000000001 00000040829c7778 000000413efd9000 + r12-15 0000000000000000 000000004060d800 0000000010fe3000 0000000010fe3000 + r16-19 000000413edd82a0 00000041078ddbc0 0000000000000010 0000000000000001 + r20-23 0008f3d0d83a8000 0000000000000000 00000040829c7778 0000000000000080 + r24-27 00000001bf349e40 00000001bf349e40 202d66202224640d 00000000405a95e0 + r28-31 202d662022246465 000000413edd88f0 000000413edd89a0 0000000000000001 + sr00-03 000000000532c000 0000000000000000 0000000000000000 000000000532c000 + sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + + IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000401fe42c 00000000401fe430 + IIR: 539c0030 ISR: 00000000202d6000 IOR: 000006202224647d + CPU: 3 CR30: 000000413edd8000 CR31: 0000000000000000 + ORIG_R28: 00000000405a95e0 + IAOQ[0]: vma_interval_tree_iter_first+0x14/0x48 + IAOQ[1]: vma_interval_tree_iter_first+0x18/0x48 + RP(r2): flush_dcache_page+0x128/0x388 + Backtrace: + flush_dcache_page+0x128/0x388 + lo_splice_actor+0x90/0x148 [loop] + splice_from_pipe_feed+0xc0/0x1d0 + __splice_from_pipe+0xac/0xc0 + lo_direct_splice_actor+0x1c/0x70 [loop] + splice_direct_to_actor+0xec/0x228 + lo_receive+0xe4/0x298 [loop] + loop_thread+0x478/0x640 [loop] + kthread+0x134/0x168 + end_fault_vector+0x20/0x28 + xfs_setsize_buftarg+0x0/0x90 [xfs] + + Kernel panic - not syncing: Bad Address (null pointer deref?) + + Commit 8456a648cf44 changes the page structure so that the slab + subsystem reuses the page->mapping field. + + The crash happens in the following way: + * XFS allocates some memory from slab and issues a bio to read data + into it. + * the bio is sent to the loopback device. + * lo_receive creates an actor and calls splice_direct_to_actor. + * lo_splice_actor copies data to the target page. + * lo_splice_actor calls flush_dcache_page because the page may be + mapped by userspace. In that case we need to flush the kernel cache. + * flush_dcache_page asks for the list of userspace mappings, however + that page->mapping field is reused by the slab subsystem for a + different purpose. This causes the crash. + + Note that other architectures without coherent caches (sparc, arm, mips) + also call page_mapping from flush_dcache_page, so they may crash in the + same way. + + This patch fixes this bug by testing if the page is a slab page in + page_mapping and returning NULL if it is. + + The patch also fixes VM_BUG_ON(PageSlab(page)) that could happen in + earlier kernels in the same scenario on architectures without cache + coherence when CONFIG_DEBUG_VM is enabled - so it should be backported + to stable kernels. + + In the old kernels, the function page_mapping is placed in + include/linux/mm.h, so you should modify the patch accordingly when + backporting it. + + Signed-off-by: Mikulas Patocka + Cc: John David Anglin ] + Cc: Andi Kleen + Cc: Christoph Lameter + Acked-by: Pekka Enberg + Reviewed-by: Joonsoo Kim + Cc: Helge Deller + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/util.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit e71bfbceaa0246366fe3753a893c660f22568bb9 +Merge: 83b84f4 e8219cf +Author: Brad Spengler +Date: Sat Jan 18 17:30:14 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83b84f4f7b950eeddc319df9dabeca8df99c19e7 +Author: Brad Spengler +Date: Sat Jan 18 17:30:05 2014 -0500 + + Revert "Revert recent PaX marking change that broke a significant number" + + This reverts commit 59672b779a7ef3857bb9335c668f671ea04c8a19. + + fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++----------------------- + 1 files changed, 30 insertions(+), 23 deletions(-) + +commit e8219cf65fbb6e3763c4298831239929d1c1f9fa +Author: Brad Spengler +Date: Sat Jan 18 17:29:19 2014 -0500 + + Update to pax-linux-3.12.8-test15.patch: + - reworked the interaction between the various PaX control flag mechanisms for better consistency + - fixed type attribute handling in the constify plugin, reported by spender + + fs/binfmt_elf.c | 144 +++++++++++++++++++++++------------------- + include/linux/sched.h | 1 + + include/uapi/linux/sysctl.h | 6 -- + tools/gcc/constify_plugin.c | 20 +++--- + 4 files changed, 89 insertions(+), 82 deletions(-) + +commit 88474da15f3f3f5d93848102d03bb4983b9a0b78 +Merge: 59672b7 dbe1b0b28 +Author: Brad Spengler +Date: Thu Jan 16 07:00:51 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit dbe1b0b28973953b8919fbfc479054d527066737 +Merge: 229fa99 97f15f1 +Author: Brad Spengler +Date: Thu Jan 16 07:00:16 2014 -0500 + + Update to pax-linux-3.12.8-test14.patch: + - added a generated file to dontdiff, reported by Emese + - removed duplicated code due to a mismerge + + Merge branch 'linux-3.12.y' into pax-test + + Conflicts: + arch/x86/include/asm/fpu-internal.h + +commit 59672b779a7ef3857bb9335c668f671ea04c8a19 +Author: Brad Spengler +Date: Thu Dec 26 19:23:25 2013 -0500 + + Revert recent PaX marking change that broke a significant number + of existing systems. The marking system will be revamped in a later + patch to fix softmode support while making XT markings more usable. + + fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------ + 1 files changed, 23 insertions(+), 30 deletions(-) + +commit 528d5554e49536241bdf98c59ac3daedf2855a11 +Merge: f17b6ff 229fa99 +Author: Brad Spengler +Date: Sun Jan 12 07:56:10 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 229fa990d096324284db79ed69b336d19df28afb +Author: Brad Spengler +Date: Sun Jan 12 07:55:36 2014 -0500 + + update to newer size_overflow hash table + + tools/gcc/size_overflow_hash.data | 150 +++++++++++++++++++++---------------- + 1 files changed, 84 insertions(+), 66 deletions(-) + +commit f17b6ff4817c57c0aaae76c2c1cf2ee759773292 +Merge: 93e7728 6e027b9 +Author: Brad Spengler +Date: Sat Jan 11 17:38:57 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 6e027b9f1196ed76313c256f8f962afd334d999f +Author: Brad Spengler +Date: Sat Jan 11 17:38:28 2014 -0500 + + Update to pax-linux-3.12.7-test12.patch: + - new size overflow plugin and hash table from Emese, should really fix the canon_copy_from_read_buf problem + - fixed incorrent module parameter type in vivi, caught by the size overflow plugin + + drivers/media/platform/vivi.c | 4 +- + tools/gcc/size_overflow_hash.data | 120 ++++++++++++++++++------------------ + tools/gcc/size_overflow_plugin.c | 64 +++++++++++++------- + 3 files changed, 105 insertions(+), 83 deletions(-) + +commit 93e7728fe0c37e00421e82cc43f8d467d5161751 +Merge: 41ac3ff eadfb9b +Author: Brad Spengler +Date: Thu Jan 9 17:47:29 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit eadfb9b1066d32ee537369fd67683297eb791ed0 +Merge: bccc569 4301b7a +Author: Brad Spengler +Date: Thu Jan 9 17:46:48 2014 -0500 + + Update to pax-linux-3.12.7-test11.patch: + - fixed powerpc compilation, by Purushothama Siddaiah + - updated size overflow hash table from Emese, reported by Brian Haslett + + Merge branch 'linux-3.12.y' into pax-test + + Conflicts: + include/linux/reboot.h + mm/fremap.c + mm/memory-failure.c + scripts/link-vmlinux.sh + +commit 41ac3ff0c57f5b8bc2e32fd6ee58d618a6c8feec +Author: Brad Spengler +Date: Wed Jan 8 20:24:27 2014 -0500 + + zeroing out btime from /proc/stat breaks ps aux, it's the seconds of + uptime for the system, information which is also available elsewhere + (/proc/uptime), so there's no reason to limit it + + fs/proc/stat.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit a1c966be13a8cfa254a6814c8a79caed3b421f0a +Author: Brad Spengler +Date: Wed Jan 8 18:13:15 2014 -0500 + + fix typo + + mm/vmstat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f1b3c3eec89cd91474518f7fbd6ffe11c0cf22c7 +Author: Brad Spengler +Date: Wed Jan 8 18:06:53 2014 -0500 + + provide a zeroed out /proc/vmstat to unprivileged users instead of + denied access, some poorly-written desktop apps bail out completely + when it can't be opened + + mm/vmstat.c | 21 +++++++++++++++------ + 1 files changed, 15 insertions(+), 6 deletions(-) + +commit 4e7ac33a7cf3cb6387d69a4d9ba248a2a2c95c52 +Merge: ecdc265 bccc569 +Author: Brad Spengler +Date: Wed Jan 8 17:55:50 2014 -0500 + + Merge branch 'pax-test' into grsec-test + +commit bccc5691fbe71245abd1e39c4387c1c0146bb3fd +Author: Brad Spengler +Date: Wed Jan 8 17:55:08 2014 -0500 + + Update to pax-linux-3.12.6-test10.patch: + - removed config reference to EXT4_FS_XATTR, reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3904) + - Emese worked around a few intentional overflows that triggered the size overflow plugin + - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907) + - in canon_copy_from_read_buf, reported by dwokfur (http://forums.grsecurity.net/viewtopic.php?f=3&t=3905) + + drivers/tty/n_tty.c | 2 +- + drivers/usb/core/devio.c | 2 +- + security/Kconfig | 1 - + tools/gcc/size_overflow_plugin.c | 173 ++++++++++++++++++++++++++++++++------ + 4 files changed, 150 insertions(+), 28 deletions(-) + +commit ecdc2658f89f545acbfddbcef93c04a5bd3c9ce2 +Author: Brad Spengler +Date: Wed Jan 8 17:46:46 2014 -0500 + + back out recently-added capability checks to various pci write methods + as they break Xorg radeon drivers + + drivers/pci/pci-sysfs.c | 9 --------- + drivers/pci/proc.c | 3 --- + 2 files changed, 0 insertions(+), 12 deletions(-) + +commit 3b9532bcc2f2fda37c6316047764e65d05cfc0d7 +Author: Brad Spengler +Date: Thu Jan 2 17:05:39 2014 -0500 + + add missing #include + + fs/proc/stat.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 44c29b5b08a4475bcd7ca653abe5ed172fa1f8a0 +Author: Brad Spengler +Date: Thu Jan 2 17:02:24 2014 -0500 + + Back off recent PCI BAR restrictions as they break various existing + necessary functionality (Xorg with VMware video driver, etc) + + Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0 + checks currently + + drivers/pci/pci-sysfs.c | 17 +++++++---------- + drivers/pci/proc.c | 13 ++----------- + drivers/pci/syscall.c | 4 ---- + 3 files changed, 9 insertions(+), 25 deletions(-) + +commit 5d6ce67e5ed3913c105cf2fc7c9db1d6e2a9f84a +Author: Brad Spengler +Date: Tue Dec 31 10:30:20 2013 -0500 + + Resolve compatibility with libgtop and recent restriction of + /proc/stat, reported by KacKurx. We now provide a properly-formatted + but zeroed /proc/stat instead of denying unpriv access to the entry + + fs/proc/stat.c | 34 ++++++++++++++++++++++++---------- + 1 files changed, 24 insertions(+), 10 deletions(-) + +commit fb5263307b4892bbaefc83427412b54c12a4e422 +Author: Brad Spengler +Date: Mon Dec 30 11:19:53 2013 -0500 + + Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy + Kulikov: + http://www.openwall.com/lists/kernel-hardening/2011/11/07/1 + + fs/proc/interrupts.c | 4 ++++ + fs/proc/stat.c | 4 ++++ + 2 files changed, 8 insertions(+), 0 deletions(-) + +commit e5f67af1a42dbde9aae812c25e2498b908919689 +Author: Brad Spengler +Date: Mon Dec 30 11:13:49 2013 -0500 + + Update to phase two of the IPC hardening. I've heard no complaints about + the patch I released, but including it here will generate better information. + + grsecurity/Kconfig | 16 ++++++++++------ + grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++--- + include/linux/grmsg.h | 2 +- + ipc/util.c | 3 ++- + 4 files changed, 42 insertions(+), 11 deletions(-) + +commit a5a7395ebf9054496b21fd84978daba0a9bfde5d +Merge: b07a1fc bfce0d4 +Author: Brad Spengler +Date: Thu Dec 26 19:24:39 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit bfce0d4c8f94977de165b9a559c531759d031b4b +Author: Brad Spengler +Date: Thu Dec 26 19:23:25 2013 -0500 + + Revert recent PaX marking change that broke a significant number + of existing systems. The marking system will be revamped in a later + patch to fix softmode support while making XT markings more usable. + + fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------ + 1 files changed, 23 insertions(+), 30 deletions(-) + +commit b07a1fc3ab37cf27f8e7b56193a08adfadd569b6 +Author: Brad Spengler +Date: Thu Dec 26 19:20:26 2013 -0500 + + add missing #include + + grsecurity/grsec_mount.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 5fbe9de8e020fdf6b911a2368e41ba88df554343 +Author: Brad Spengler +Date: Thu Dec 26 15:51:51 2013 -0500 + + Update config help to reflect requirements for proper security, similar + to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM + + grsecurity/Kconfig | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit d26ce94a15a14d44494fd3e307baebc2511a09b8 +Author: Brad Spengler +Date: Thu Dec 26 15:35:31 2013 -0500 + + Whenever we perform checks against block devices we should also test for + raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, + Linux's raw device support has been obsoleted many years ago and is unlikely + to be present in a given kernel config (modulo an allyesconfig). + + grsecurity/gracl.c | 2 +- + grsecurity/grsec_mount.c | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +commit 4bbb922e6241dad03e37919f66e9f422743f5b5e +Author: Brad Spengler +Date: Wed Dec 25 16:37:02 2013 -0500 + + Add some of the more obscure, config-dependent kernel modification + defenses to GRKERNSEC_KMEM, to be split out into a separate option + if this causes any compatibility problems. From Matthew Garrett: + https://lkml.org/lkml/2013/9/9/532 + + Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not + the other way around (to produce more secure settings when distro + configs are used as a base) + + drivers/acpi/custom_method.c | 4 ++++ + drivers/pci/pci-sysfs.c | 12 ++++++++++++ + drivers/pci/proc.c | 12 ++++++++++++ + drivers/pci/syscall.c | 4 ++++ + drivers/platform/x86/asus-wmi.c | 12 ++++++++++++ + kernel/power/Kconfig | 2 ++ + security/Kconfig | 1 - + 7 files changed, 46 insertions(+), 1 deletions(-) + +commit 3ae9170407e5782e6a7b2bd796b60149864e6c3e +Author: Chad Hanson +Date: Mon Dec 23 17:45:01 2013 -0500 + + Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc + + selinux: fix broken peer recv check + + Fix a broken networking check. Return an error if peer recv fails. If + secmark is active and the packet recv succeeds the peer recv error is + ignored. + + Signed-off-by: Chad Hanson + Cc: stable@vger.kernel.org + Signed-off-by: Paul Moore + + security/selinux/hooks.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit c870e769c2d34bff7a0eba239c092bb115bb9d71 +Author: Oleg Nesterov +Date: Mon Dec 23 17:45:01 2013 -0500 + + Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe + + selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock() + + selinux_setprocattr() does ptrace_parent(p) under task_lock(p), + but task_struct->alloc_lock doesn't pin ->parent or ->ptrace, + this looks confusing and triggers the "suspicious RCU usage" + warning because ptrace_parent() does rcu_dereference_check(). + + And in theory this is wrong, spin_lock()->preempt_disable() + doesn't necessarily imply rcu_read_lock() we need to access + the ->parent. + + Reported-by: Evan McNabb + Signed-off-by: Oleg Nesterov + Cc: stable@vger.kernel.org + Signed-off-by: Paul Moore + + security/selinux/hooks.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 717544da98db68da8cf1b902e33eefc098170128 +Author: Benjamin LaHaise +Date: Sat Dec 21 15:49:28 2013 -0500 + + Upstream commit: 1881686f842065d2f92ec9c6424830ffc17d23b0 + + aio: fix kioctx leak introduced by "aio: Fix a trinity splat" + + e34ecee2ae791df674dfb466ce40692ca6218e43 reworked the percpu reference + counting to correct a bug trinity found. Unfortunately, the change lead + to kioctxes being leaked because there was no final reference count to + put. Add that reference count back in to fix things. + + Signed-off-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + + fs/aio.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 21649f0e322166802adf5872f2affc38a0d6eb18 +Author: Jianguo Wu +Date: Wed Dec 18 17:08:59 2013 -0800 + + Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747 + + mm/hugetlb: check for pte NULL pointer in __page_check_address() + + In __page_check_address(), if address's pud is not present, + huge_pte_offset() will return NULL, we should check the return value. + + Signed-off-by: Jianguo Wu + Cc: Naoya Horiguchi + Cc: Mel Gorman + Cc: qiuxishi + Cc: Hanjun Guo + Acked-by: Kirill A. Shutemov + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + Conflicts: + + mm/rmap.c + + mm/rmap.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 184b047d4bc06f058aadb07393270e5d972af3aa +Author: Kirill A. Shutemov +Date: Fri Dec 20 15:10:03 2013 +0200 + + Upstream commit: ee53664bda169f519ce3c6a22d378f0b946c8178 + + mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support + + Sasha Levin found a NULL pointer dereference that is due to a missing + page table lock, which in turn is due to the pmd entry in question being + a transparent huge-table entry. + + The code - introduced in commit 1998cc048901 ("mm: make + madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks + for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it + turns out that that function doesn't work correctly. + + pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would + trigger if the transparent hugepage bit was set, but it doesn't do that + if pmd_numa() is also set. Note that the NUMA bit only gets set on real + NUMA machines, so people trying to reproduce this on most normal + development systems would never actually trigger this. + + Fix it by removing the very subtle (and subtly incorrect) expectation, + and instead just checking pmd_trans_huge() explicitly. + + Reported-by: Sasha Levin + Acked-by: Andrea Arcangeli + [ Additionally remove the now stale test for pmd_trans_huge() inside the + pmd_bad() case - Linus ] + Signed-off-by: Linus Torvalds + + include/asm-generic/pgtable.h | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit 1d769ef5d57f3bb616929c7e3c600852e20d575e +Author: Daniel Borkmann +Date: Tue Dec 17 00:38:39 2013 +0100 + + Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f + + net: inet_diag: zero out uninitialized idiag_{src,dst} fields + + Jakub reported while working with nlmon netlink sniffer that parts of + the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6. + That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3]. + + In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab] + memory through this. At least, in udp_dump_one(), we allocate a skb in ... + + rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL); + + ... and then pass that to inet_sk_diag_fill() that puts the whole struct + inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0], + r->id.idiag_dst[0] and leave the rest untouched: + + r->id.idiag_src[0] = inet->inet_rcv_saddr; + r->id.idiag_dst[0] = inet->inet_daddr; + + struct inet_diag_msg embeds struct inet_diag_sockid that is correctly / + fully filled out in IPv6 case, but for IPv4 not. + + So just zero them out by using plain memset (for this little amount of + bytes it's probably not worth the extra check for idiag_family == AF_INET). + + Similarly, fix also other places where we fill that out. + + Reported-by: Jakub Zawadzki + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + Conflicts: + + net/ipv4/inet_diag.c + + net/ipv4/inet_diag.c | 16 ++++++++++++++++ + 1 files changed, 16 insertions(+), 0 deletions(-) + +commit 11093b2d02f7bba2c9085b2d2d020b9ee34f8737 +Author: Wenliang Fan +Date: Tue Dec 17 11:25:28 2013 +0800 + + Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a + + drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() + + The local variable 'bi' comes from userspace. If userspace passed a + large number to 'bi.data.calibrate', there would be an integer overflow + in the following line: + s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; + + Signed-off-by: Wenliang Fan + Signed-off-by: David S. Miller + + drivers/net/hamradio/hdlcdrv.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit e162be84a9971452943c1d85a59c866a5486222b +Author: Ard Biesheuvel +Date: Mon Dec 23 18:49:30 2013 +0100 + + Upstream commit: f60900f2609e893c7f8d0bccc7ada4947dac4cd5 + + auxvec.h: account for AT_HWCAP2 in AT_VECTOR_SIZE_BASE + + Commit 2171364d1a92 ("powerpc: Add HWCAP2 aux entry") introduced a new + AT_ auxv entry type AT_HWCAP2 but failed to update AT_VECTOR_SIZE_BASE + accordingly. + + Signed-off-by: Ard Biesheuvel + Fixes: 2171364d1a92 (powerpc: Add HWCAP2 aux entry) + Cc: stable@vger.kernel.org + Acked-by: Michael Neuling + Cc: Nishanth Aravamudan + Cc: Benjamin Herrenschmidt + Signed-off-by: Linus Torvalds + + include/linux/auxvec.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a60029d4fb8d62b6dd3617a8ab4031fd79b89fe3 +Author: Brad Spengler +Date: Wed Dec 25 15:11:51 2013 -0500 + + remove unused 'dentry' variable + + fs/xattr.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit d6e290d23c8c47c19536ed84f403eb81f224ed67 +Author: Brad Spengler +Date: Wed Dec 25 15:03:13 2013 -0500 + + Add RBAC mediation of *removexattr(), as this has security implications + in the case of PaX with softmode enabled or the rare case of RBAC+SELinux + use. + + fs/xattr.c | 18 +++++++++++------- + grsecurity/gracl_fs.c | 6 ++++++ + grsecurity/grsec_disabled.c | 6 ++++++ + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 2 ++ + 5 files changed, 27 insertions(+), 8 deletions(-) + +commit 848b9c1e52382f446a2db679d6ee68c0a8cbc52e +Merge: e45d1dd 846d19a +Author: Brad Spengler +Date: Sun Dec 22 10:36:48 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 846d19aa4207282ce5ac54237517e54324eda092 +Author: Brad Spengler +Date: Sun Dec 22 10:35:16 2013 -0500 + + Update to pax-linux-3.12.6-test9.patch: + - updated size overflow hash table from spender + - fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899) + + virt/kvm/kvm_main.c | 13 +++++++++++-- + 1 files changed, 11 insertions(+), 2 deletions(-) + +commit e45d1ddcd3c8005889acc55fbf9e57171339fbb4 +Merge: b5c87f6 6754393 +Author: Brad Spengler +Date: Sat Dec 21 07:53:42 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 6754393ea42b9fb1d6d8e4635e8364674cee2bbd +Author: Brad Spengler +Date: Sat Dec 21 07:53:22 2013 -0500 + + Update size_overflow hash table + + tools/gcc/size_overflow_hash.data | 119 +++++++++++++++++++------------------ + 1 files changed, 60 insertions(+), 59 deletions(-) + +commit b5c87f632d1cf19639a94c36276f96955221c77a +Author: Brad Spengler +Date: Fri Dec 20 20:18:56 2013 -0500 + + compile fix + + fs/stat.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 47618a93b003d648b5704040d1e502f76de07093 +Merge: ba0eeed 37eeb47 +Author: Brad Spengler +Date: Fri Dec 20 20:18:18 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 37eeb473486a08e3beae62841b19169aef36564d +Author: Brad Spengler +Date: Fri Dec 20 20:17:46 2013 -0500 + + Update to pax-linux-3.12.6-test8.patch: + - fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877) + - updated size overflow hash table from spender + + fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++----------------------- + 1 files changed, 30 insertions(+), 23 deletions(-) + +commit ba0eeed0532b602905d87e9bf25aad3664c3f36b +Merge: 453a7f1 9dda34c +Author: Brad Spengler +Date: Fri Dec 20 19:17:33 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9dda34cba200c6eadcbbbccbb4729627fd82e6be +Merge: 63ebe2d2 d0266db +Author: Brad Spengler +Date: Fri Dec 20 19:17:18 2013 -0500 + + Merge branch 'linux-3.12.y' into pax-test + + Conflicts: + arch/x86/boot/Makefile + +commit 453a7f1e18d89056fa27a9fdc777cea1a6fd7fe5 +Merge: bb777f5 63ebe2d2 +Author: Brad Spengler +Date: Thu Dec 19 22:48:02 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 63ebe2d2adf8f5ebc1639c1b8d8577fbe5813fcd +Author: Brad Spengler +Date: Thu Dec 19 22:47:35 2013 -0500 + + add 42 functions to the size_overflow hash table + + tools/gcc/size_overflow_hash.data | 59 +++++++++++++++++++++++++++++------- + 1 files changed, 47 insertions(+), 12 deletions(-) + +commit bb777f517e6c2a53909351245d7d2009d8ad4c5b +Merge: cc59b1f a03d29c +Author: Brad Spengler +Date: Thu Dec 19 17:12:01 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a03d29c1eead36d4f9eac27b3a5d4b4266360a81 +Author: Brad Spengler +Date: Thu Dec 19 17:11:19 2013 -0500 + + Update to pax-linux-3.12.5-test7.patch: + - fixed some more size overflow reports + - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898) + - better fix for the gcc induced intentional overflow in usbdev_read + + arch/x86/include/asm/atomic.h | 6 +++--- + arch/x86/include/asm/atomic64_32.h | 2 +- + arch/x86/include/asm/atomic64_64.h | 2 +- + drivers/usb/core/devio.c | 2 +- + fs/file.c | 4 ++-- + include/asm-generic/atomic-long.h | 2 +- + tools/gcc/size_overflow_hash.data | 3 --- + 7 files changed, 9 insertions(+), 12 deletions(-) + +commit cc59b1fbe8989a6f99d229b34653e40a84d871f4 +Merge: 44842d2 6ffdbdf +Author: Brad Spengler +Date: Sun Dec 15 10:40:14 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 6ffdbdf295f56e22ce8626b555a03e4d2b8c6a61 +Author: Brad Spengler +Date: Sun Dec 15 10:38:59 2013 -0500 + + Update to pax-linux-3.12.5-test6.patch: + - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver + + tools/gcc/size_overflow_plugin.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit 44842d2f32b7fd6f325a90b15bd0a094f08feab9 +Merge: c2c9b35 f85d978 +Author: Brad Spengler +Date: Sat Dec 14 10:58:46 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit f85d978a63b7388c6ab97b54808992fe2ee4ac8c +Author: Brad Spengler +Date: Sat Dec 14 10:58:14 2013 -0500 + + Update to pax-linux-3.12.5-test5.patch: + - properly fix the use-after-free in sys_remap_file_pages, by Rik van Riel (http://www.spinics.net/lists/linux-mm/msg66710.html) + + mm/fremap.c | 10 +++++----- + 1 files changed, 5 insertions(+), 5 deletions(-) + +commit c2c9b35fca510f7e29f80efa2999695448083b52 +Author: Linus Torvalds +Date: Thu Dec 12 09:38:42 2013 -0800 + + Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c + + futex: fix handling of read-only-mapped hugepages + + The hugepage code had the exact same bug that regular pages had in + commit 7485d0d3758e ("futexes: Remove rw parameter from + get_futex_key()"). + + The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix + regression with read only mappings"), but the transparent hugepage case + (added in a5b338f2b0b1: "thp: update futex compound knowledge") case + remained broken. + + Found by Dave Jones and his trinity tool. + + Reported-and-tested-by: Dave Jones + Cc: stable@kernel.org # v2.6.38+ + Acked-by: Thomas Gleixner + Cc: Mel Gorman + Cc: Darren Hart + Cc: Andrea Arcangeli + Cc: Oleg Nesterov + Signed-off-by: Linus Torvalds + + kernel/futex.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 7fe4be2ce4c49484298f71455cdcac08149985cb +Author: Andy Honig +Date: Mon Nov 18 16:09:22 2013 -0800 + + Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96 + + KVM: Improve create VCPU parameter (CVE-2013-4587) + + In multiple functions the vcpu_id is used as an offset into a bitfield. Ag + malicious user could specify a vcpu_id greater than 255 in order to set or + clear bits in kernel memory. This could be used to elevate priveges in the + kernel. This patch verifies that the vcpu_id provided is less than 255. + The api documentation already specifies that the vcpu_id must be less than + max_vcpus, but this is currently not checked. + + Reported-by: Andrew Honig + Cc: stable@vger.kernel.org + Signed-off-by: Andrew Honig + Signed-off-by: Paolo Bonzini + + virt/kvm/kvm_main.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit e3a3b7a0010abaf6f28afb8521fcb29cee6b3c4c +Author: Andy Honig +Date: Tue Nov 19 14:12:18 2013 -0800 + + Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c + + KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) + + Under guest controllable circumstances apic_get_tmcct will execute a + divide by zero and cause a crash. If the guest cpuid support + tsc deadline timers and performs the following sequence of requests + the host will crash. + - Set the mode to periodic + - Set the TMICT to 0 + - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) + - Set the TMICT to non-zero. + Then the lapic_timer.period will be 0, but the TMICT will not be. If the + guest then reads from the TMCCT then the host will perform a divide by 0. + + This patch ensures that if the lapic_timer.period is 0, then the division + does not occur. + + Reported-by: Andrew Honig + Cc: stable@vger.kernel.org + Signed-off-by: Andrew Honig + Signed-off-by: Paolo Bonzini + + arch/x86/kvm/lapic.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 2b8e6adf070a8938133e318e9a6e2f633095f038 +Author: Andy Honig +Date: Wed Nov 20 10:23:22 2013 -0800 + + Upstream commit: fda4e2e85589191b123d31cdc21fd33ee70f50fd + + KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) + + In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the + potential to corrupt kernel memory if userspace provides an address that + is at the end of a page. This patches concerts those functions to use + kvm_write_guest_cached and kvm_read_guest_cached. It also checks the + vapic_address specified by userspace during ioctl processing and returns + an error to userspace if the address is not a valid GPA. + + This is generally not guest triggerable, because the required write is + done by firmware that runs before the guest. Also, it only affects AMD + processors and oldish Intel that do not have the FlexPriority feature + (unless you disable FlexPriority, of course; then newer processors are + also affected). + + Fixes: b93463aa59d6 ('KVM: Accelerated apic support') + + Reported-by: Andrew Honig + Cc: stable@vger.kernel.org + Signed-off-by: Andrew Honig + Signed-off-by: Paolo Bonzini + + arch/x86/kvm/lapic.c | 27 +++++++++++++++------------ + arch/x86/kvm/lapic.h | 4 ++-- + arch/x86/kvm/x86.c | 40 +--------------------------------------- + 3 files changed, 18 insertions(+), 53 deletions(-) + +commit 6261a034c2cc7f34b4c7663ace10d74f9c1fe479 +Author: Gleb Natapov +Date: Thu Dec 12 21:20:08 2013 +0100 + + Upstream commit: 17d68b763f09a9ce824ae23eb62c9efc57b69271 + + KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) + + A guest can cause a BUG_ON() leading to a host kernel crash. + When the guest writes to the ICR to request an IPI, while in x2apic + mode the following things happen, the destination is read from + ICR2, which is a register that the guest can control. + + kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the + cluster id. A BUG_ON is triggered, which is a protection against + accessing map->logical_map with an out-of-bounds access and manages + to avoid that anything really unsafe occurs. + + The logic in the code is correct from real HW point of view. The problem + is that KVM supports only one cluster with ID 0 in clustered mode, but + the code that has the bug does not take this into account. + + Reported-by: Lars Bull + Cc: stable@vger.kernel.org + Signed-off-by: Gleb Natapov + Signed-off-by: Paolo Bonzini + + arch/x86/kvm/lapic.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit beb27f127ef300b52f8c20402d053b05bab7f4e3 +Merge: 82c673f b8daf53 +Author: Brad Spengler +Date: Fri Dec 13 20:11:22 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/parisc/kernel/sys_parisc.c + +commit b8daf537ab923daf14f38d283ca5361424154fa8 +Merge: 7689612 156c758 +Author: Brad Spengler +Date: Fri Dec 13 20:07:08 2013 -0500 + + Update to pax-linux-3.12.5-test4.patch: + - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus + - fixed underallocation in __d_alloc that would cause an out-of-bounds read later, reported by Dmitry Vyukov and Kees Cook, not understood by Al Viro + (http://lkml.org/lkml/2013/10/3/493 and http://lkml.org/lkml/2013/10/11/293) + - fixed use-after-free in sys_remap_file_pages, reported by Dmitry Vyukov (http://lkml.org/lkml/2013/9/17/30) + - updated size oveflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver + - fixed a btrfs bug caught by the size overflow plugin, reported by Jens Binnewies (http://forums.grsecurity.net/viewtopic.php?f=1&t=3887) + turns out that it was fixed upstream already but never marked for stable backport: + - https://bugzilla.kernel.org/show_bug.cgi?id=66661 + - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/btrfs/tree-log.c?id=ed9e8af88e2551aaa6bf51d8063a2493e2d71597 + - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz SÅ‚awiÅ„ski (https://bugs.gentoo.org/show_bug.cgi?id=487938) + - the mask register has been changed from r10 (used by DRAP) to r12 + - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible) + + Merge branch 'linux-3.12.y' into pax-test + + Conflicts: + arch/parisc/kernel/sys_parisc.c + fs/pipe.c + +commit 82c673fdfd9925cda2e94b67f775be70b8ef4cca +Author: Brad Spengler +Date: Fri Dec 13 19:39:54 2013 -0500 + + Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent + atomic reload improvement. These two objects are used only for "files" private + to the kernel which don't exist on any mounted filesystem and have no visible + path. Only the mode field of these objects is ever used, and we would never + attempt to free these objects a second time (due to their being allocated + into the memory manager associated with the initial policy) + + In practice this causes bogus auditing messages for / and could potentially + cause a subject without executable shared memory support to permit executable + shared memory (if PaX is disabled on the binary). + + Instead just allocate these two special objects with kzalloc at enable time + and free them at disable time. + + Thanks to nyt@countercultured.net for the report + + grsecurity/gracl_policy.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit b0be33b9efb31e2cb745d1b33eee4f89b315d5bf +Merge: 4c60da7 7689612 +Author: Brad Spengler +Date: Sun Dec 8 17:07:04 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + net/ipv4/ping.c + +commit 7689612bef2f353f37a2fe94ff0ef8c72634b522 +Merge: 2f004b8 289b6c7 +Author: Brad Spengler +Date: Sun Dec 8 17:05:58 2013 -0500 + + Merge branch 'linux-3.12.y' into pax-test + + Conflicts: + net/compat.c + net/ipv4/ping.c + net/ipv6/sit.c + net/socket.c + +commit 4c60da771d2fba442fe7831d590277e6fe80e908 +Author: Brad Spengler +Date: Sun Dec 8 16:12:01 2013 -0500 + + Backport of: + + If we allocate less than sizeof(struct attrlist) then we end up + corrupting memory or doing a ZERO_PTR_SIZE dereference. + + This can only be triggered with CAP_SYS_ADMIN. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + + fs/xfs/xfs_ioctl.c | 3 ++- + fs/xfs/xfs_ioctl32.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +commit bd50af2c306bfe6287631e0e1745cc5d2fbad0c2 +Author: Hannes Frederic Sowa +Date: Thu Dec 5 23:29:19 2013 +0100 + + Upstream commit: 239c78db9c41a8f524cce60507440d72229d73bc + + net: clear local_df when passing skb between namespaces + + We must clear local_df when passing the skb between namespaces as the + packet is not local to the new namespace any more and thus may not get + fragmented by local rules. Fred Templin noticed that other namespaces + do fragment IPv6 packets while forwarding. Instead they should have send + back a PTB. + + The same problem should be present when forwarding DF-IPv4 packets + between namespaces. + + Reported-by: Templin, Fred L + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/core/skbuff.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7803212c99050491bd0a2618e039f62c825f82e5 +Author: Linus Torvalds +Date: Mon Dec 2 11:50:37 2013 -0800 + + Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d + + uio: we cannot mmap unaligned page contents + + In commit 7314e613d5ff ("Fix a few incorrectly checked + [io_]remap_pfn_range() calls") the uio driver started more properly + checking the passed-in user mapping arguments against the size of the + actual uio driver data. + + That in turn exposed that some driver authors apparently didn't realize + that mmap can only work on a page granularity, and had tried to use it + with smaller mappings, with the new size check catching that out. + + So since it's not just the user mmap() arguments that can be confused, + make the uio mmap code also verify that the uio driver has the memory + allocated at page boundaries in order for mmap to work. If the device + memory isn't properly aligned, we return + + [ENODEV] + The fildes argument refers to a file whose type is not supported by mmap(). + + as per the open group documentation on mmap. + + Reported-by: Holger Brunck + Acked-by: Greg KH + Signed-off-by: Linus Torvalds + + drivers/uio/uio.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit e5fb91d26cb825c36042d62373c0a32a176cfe2d +Merge: 6b9d9e2 2f004b8 +Author: Brad Spengler +Date: Sun Dec 8 10:18:49 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + mm/mmap.c + +commit 2f004b87204d113e467ba360ac8b0a9cbfcf01cb +Merge: c04a09b 81605d3 +Author: Brad Spengler +Date: Sun Dec 8 10:16:53 2013 -0500 + + Update to pax-linux-3.12.3-test2.patch: + - forward port to 3.12.3 + - fixed incorrect ACCESS_ONCE accessors in rcutree, reported by mcp + - fixed the usual arm/CONSTIFY fallout, reported by Michael Tremer + - changed the constify plugin to give better error messages + - worked around a gcc induced intentional integer overflow in usbdev_read, reported by quasar366 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3889) + - better fix for http://forums.grsecurity.net/viewtopic.php?f=3&t=3885 + - fixed crash under qemu when INVPCID was enabled (say, on -cpu Haswell) but PCID itself wasn't, reported by spender + - updated size overflow plugin from Emese, coverage will increase further + + Merge branch 'linux-3.12.y' into pax-test + + Conflicts: + kernel/trace/ftrace.c + mm/mmap.c + +commit 6b9d9e2fe7cd30598a4c22c159ff3b06339e23c8 +Author: David Herrmann +Date: Tue Nov 26 13:58:18 2013 +0100 + + Upstream commit: 80897aa787ecd58eabb29deab7cbec9249c9b7e6 + + HID: uhid: fix leak for 64/32 UHID_CREATE + + UHID allows short writes so user-space can omit unused fields. We + automatically set them to 0 in the kernel. However, the 64/32 bit + compat-handler didn't do that in the UHID_CREATE fallback. This will + reveal random kernel heap data (of random size, even) to user-space. + + Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems') + + Reported-by: Ben Hutchings + Signed-off-by: David Herrmann + Cc: stable@vger.kernel.org + Signed-off-by: Jiri Kosina + + drivers/hid/uhid.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a06981f0117d614ba4d30f6b5dd6eff7d418ffae +Author: Brad Spengler +Date: Wed Dec 4 18:15:02 2013 -0500 + + Don't duplicate __get_dumpable, also make sure we check against + SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing + detection when suid_dumpable was set to 2 + + fs/coredump.c | 7 +++++-- + grsecurity/grsec_sig.c | 14 ++------------ + include/linux/grsecurity.h | 2 +- + 3 files changed, 8 insertions(+), 15 deletions(-) + +commit fc706a922b49e3157cac848fb0c8d1dcf4f360bb +Merge: 0f023d5 c04a09b +Author: Brad Spengler +Date: Tue Dec 3 21:41:57 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit c04a09b7dbfafdbee85e09c224e90ebc665ce4f5 +Author: Brad Spengler +Date: Tue Dec 3 21:41:20 2013 -0500 + + fix up ACCESS_ONCE -> ACCESS_ONCE_RW, as reported by mcp + + kernel/rcutree_plugin.h | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 0f023d59d361b9880155dd8ddb0c1e19a48437c6 +Author: Brad Spengler +Date: Tue Dec 3 19:39:04 2013 -0500 + + Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, + see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 + The previous info was many years outdated. + + Disable KEXEC when GRKERNSEC_KMEM is enabled: + http://mjg59.dreamwidth.org/28746.html + + Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning + -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present + + arch/arm/Kconfig | 1 + + arch/ia64/Kconfig | 1 + + arch/mips/Kconfig | 1 + + arch/powerpc/Kconfig | 1 + + arch/tile/Kconfig | 1 + + arch/x86/Kconfig | 1 + + arch/x86/kernel/ioport.c | 12 ++++++------ + grsecurity/Kconfig | 27 +++++++++++---------------- + 8 files changed, 23 insertions(+), 22 deletions(-) + +commit 9f610c9c398e7e61183feb7fec6b91b9f2223b61 +Merge: fed624e 1395b8f +Author: Brad Spengler +Date: Mon Dec 2 17:33:01 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1395b8f8832d179a0c73e890754534c9d5442201 +Author: Brad Spengler +Date: Mon Dec 2 17:31:35 2013 -0500 + + Forward-ported the following fix from 3.2: + - worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885) + + This caused filesystem corruption in the reported XFS case, problem + introduced with Nov 24th patch (IPA-based size overflow plugin) + + arch/x86/include/asm/atomic64_32.h | 2 +- + arch/x86/include/asm/atomic64_64.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit fed624ebfd1d08ee6db247733cdb44df0e1be8b0 +Author: Brad Spengler +Date: Mon Dec 2 17:20:00 2013 -0500 + + Fix qemu -cpu Haswell booting with pax_nouderef on the kernel cmdline + + init/main.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a72ed588cbbda00d356529507b6bdca56c19d4c3 +Merge: 3f201fe db6d69f +Author: Brad Spengler +Date: Sat Nov 30 10:46:15 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/dcache.c + ipc/shm.c + net/sunrpc/clnt.c + +commit db6d69f61412f929242423f92d52f4c2c74bab5d +Merge: 1f411d7 050dcf4 +Author: Brad Spengler +Date: Sat Nov 30 10:40:33 2013 -0500 + + Merge branch 'linux-3.12.y' into pax-test + +commit 3f201fe9a368a4b0339a2f3cf1259b785ae8374c +Author: Brad Spengler +Date: Tue Nov 26 15:16:48 2013 -0500 + + Fix null deref on application of the shutdown role, reported by zakalwe + + grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++- + grsecurity/gracl_policy.c | 58 ++++----------------------------------------- + 2 files changed, 62 insertions(+), 54 deletions(-) + +commit f5648d16a7cc79abe6de7ae62e284fa511bb750a +Author: Brad Spengler +Date: Tue Nov 26 13:04:07 2013 -0500 + + Add system library paths to allowed areas for usermode helper calls, + later we will also add checks to ensure the file is owned by root + + kernel/kmod.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit c610c1f0f580069a1dc9d58c0eb0bddd33cbc25c +Author: Brad Spengler +Date: Tue Nov 26 12:59:00 2013 -0500 + + Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer + causing a NULL deref on RBAC reload, reported by zakalwe + + grsecurity/gracl_policy.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4026c926f19d7642c1f89895b556fe2addaef239 +Author: Al Viro +Date: Wed Nov 13 07:45:40 2013 -0500 + + Upstream commit: ede4cebce16f5643c61aedd6d88d9070a1d23a68 + + prepend_path() needs to reinitialize dentry/vfsmount/mnt on restarts + + ... and equivalent is needed in 3.12; it's broken there as well + + Signed-off-by: Al Viro + + Conflicts: + + fs/dcache.c + + fs/dcache.c | 10 +++++++--- + 1 files changed, 7 insertions(+), 3 deletions(-) + +commit c68d27fa66951166bff79a5c1bcc26985ac3f8bc +Merge: 94b560b 1f411d7 +Author: Brad Spengler +Date: Mon Nov 25 23:09:47 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1f411d73c56904d2be9cde1f78aaec7f4554dab1 +Merge: 5f17cd8 6beb1be +Author: Brad Spengler +Date: Mon Nov 25 23:09:34 2013 -0500 + + Merge branch 'linux-3.12.y' into pax-test + +commit 94b560b0163a20b9eab9ec77b83f0bff853fe601 +Author: Brad Spengler +Date: Mon Nov 25 22:33:33 2013 -0500 + + compile fix + + kernel/kmod.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 58c014d37769d384c2e3c06ce5f60fe54f855b24 +Merge: 48ac6ac 5f17cd8 +Author: Brad Spengler +Date: Mon Nov 25 22:27:00 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + +commit 5f17cd87d5c7faf606255f061dd394f6761e38df +Author: Brad Spengler +Date: Mon Nov 25 22:25:42 2013 -0500 + + Update to pax-linux-3.12.1-test2.patch: + - made arm/UDEREF violation reports more consistent, reported by acez and spender + - added a bit more amd64 kernel page table hardening + - fixed some constify related compiler errors + - fixed stack trace reports under i386/KERNEXEC, reported by ncopa and minipli + - updated the size overflow hash table + + arch/arm/mm/fault.c | 16 ++- + arch/x86/include/asm/paravirt_types.h | 2 +- + arch/x86/kernel/head_64.S | 18 ++- + drivers/gpu/drm/radeon/radeon_ttm.c | 2 +- + drivers/gpu/vga/vga_switcheroo.c | 4 +- + drivers/hwmon/nct6775.c | 6 +- + drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- + drivers/staging/lustre/lnet/selftest/framework.c | 4 - + drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- + drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- + drivers/staging/lustre/lustre/include/obd.h | 2 +- + .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- + drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- + drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- + include/linux/hwmon-sysfs.h | 1 + + include/linux/pm.h | 1 + + include/linux/vga_switcheroo.h | 8 +- + net/core/sysctl_net_core.c | 2 +- + scripts/link-vmlinux.sh | 4 +- + sound/soc/soc-core.c | 6 +- + tools/gcc/size_overflow_hash.data | 142 ++++++++++++-------- + 21 files changed, 145 insertions(+), 111 deletions(-) + +commit 48ac6ac8a1fd55f2b276bf5326ce52782b7c554f +Author: Brad Spengler +Date: Mon Nov 25 12:01:21 2013 -0500 + + Conventions exist for a reason -- systemd knows better though + and decides to put security-sensitive system administration utilities + into /usr/lib/systemd in contrast to *every* other user of usermode + helpers. Work around this stupidity + + kernel/kmod.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9ed081196dcaa72bae91d5a31329e35bd480d92b +Author: Brad Spengler +Date: Sun Nov 24 22:49:05 2013 -0500 + + Revert "HID: multitouch: validate feature report details" + + This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684. + + drivers/hid/hid-multitouch.c | 25 +++++-------------------- + 1 files changed, 5 insertions(+), 20 deletions(-) + +commit 801d69b26655ea7240df45ad14f96054e4d9803a +Author: Brad Spengler +Date: Sun Nov 24 22:48:49 2013 -0500 + + Revert "HID: lenovo-tpkbd: validate output report details" + + This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a. + + drivers/hid/hid-lenovo-tpkbd.c | 5 ----- + 1 files changed, 0 insertions(+), 5 deletions(-) + +commit 1f70f596dd47ca9467a06b19ffc341c147ea4a23 +Author: Brad Spengler +Date: Sun Nov 24 22:48:33 2013 -0500 + + Revert "HID: steelseries: validate output report details" + + This reverts commit 0996966348dc3c3f7515567d3245292785d484fc. + + drivers/hid/hid-steelseries.c | 5 ----- + 1 files changed, 0 insertions(+), 5 deletions(-) + +commit 8101ee4167c83f850cc2366088e3f60d01dcb9f7 +Author: Brad Spengler +Date: Sun Nov 24 22:22:03 2013 -0500 + + remove __no_const from pv_lock_ops as it's not constified by the plugin + + arch/x86/include/asm/paravirt_types.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a94e46e08a9d8236544f881faa9cccecfe9c702b +Author: Brad Spengler +Date: Sun Nov 24 22:08:33 2013 -0500 + + add missing header + + fs/proc/proc_sysctl.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit f0018c34f5ef840fffac10eb60fed9048317832f +Author: Brad Spengler +Date: Sun Nov 24 22:04:55 2013 -0500 + + Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace + + fs/proc/proc_sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 99a6a515bf625395fa31892f46311c3877a3fa93 +Author: Brad Spengler +Date: Sun Nov 24 17:50:21 2013 -0500 + + remove unnecessary code/comments after new reload method + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ---- + grsecurity/gracl_policy.c | 13 ------------- + 2 files changed, 0 insertions(+), 17 deletions(-) + +commit 10b6650a259b9a5911a33fc9aaf6677920830eee +Author: Brad Spengler +Date: Sun Nov 24 16:05:01 2013 -0500 + + Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) + + Introduce new atomic RBAC reload method, developed as part of sponsorship + by EIG + + This is accompanied by an updated 3.0 gradm which will use the new reload + method when -R is passed to gradm. The old method will still be available + via gradm -r (which is what a 2.9.1 gradm will continue to use). + + The new RBAC reload method is atomic in the sense that at no point in the + reload process will the system not be covered by a coherent full policy. + In contrast to previous reload behavior, it also preserves inherited subjects + and special roles. + + The old RBAC reload method has also been made atomic. Both methods have + been updated to perform role_allowed_ip checks only against the IP tagged + to the task at the time its role was first applied or changed. This resolves + long-standing usability problems with the use of role_allowed_ip and matches + the policies created by learning. + + Signed-off-by: Brad Spengler + + grsecurity/Makefile | 2 +- + grsecurity/gracl.c | 3903 +++++++++++++------------------------------ + grsecurity/gracl_alloc.c | 42 +- + grsecurity/gracl_compat.c | 3 +- + grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ + grsecurity/gracl_segv.c | 12 +- + grsecurity/grsec_disabled.c | 7 - + grsecurity/grsec_init.c | 15 - + include/linux/gracl.h | 43 +- + include/linux/grinternal.h | 1 - + include/linux/grsecurity.h | 1 - + include/linux/sched.h | 2 + + 12 files changed, 3082 insertions(+), 2787 deletions(-) + +commit b035ba537ccc7dc58b9643ab58a2f5a7b4e6738e +Author: Brad Spengler +Date: Sun Nov 24 15:08:28 2013 -0500 + + compile fix for recent GRKERNSEC_CHROOT_INITRD change + + Signed-off-by: Brad Spengler + + init/main.c | 12 +++--------- + 1 files changed, 3 insertions(+), 9 deletions(-) + +commit a898fff136a97e265c63375a2a03ebd91c9c1286 +Author: Brad Spengler +Date: Sat Nov 23 18:27:37 2013 -0500 + + Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path + + Signed-off-by: Brad Spengler + + include/linux/kmod.h | 3 +++ + kernel/kmod.c | 13 +++++++++++++ + 2 files changed, 16 insertions(+), 0 deletions(-) + +commit 1ae8347eb782c4e961210052e2de554bfdb52980 +Author: Brad Spengler +Date: Sat Nov 23 17:20:15 2013 -0500 + + Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. + + Reported by acez on IRC + + Signed-off-by: Brad Spengler + + arch/arm/mm/fault.c | 11 +++++++++++ + 1 files changed, 11 insertions(+), 0 deletions(-) + +commit 71643b46e6b67e76e52153559d0dc4004c402141 +Author: Brad Spengler +Date: Sat Nov 23 16:56:46 2013 -0500 + + Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. + + Conflicts: + + init/main.c + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 2 +- + grsecurity/grsec_chroot.c | 2 +- + init/main.c | 15 +++++++++++++++ + 3 files changed, 17 insertions(+), 2 deletions(-) + +commit e357e72d769e5c35167e2bf934c722fc825ee2cd +Author: Brad Spengler +Date: Sat Nov 23 16:33:20 2013 -0500 + + limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected + + Signed-off-by: Brad Spengler + + kernel/kmod.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit 4ed2dc55aa2344b9ade6cddbe5ee8b51b6239c54 +Author: Brad Spengler +Date: Sat Nov 23 16:02:01 2013 -0500 + + perform USERCOPY kernel text checks against the linear mapping on amd64 as well + + Signed-off-by: Brad Spengler + + fs/exec.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit 211bbd408a1d7bc2e9ef72df07aa7ce0cbd6c49d +Author: Brad Spengler +Date: Fri Nov 22 20:31:37 2013 -0500 + + Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" + + This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. + + It caused errors with traceroute, reported to upstream and fixed with + http://patchwork.ozlabs.org/patch/293614/ + But there's no reason for us to maintain this backport as we're + already impervious to recvmsg/msg_name infoleaks + + Conflicts: + + net/ipv4/ping.c + + Signed-off-by: Brad Spengler + + net/ieee802154/dgram.c | 3 ++- + net/ipv4/ping.c | 11 +++++++++-- + net/ipv4/raw.c | 4 +++- + net/ipv4/udp.c | 7 ++++++- + net/ipv6/raw.c | 4 +++- + net/ipv6/udp.c | 5 ++++- + net/l2tp/l2tp_ip.c | 4 +++- + net/phonet/datagram.c | 9 +++++---- + 8 files changed, 35 insertions(+), 12 deletions(-) + +commit 4bd8414bb148cf8681c8f1d2deda5739cafb6917 +Author: Hannes Frederic Sowa +Date: Mon Nov 18 07:07:45 2013 +0100 + + Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 + + ping: prevent NULL pointer dereference on write to msg_name + + A plain read() on a socket does set msg->msg_name to NULL. So check for + NULL pointer first. + + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/ipv4/ping.c | 34 +++++++++++++++++++--------------- + 1 files changed, 19 insertions(+), 15 deletions(-) + +commit ccc6e0dd63fc36c5c7fd1bbe4f8fed6533d188a1 +Author: Hannes Frederic Sowa +Date: Mon Nov 18 04:20:45 2013 +0100 + + Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 + + inet: prevent leakage of uninitialized memory to user in recv syscalls + + Only update *addr_len when we actually fill in sockaddr, otherwise we + can return uninitialized memory from the stack to the caller in the + recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) + checks because we only get called with a valid addr_len pointer either + from sock_common_recvmsg or inet_recvmsg. + + If a blocking read waits on a socket which is concurrently shut down we + now return zero and set msg_msgnamelen to 0. + + Reported-by: mpb + Suggested-by: Eric Dumazet + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/ieee802154/dgram.c | 3 +-- + net/ipv4/ping.c | 19 +++++++------------ + net/ipv4/raw.c | 4 +--- + net/ipv4/udp.c | 7 +------ + net/ipv6/raw.c | 4 +--- + net/ipv6/udp.c | 5 +---- + net/l2tp/l2tp_ip.c | 4 +--- + net/phonet/datagram.c | 9 ++++----- + 8 files changed, 17 insertions(+), 38 deletions(-) + +commit 0db1e136415d5696b2342b953361ef7c3017247d +Author: Jeff Layton +Date: Wed Nov 13 09:08:21 2013 -0500 + + Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 + + nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once + + Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or + NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. + There is no guarantee that doing so will work however, so we can end up + retrying the call in an infinite loop. + + Worse yet, we create the new client using rpc_clone_client_set_auth, + which creates the new client as a child of the old one. Thus, we can end + up with a *very* long lineage of rpc_clnts. When we go to put all of the + references to them, we can end up with a long call chain that can smash + the stack as each rpc_free_client() call can recurse back into itself. + + This patch fixes this by simply ensuring that the SETCLIENTID call will + only be retried in this situation if the last attempt did not use + RPC_AUTH_UNIX. + + Note too that with this change, we don't need the (i > 2) check in the + -EACCES case since we now have a more reliable test as to whether we + should reattempt. + + Cc: stable@vger.kernel.org # v3.10+ + Cc: Chuck Lever + Tested-by/Acked-by: Weston Andros Adamson + Signed-off-by: Jeff Layton + Signed-off-by: Trond Myklebust + Signed-off-by: Brad Spengler + + fs/nfs/nfs4state.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 74d59ef1b28635f588c47b270777cd69b0e8291f +Author: Trond Myklebust +Date: Tue Nov 12 17:24:36 2013 -0500 + + Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b + + SUNRPC: Avoid deep recursion in rpc_release_client + + In cases where an rpc client has a parent hierarchy, then + rpc_free_client may end up calling rpc_release_client() on the + parent, thus recursing back into rpc_free_client. If the hierarchy + is deep enough, then we can get into situations where the stack + simply overflows. + + The fix is to have rpc_release_client() loop so that it can take + care of the parent rpc client hierarchy without needing to + recurse. + + Reported-by: Jeff Layton + Reported-by: Weston Andros Adamson + Reported-by: Bruce Fields + Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com + Cc: stable@vger.kernel.org + Signed-off-by: Trond Myklebust + Signed-off-by: Brad Spengler + + net/sunrpc/clnt.c | 29 +++++++++++++++++------------ + 1 files changed, 17 insertions(+), 12 deletions(-) + +commit 8ae59cf66f3a302d45578171337df2d8fe35458c +Author: Trond Myklebust +Date: Fri Nov 8 16:03:50 2013 -0500 + + Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 + + SUNRPC: Fix a data corruption issue when retransmitting RPC calls + + The following scenario can cause silent data corruption when doing + NFS writes. It has mainly been observed when doing database writes + using O_DIRECT. + + 1) The RPC client uses sendpage() to do zero-copy of the page data. + 2) Due to networking issues, the reply from the server is delayed, + and so the RPC client times out. + + 3) The client issues a second sendpage of the page data as part of + an RPC call retransmission. + + 4) The reply to the first transmission arrives from the server + _before_ the client hardware has emptied the TCP socket send + buffer. + 5) After processing the reply, the RPC state machine rules that + the call to be done, and triggers the completion callbacks. + 6) The application notices the RPC call is done, and reuses the + pages to store something else (e.g. a new write). + + 7) The client NIC drains the TCP socket send buffer. Since the + page data has now changed, it reads a corrupted version of the + initial RPC call, and puts it on the wire. + + This patch fixes the problem in the following manner: + + The ordering guarantees of TCP ensure that when the server sends a + reply, then we know that the _first_ transmission has completed. Using + zero-copy in that situation is therefore safe. + If a time out occurs, we then send the retransmission using sendmsg() + (i.e. no zero-copy), We then know that the socket contains a full copy of + the data, and so it will retransmit a faithful reproduction even if the + RPC call completes, and the application reuses the O_DIRECT buffer in + the meantime. + + Signed-off-by: Trond Myklebust + Cc: stable@vger.kernel.org + Signed-off-by: Brad Spengler + + net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- + 1 files changed, 21 insertions(+), 7 deletions(-) + +commit 1a40aeaa23860a26df02c9c8729937b6da2bcdd6 +Author: Dan Carpenter +Date: Thu Nov 14 11:21:10 2013 +0300 + + Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 + + isdnloop: use strlcpy() instead of strcpy() + + These strings come from a copy_from_user() and there is no way to be + sure they are NUL terminated. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- + 1 files changed, 5 insertions(+), 3 deletions(-) + +commit a7a1549064b332e878efa22fdebed32035cc8f07 +Author: Eric Dumazet +Date: Thu Nov 14 13:37:54 2013 -0800 + + Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf + + ipv4: fix possible seqlock deadlock + + ip4_datagram_connect() being called from process context, + it should use IP_INC_STATS() instead of IP_INC_STATS_BH() + otherwise we can deadlock on 32bit arches, or get corruptions of + SNMP counters. + + Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") + Signed-off-by: Eric Dumazet + Reported-by: Dave Jones + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/ipv4/datagram.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 96b7719c933229c8619f8ad207c141dcc70d546e +Author: Brad Spengler +Date: Thu Nov 14 20:15:51 2013 -0500 + + GRKERNSEC_HARDEN_IPC should depend on SYSVIPC + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0001071fa9ff6ef9370a370bea51bef2f1e3c2ab +Author: Brad Spengler +Date: Thu Nov 14 19:07:11 2013 -0500 + + Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows + + Signed-off-by: Brad Spengler + + arch/arm/mm/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 05ae94add600530e3ae98f9a153cb6423b91e46a +Author: Brad Spengler +Date: Thu Nov 14 19:01:59 2013 -0500 + + Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ + + Will let this sit in -test for a while to weed out any app incompatibilities + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 17 +++++++++++++++++ + grsecurity/Makefile | 2 +- + grsecurity/grsec_init.c | 4 ++++ + grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ + grsecurity/grsec_sysctl.c | 9 +++++++++ + include/linux/grinternal.h | 1 + + include/linux/grmsg.h | 1 + + ipc/util.c | 5 +++++ + 8 files changed, 60 insertions(+), 1 deletions(-) + +commit f5be6d902d5b36c0fb40aabb61f686e510a2d887 +Author: Brad Spengler +Date: Mon Nov 11 10:48:10 2013 -0500 + + Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c + + Signed-off-by: Brad Spengler + + drivers/video/arcfb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e60c412c422f72a52c819465db8b81991d861390 +Author: Brad Spengler +Date: Sun Nov 10 22:01:33 2013 -0500 + + Add missing include + + Signed-off-by: Brad Spengler + + fs/proc/proc_sysctl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 17d5ff67a76aab404c8cbe13576d492a7a8b342a +Author: Brad Spengler +Date: Sun Nov 10 17:50:12 2013 -0500 + + add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND + + Signed-off-by: Brad Spengler + + arch/arm/mm/Kconfig | 2 +- + grsecurity/Kconfig | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletions(-) + +commit b4aa2136272e6b1cdbb285a74ee17471dd679dfa +Author: Brad Spengler +Date: Sun Nov 10 15:19:27 2013 -0500 + + On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. + + Thanks to acez from IRC for debugging. + + Signed-off-by: Brad Spengler + + mm/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 197a69f1783917091d60db2a3ffd7ff14d41489d +Author: Brad Spengler +Date: Sun Nov 10 13:54:25 2013 -0500 + + Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own + + This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's + networking + + Thanks to ncopa from IRC for testing + + Signed-off-by: Brad Spengler + + fs/proc/proc_sysctl.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 010702a965acb2aea4d81510f99d788ab6564123 +Author: Brad Spengler +Date: Wed Nov 6 16:23:36 2013 -0500 + + Force on DEBUG_LIST so all users can benefit from safe linking/unlinking + + Conflicts: + + security/Kconfig + + Signed-off-by: Brad Spengler + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 09ce0d45a4fc86ca1389260bf28a62f98ccff362 +Author: Brad Spengler +Date: Wed Nov 6 16:19:21 2013 -0500 + + change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence + + Conflicts: + + lib/list_debug.c + + Signed-off-by: Brad Spengler + + lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- + 1 files changed, 42 insertions(+), 23 deletions(-) + +commit 60a1f79d72bdfc2c6aed1be9537559959a0b8b55 +Author: Jason Wang +Date: Fri Nov 1 15:01:10 2013 +0800 + + Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd + + net: flow_dissector: fail on evil iph->ihl + + We don't validate iph->ihl which may lead a dead loop if we meet a IPIP + skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl + is evil (less than 5). + + This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae + (rps: support IPIP encapsulation). + + Cc: Eric Dumazet + Cc: Petr Matousek + Cc: Michael S. Tsirkin + Cc: Daniel Borkmann + Signed-off-by: Jason Wang + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/core/flow_dissector.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 9743a1eca0b0172da4ec07bc07fa30fcccb9fba7 +Author: Linus Torvalds +Date: Tue Oct 29 10:21:34 2013 -0700 + + Fixed a little differently than Linus... + + Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 + + Fix a few incorrectly checked [io_]remap_pfn_range() calls + + Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that + really should use the vm_iomap_memory() helper. This trivially converts + two of them to the helper, and comments about why the third one really + needs to continue to use remap_pfn_range(), and adds the missing size + check. + + Reported-by: Nico Golde + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/uio/uio.c | 6 +++++- + 1 files changed, 5 insertions(+), 1 deletions(-) + +commit 187b4936fbaaafd087556919bae3b719e67536b8 +Author: Brad Spengler +Date: Wed Oct 16 18:36:25 2013 -0400 + + From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests + + We leak 4 bytes of kernel stack in response to an AUDIT_GET request as + we miss to initialize the mask member of status_set. Fix that. + + Cc: Al Viro + Cc: Eric Paris + Cc: stable@vger.kernel.org # v2.6.6+ + Signed-off-by: Mathias Krause + Signed-off-by: Brad Spengler + + kernel/audit.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0e48ab30113de43958987e9f0d20fb816892c090 +Author: Brad Spengler +Date: Wed Oct 16 19:02:32 2013 -0400 + + add 2nd chunk of audit nlmsg_len() fix from minipli + + Signed-off-by: Brad Spengler + + kernel/audit.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b5e6b4bcb3a38c94605e9fa68d6c5936438fb0d8 +Author: Brad Spengler +Date: Wed Oct 16 18:37:59 2013 -0400 + + From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length + + Using the nlmsg_len member of the netlink header to test if the message + is valid is wrong as it includes the size of the netlink header itself. + Thereby allowing to send short netlink messages that pass those checks. + + Use nlmsg_len() instead to test for the right message length. The result + of nlmsg_len() is guaranteed to be non-negative as the netlink message + already passed the checks of nlmsg_ok(). + + Also switch to min_t() to please checkpatch.pl. + + Cc: Al Viro + Cc: Eric Paris + Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd + + Signed-off-by: Brad Spengler + + kernel/audit.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit dfb491ad409ee7efadcb00041cd31e9e411efebb +Author: Brad Spengler +Date: Wed Oct 16 18:41:01 2013 -0400 + + From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , Bart De Schuymer Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks + + The ulog messages leak heap bytes by the means of padding bytes and + incompletely filled string arrays. Fix those by memset(0)'ing the + whole struct before filling it. + + Cc: Bart De Schuymer + Signed-off-by: Mathias Krause + + Conflicts: + + net/bridge/netfilter/ebt_ulog.c + Signed-off-by: Brad Spengler + + net/bridge/netfilter/ebt_ulog.c | 9 +++------ + 1 files changed, 3 insertions(+), 6 deletions(-) + +commit 637ef6f911201af0136b794b5b602eb14efb6b7c +Author: Brad Spengler +Date: Wed Oct 16 18:43:01 2013 -0400 + + From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks + + The ulog messages leak heap bytes by the means of padding bytes and + incompletely filled string arrays. Fix those by memset(0)'ing the + whole struct before filling it. + + Cc: Pablo Neira Ayuso + Cc: Patrick McHardy + Cc: Jozsef Kadlecsik + Signed-off-by: Mathias Krause + + Conflicts: + + net/ipv4/netfilter/ipt_ULOG.c + Signed-off-by: Brad Spengler + + net/ipv4/netfilter/ipt_ULOG.c | 7 +------ + 1 files changed, 1 insertions(+), 6 deletions(-) + +commit 103af82880576436f1fceafec93da69f0d55d019 +Author: Brad Spengler +Date: Fri Sep 27 21:06:17 2013 -0400 + + Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change + + Signed-off-by: Brad Spengler + + grsecurity/gracl_ip.c | 7 +++---- + net/socket.c | 26 +++++++++++++++----------- + 2 files changed, 18 insertions(+), 15 deletions(-) + +commit 7749496c3667613ea505823948c0f4f4d9c1d90c +Author: Brad Spengler +Date: Sun Sep 22 18:14:07 2013 -0400 + + Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" + + This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. + + Signed-off-by: Brad Spengler + + net/netlink/genetlink.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit 4463e68a60d4fb557d37f993f42e3039041550fc +Author: Brad Spengler +Date: Sun Sep 15 09:19:21 2013 -0400 + + remove unnecessary check from when protocol was signed + + Signed-off-by: Brad Spengler + + net/phonet/af_phonet.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit efafe8039b3287f73e0abcb4f7be18e83a5c9a2e +Author: Brad Spengler +Date: Sun Sep 15 08:53:27 2013 -0400 + + resync with PaX + + Signed-off-by: Brad Spengler + + security/selinux/hooks.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 79b41d988ecb86d7dd46f3319b50f4c4d46e65a7 +Author: Brad Spengler +Date: Sat Sep 14 21:12:45 2013 -0400 + + Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) + + Signed-off-by: Brad Spengler + + lib/Kconfig.debug | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0f3840d1103e4bf77d4e2098afc4750bb6440ecc +Author: Brad Spengler +Date: Sat Sep 14 19:16:48 2013 -0400 + + Fix a bad git merge, re-applied a previously reverted patch + + Signed-off-by: Brad Spengler + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit c5f66cfeabad4b64a521d1442f7ea9149c011320 +Author: Brad Spengler +Date: Sat Sep 14 16:56:37 2013 -0400 + + finish porting namei.c + + Signed-off-by: Brad Spengler + + fs/namei.c | 50 +++++++++++--------------------------------------- + 1 files changed, 11 insertions(+), 39 deletions(-) + +commit c264c5b4c33c462b41d224091602fe5c9acb163b +Author: Brad Spengler +Date: Sat Sep 14 16:44:08 2013 -0400 + + cred->user -> current_user() + + Signed-off-by: Brad Spengler + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit af7bdc7d41a1a8b631802772088968ceacd0d6b4 +Author: Brad Spengler +Date: Sat Sep 14 16:36:24 2013 -0400 + + Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 00eb4028fcc737e2451332e3177705913c9b1bb1 +Author: Brad Spengler +Date: Thu Sep 5 19:36:23 2013 -0400 + + fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 7adc4a28e2a0ef38f89bbd648a2e1ba70cad852e +Author: Brad Spengler +Date: Thu Sep 5 19:17:02 2013 -0400 + + Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) + + Signed-off-by: Brad Spengler + + grsecurity/grsec_sysctl.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit 472e0e1d1516b3002ce1e256dfcd58701358d5f8 +Author: Brad Spengler +Date: Thu Sep 5 18:41:49 2013 -0400 + + Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts + + Also eliminate reset_security_ops() as a ROP target when + SECURITY_SELINUX_DISABLE is disabled as it's the only user + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 17 ++++++++++++++++- + grsecurity/grsec_init.c | 3 +++ + grsecurity/grsec_sysctl.c | 2 +- + 3 files changed, 20 insertions(+), 2 deletions(-) + +commit 92745146ec948d5761ac00f98c4a1612c8e6037e +Author: Brad Spengler +Date: Fri Aug 30 17:11:11 2013 -0400 + + fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast + + Signed-off-by: Brad Spengler + + grsecurity/grsec_sysctl.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit eac5b7076235de7b21757cab257415ab779cc7c8 +Author: Brad Spengler +Date: Wed Aug 28 20:42:39 2013 -0400 + + add export of gr_handle_new_usb() + + Signed-off-by: Brad Spengler + + grsecurity/grsec_usb.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 8e4ea40613a9763d1dc128fdf29c0279001b5e04 +Author: Brad Spengler +Date: Wed Aug 28 19:24:47 2013 -0400 + + Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it + + Signed-off-by: Brad Spengler + + drivers/usb/core/hub.c | 5 +++++ + grsecurity/Kconfig | 20 ++++++++++++++++++++ + grsecurity/Makefile | 3 ++- + grsecurity/grsec_init.c | 1 + + grsecurity/grsec_sysctl.c | 11 +++++++++++ + grsecurity/grsec_usb.c | 13 +++++++++++++ + include/linux/grinternal.h | 1 + + include/linux/grsecurity.h | 2 ++ + 8 files changed, 55 insertions(+), 1 deletions(-) + +commit 0996966348dc3c3f7515567d3245292785d484fc +Author: Kees Cook +Date: Wed Aug 14 09:14:34 2013 -0700 + + HID: steelseries: validate output report details + + A HID device could send a malicious output report that would cause the + steelseries HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 + ... + [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + + CVE-2013-2891 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-steelseries.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 91bfda18a5711db32c984c632f47fa57458d993a +Author: Kees Cook +Date: Thu Aug 15 23:21:23 2013 -0700 + + HID: lenovo-tpkbd: validate output report details + + A HID device could send a malicious output report that would cause the + lenovo-tpkbd HID driver to write just beyond the output report allocation + during initialization, causing a heap overflow: + + [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 + ... + [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2894 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 8aeb7645473b408fc6b2bd78a72671351fc8e684 +Author: Kees Cook +Date: Fri Aug 16 00:11:32 2013 -0700 + + HID: multitouch: validate feature report details + + When working on report indexes, always validate that they are in bounds. + Without this, a HID device could report a malicious feature report that + could trick the driver into a heap overflow: + + [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 + ... + [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2897 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 files changed, 20 insertions(+), 5 deletions(-) + +commit 1a624940a4733c04c0f997820c1dcd1eebfcd5bc +Author: Brad Spengler +Date: Mon Aug 19 22:10:04 2013 -0400 + + fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs + + Signed-off-by: Brad Spengler + + arch/x86/kernel/smpboot.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit acca67efb4aeee03672b5d2947da311dcfc2a1d6 +Author: Brad Spengler +Date: Sat Aug 17 12:00:20 2013 -0400 + + make kallsyms_lookup_size_offset available to approved source files + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit cb33df1c5ce5f74fcb7d4a2f5b2d07d54d4e1fd8 +Author: Brad Spengler +Date: Sat Aug 17 11:18:09 2013 -0400 + + allow use of kallsyms_lookup_name to approved source files + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 72e55282becb58c925f9034fe717cad96f7fc51d +Author: Johannes Berg +Date: Tue Aug 13 09:04:05 2013 +0200 + + Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db + + genetlink: fix family dump race + + When dumping generic netlink families, only the first dump call + is locked with genl_lock(), which protects the list of families, + and thus subsequent calls can access the data without locking, + racing against family addition/removal. This can cause a crash. + Fix it - the locking needs to be conditional because the first + time around it's already locked. + + A similar bug was reported to me on an old kernel (3.4.47) but + the exact scenario that happened there is no longer possible, + on those kernels the first round wasn't locked either. Looking + at the current code I found the race described above, which had + also existed on the old kernel. + + Cc: stable@vger.kernel.org + Reported-by: Andrei Otcheretianski + Signed-off-by: Johannes Berg + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/netlink/genetlink.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 2f8d8b1de901cce7ac5a5dc4f3b8731ba58653d9 +Author: Brad Spengler +Date: Sat Aug 17 08:58:34 2013 -0400 + + Fix two harmless compiler warnings + + Signed-off-by: Brad Spengler + + arch/arm/kernel/process.c | 4 ++-- + fs/exec.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit c414e04ef91fca7dfd260ae307272b1b9a29d1bd +Author: Brad Spengler +Date: Fri Aug 16 22:46:01 2013 -0400 + + Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 2 +- + kernel/kprobes.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletions(-) + +commit b11ccf0d90b1244a91e0422ecd1a1b4918384ff7 +Author: Brad Spengler +Date: Sat Aug 10 09:41:40 2013 -0400 + + propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages + + Signed-off-by: Brad Spengler + + arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit 81c244a4d186918eb5bde824945878803fb5aeeb +Author: Brad Spengler +Date: Mon Aug 5 17:58:42 2013 -0400 + + Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 + + Signed-off-by: Brad Spengler + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0f32f992d91442e87628fa805f488c2431930df7 +Author: Brad Spengler +Date: Mon Aug 5 17:26:40 2013 -0400 + + Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. + + Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to + user namespaces! + + Signed-off-by: Brad Spengler + + kernel/fork.c | 17 ----------------- + kernel/user_namespace.c | 15 +++++++++++++++ + 2 files changed, 15 insertions(+), 17 deletions(-) + +commit b570e8d61ff1670d0737acd9919316ac32fce732 +Author: Brad Spengler +Date: Mon Aug 5 16:05:41 2013 -0400 + + silence a warning on older gcc + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f580da3b1ddbecc3f65a7957986742bea34c5851 +Author: Brad Spengler +Date: Sat Aug 3 08:31:08 2013 -0400 + + we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs + + Signed-off-by: Brad Spengler + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a2b23c36d322e9ebea5621652b77ad2569a3826d +Author: Brad Spengler +Date: Fri Aug 2 23:54:51 2013 -0400 + + add include + + Signed-off-by: Brad Spengler + + grsecurity/grsec_log.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit ecb7724fd1bcd4fa57059d6297d4f74d4ec93fe6 +Author: Brad Spengler +Date: Fri Aug 2 23:49:13 2013 -0400 + + fix compilation + + Signed-off-by: Brad Spengler + + include/linux/grinternal.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit a2d7b00383303a5d537e64519dbd31d51645d28e +Author: Brad Spengler +Date: Fri Aug 2 23:34:35 2013 -0400 + + Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping + + Signed-off-by: Brad Spengler + + fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ + fs/exec.c | 4 ++++ + grsecurity/Kconfig | 21 +++++---------------- + grsecurity/grsec_init.c | 4 ---- + grsecurity/grsec_log.c | 14 ++++++++++++++ + grsecurity/grsec_pax.c | 19 ++++++++++++++----- + grsecurity/grsec_sysctl.c | 9 --------- + include/linux/binfmts.h | 1 + + include/linux/grinternal.h | 2 +- + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 3 ++- + mm/mmap.c | 7 +++++++ + mm/mprotect.c | 2 +- + 13 files changed, 88 insertions(+), 38 deletions(-) + +commit 9513c974076339e5b4ba8974b50fd3e9fe18a0d8 +Author: Brad Spengler +Date: Thu Aug 1 18:52:02 2013 -0400 + + add missing #define + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 97af65d0dbfaf8680a7f9a17c45a10892fe907d0 +Author: Brad Spengler +Date: Thu Aug 1 18:43:53 2013 -0400 + + fix compilation for !COMPAT as reported on the forums + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- + 1 files changed, 97 insertions(+), 98 deletions(-) + +commit b2362a07aecb8b86d3dd5e0696ea6dc546ea3144 +Author: Brad Spengler +Date: Wed Jul 31 17:47:20 2013 -0400 + + Revert "revert recent PaX change that causes boot failures with 32bit userland" + + This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. + + Signed-off-by: Brad Spengler + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 9c0a788e099e0a78bb83961bf02d82ac2c32e21c +Author: Brad Spengler +Date: Wed Jul 31 16:26:58 2013 -0400 + + compile fix for !COMPAT as mentioned on forums + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 1975575638ae15faba25f749a9040345a73e12e1 +Author: Brad Spengler +Date: Tue Jul 30 22:33:14 2013 -0400 + + perform compat conversion of rlimit infinity + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 1282e76e8da58821760a5519cd7bd2510ad7deaf +Author: Brad Spengler +Date: Tue Jul 30 22:21:40 2013 -0400 + + remove debugging + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- + 1 files changed, 11 insertions(+), 33 deletions(-) + +commit 6aa728a7c77d5fe62dd0b731e76b518f85db7808 +Author: Brad Spengler +Date: Tue Jul 30 22:20:32 2013 -0400 + + eliminate compat_dev_t + + Signed-off-by: Brad Spengler + + include/linux/gracl_compat.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 176f65b9498eb83576294934d94bb80f3830e99a +Author: Brad Spengler +Date: Tue Jul 30 22:13:22 2013 -0400 + + fix compat rlimit size + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- + include/linux/gracl_compat.h | 4 +- + 2 files changed, 49 insertions(+), 23 deletions(-) + +commit f039eddf22e143d336421325eb689a76227956b3 +Author: Brad Spengler +Date: Tue Jul 30 21:20:18 2013 -0400 + + compile fix + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 4594be163c41c9a400f0b377e6c35d8fb5599387 +Author: Brad Spengler +Date: Tue Jul 30 21:14:29 2013 -0400 + + copy correct pointer size in new compat code + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 8 ++++---- + grsecurity/gracl_compat.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 54a18c9ea152b14381ed3fb4b0a86ef78bd611af +Author: Brad Spengler +Date: Tue Jul 30 19:15:50 2013 -0400 + + compile fix + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 166e0c9ff369a931bec65abda32811bb0b548506 +Author: Brad Spengler +Date: Tue Jul 30 19:12:46 2013 -0400 + + remove BUILD_BUG_ONs + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 20 -------------------- + 1 files changed, 0 insertions(+), 20 deletions(-) + +commit ee1e4712f5b32f43da0130efedbeb158d7f63562 +Author: Brad Spengler +Date: Tue Jul 30 00:18:36 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 8 ++++---- + include/linux/gracl_compat.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit a629a151f557380fed415b226fe5e0e234a285eb +Author: Brad Spengler +Date: Tue Jul 30 00:16:42 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_compat.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 218c33ffd6a34fe09037784138dda02b817c1c20 +Author: Brad Spengler +Date: Tue Jul 30 00:13:51 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit e7291feaff2e3dd3d4d01016419cc1dd16ab9658 +Author: Brad Spengler +Date: Tue Jul 30 00:11:03 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 527c8e008b6729ad595c652119128c0a858c0f7e +Author: Brad Spengler +Date: Tue Jul 30 00:08:21 2013 -0400 + + more compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 28 ++++++++++++++-------------- + 1 files changed, 14 insertions(+), 14 deletions(-) + +commit 0a6c24237be46318780bd5aa0a0c37837336e40a +Author: Brad Spengler +Date: Mon Jul 29 23:59:50 2013 -0400 + + more compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit 0c11bf85db37db5667cfb61caf0c72e8437e4197 +Author: Brad Spengler +Date: Mon Jul 29 23:56:47 2013 -0400 + + additional compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 files changed, 49 insertions(+), 10 deletions(-) + +commit c32fb26e578c2b1b98654e72ceeafc58906acf06 +Author: Brad Spengler +Date: Mon Jul 29 23:47:15 2013 -0400 + + fix typo + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 80bb153435dac25476b0da4a61238b229ba2b631 +Author: Brad Spengler +Date: Mon Jul 29 23:46:59 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 14 deletions(-) + +commit d7f8a40e0fc1dc1466a271ac33074b6f90226a1a +Author: Brad Spengler +Date: Mon Jul 29 23:22:44 2013 -0400 + + Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel + + Also removed code duplication for copying strings into the kernel + + Work performed as part of sponsorship + + Signed-off-by: Brad Spengler + + grsecurity/Makefile | 4 + + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- + grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ + include/linux/gracl_compat.h | 156 +++++++++++++++++++++ + 4 files changed, 603 insertions(+), 142 deletions(-) + +commit 00e035016762dfa49b15cf310ab57fc7011fb4dd +Author: Brad Spengler +Date: Tue Jul 16 20:40:24 2013 -0400 + + allow viewing of ecryptfs version under SYSFS_RESTRICT + + Signed-off-by: Brad Spengler + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a144fc9f2f2f6a1d5999b6bd226d964b8b551e31 +Author: Brad Spengler +Date: Sun Jul 14 11:49:17 2013 -0400 + + Update PaX fix, just return the error + + Signed-off-by: Brad Spengler + + mm/madvise.c | 11 +++++------ + 1 files changed, 5 insertions(+), 6 deletions(-) + +commit 26dd795769f903add193b605f051bed55bf95507 +Author: Brad Spengler +Date: Sun Jul 14 11:36:00 2013 -0400 + + Fix madvise oops reported by Peter Keel + + Signed-off-by: Brad Spengler + + mm/madvise.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit c441e54c74284d2dac3aaaf282391f6572239e24 +Author: Brad Spengler +Date: Tue Jul 9 22:04:59 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + fs/exec.c | 2 +- + mm/mmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit ecea885713f4d818032182d839c86dc74ac95b04 +Author: Brad Spengler +Date: Sat Sep 14 16:15:10 2013 -0400 + + Initial port of grsecurity to 3.11 using new git method + + Signed-off-by: Brad Spengler + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 3 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 12 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 1 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 128 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/cdrom/cdrom.c | 2 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 9 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 184 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 256 ++- + fs/namespace.c | 16 + + fs/open.c | 38 + + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 166 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/perf_event.h | 13 +- + include/linux/printk.h | 3 +- + include/linux/sched.h | 24 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 29 + + kernel/capability.c | 40 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 64 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 2 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 7 + + kernel/printk/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 69 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 1 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 63 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev_ioctl.c | 4 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 4 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netrom/af_netrom.c | 1 - + net/phonet/af_phonet.c | 2 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 341 +++- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 228 files changed, 4141 insertions(+), 2027 deletions(-) + +commit 62c18efae524d4cd41939c1d63989d3582b1131a +Author: Brad Spengler +Date: Tue Jul 9 20:57:40 2013 -0400 + + Commit merge of new files and rejected patches + + Signed-off-by: Brad Spengler + + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/kernel/process.c | 4 +- + arch/powerpc/include/asm/thread_info.h | 7 +- + arch/powerpc/mm/slice.c | 2 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/x86/kernel/vm86_32.c | 15 + + fs/coredump.c | 1 + + fs/ext4/balloc.c | 4 +- + fs/namei.c | 7 + + fs/namespace.c | 8 + + fs/pipe.c | 2 +- + fs/proc/inode.c | 13 + + fs/proc/internal.h | 3 + + grsecurity/Kconfig | 1054 +++++++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 ++++ + grsecurity/gracl_ip.c | 387 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 434 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 +++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 +++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 246 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/gracl.h | 319 +++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 ++ + include/linux/grinternal.h | 227 ++ + include/linux/grmsg.h | 112 + + include/linux/grsecurity.h | 241 ++ + include/linux/grsock.h | 19 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/proc_fs.h | 13 + + include/linux/sched.h | 48 +- + include/trace/events/fs.h | 53 + + kernel/kmod.c | 7 +- + kernel/panic.c | 2 +- + kernel/posix-timers.c | 1 + + kernel/time/timekeeping.c | 2 + + lib/Kconfig.debug | 2 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/mmap.c | 13 +- + mm/shmem.c | 2 +- + net/core/net-procfs.c | 5 + + net/ipv6/udp.c | 3 + + net/netfilter/xt_gradm.c | 51 + + 66 files changed, 11184 insertions(+), 21 deletions(-) + +commit 718ed34658f4e4716ff3c9e6d098552d357d19f1 +Author: Brad Spengler +Date: Sun Nov 24 20:58:05 2013 -0500 + + Initial import of pax-linux-3.12.1-test1.patch + + Documentation/dontdiff | 46 +- + Documentation/kernel-parameters.txt | 23 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 444 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 3 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 54 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 95 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 110 +- + arch/arm/kernel/entry-common.S | 40 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 3 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/module.c | 31 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/process.c | 42 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 35 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 24 +- + arch/arm/kvm/arm.c | 8 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 4 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 6 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/context.c | 10 +- + arch/arm/mm/fault.c | 134 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 185 +- + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 728 ++- + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/local.h | 57 + + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/include/asm/smtc_proc.h | 2 +- + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/irq.c | 6 +- + arch/mips/kernel/process.c | 12 - + arch/mips/kernel/smtc-proc.c | 6 +- + arch/mips/kernel/smtc.c | 2 +- + arch/mips/kernel/sync-r4k.c | 24 +- + arch/mips/kernel/traps.c | 13 +- + arch/mips/mm/fault.c | 25 + + arch/mips/mm/mmap.c | 51 +- + arch/mips/sgi-ip27/ip27-nmi.c | 6 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap.c | 16 + + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/smp_64.c | 12 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 52 +- + arch/sparc/kernel/traps_64.c | 27 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 + + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/sparc/mm/init_64.c | 10 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 16 +- + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 2 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 6 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 22 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 157 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 +- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 8 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 16 +- + arch/x86/include/asm/desc.h | 74 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 8 +- + arch/x86/include/asm/futex.h | 20 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 136 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 124 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 79 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 29 +- + arch/x86/include/asm/smap.h | 64 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/tlbflush.h | 74 +- + arch/x86/include/asm/uaccess.h | 108 +- + arch/x86/include/asm/uaccess_32.h | 96 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xen/page.h | 2 +- + arch/x86/include/asm/xsave.h | 14 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 69 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 130 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 356 +- + arch/x86/kernel/entry_64.S | 666 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 228 +- + arch/x86/kernel/head_64.S | 138 +- + arch/x86/kernel/i386_ksyms_32.c | 12 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 67 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/jump_label.c | 6 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 20 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 42 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/relocate_kernel_64.S | 5 +- + arch/x86/kernel/setup.c | 63 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 28 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 12 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/tracepoint.c | 4 +- + arch/x86/kernel/traps.c | 62 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 147 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 6 +- + arch/x86/kernel/x86_init.c | 6 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 63 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 89 +- + arch/x86/lib/copy_user_nocache_64.S | 22 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 8 +- + arch/x86/lib/getuser.S | 74 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 22 +- + arch/x86/lib/memmove_64.S | 36 +- + arch/x86/lib/memset_64.S | 11 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 359 +- + arch/x86/lib/usercopy_64.c | 18 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 564 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 101 +- + arch/x86/mm/init_32.c | 111 +- + arch/x86/mm/init_64.c | 45 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 36 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 139 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/mm/uderef_64.c | 37 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 38 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 3 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 45 +- + arch/x86/xen/mmu.c | 11 +- + arch/x86/xen/smp.c | 21 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-cgroup.c | 4 +- + block/blk-iopoll.c | 2 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 2 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/genhd.c | 9 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 29 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 2 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/apei/ghes.c | 4 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 12 +- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_nl.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/pktcdvd.c | 4 +- + drivers/bluetooth/btwilink.c | 2 +- + drivers/bus/arm-cci.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 43 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clk/socfpga/clk.c | 9 +- + drivers/cpufreq/acpi-cpufreq.c | 13 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 4 +- + drivers/cpufreq/cpufreq_ondemand.c | 10 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 67 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/crypto/hifn_795x.c | 4 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdmac.c | 2 +- + drivers/edac/edac_device.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci.c | 4 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 6 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 2 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 8 +- + drivers/gpu/drm/drm_fops.c | 16 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 20 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- + drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- + drivers/gpu/drm/qxl/qxl_drv.h | 8 +- + drivers/gpu/drm/qxl/qxl_irq.c | 16 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/gpu/host1x/drm/dc.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hid/uhid.c | 6 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hv_balloon.c | 18 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mcg.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- + drivers/infiniband/hw/mthca/mthca_main.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- + drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/misc/ims-pcu.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/input/serio/serio_raw.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_common.c | 2 + + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/isdn/mISDN/dsp_cmx.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bcache/super.c | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stats.c | 6 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 4 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/rc/rc-main.c | 4 +- + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- + drivers/media/v4l2-core/v4l2-device.c | 4 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 67 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/max8925-i2c.c | 2 +- + drivers/mfd/tps65910.c | 2 +- + drivers/mfd/twl4030-irq.c | 9 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/mmci.c | 4 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/usb/sierra_net.c | 4 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wimax/i2400m/rx.c | 2 +- + drivers/net/wireless/airo.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath10k/htc.c | 7 +- + drivers/net/wireless/ath/ath10k/htc.h | 4 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/b43/phy_lp.c | 2 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/nfc/nfcwilink.c | 2 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 6 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/msi-wmi.c | 2 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/core.c | 4 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/android/timed_output.c | 6 +- + drivers/staging/gdm724x/gdm_tty.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/target/sbp/sbp_target.c | 4 +- + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/hvc/hvsi.c | 12 +- + drivers/tty/hvc/hvsi_lib.c | 6 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/ioc4_serial.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/msm_serial.c | 4 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 8 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 15 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 6 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/dwc3/gadget.c | 2 - + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/host/ehci-hub.c | 4 +- + drivers/usb/misc/appledisplay.c | 4 +- + drivers/usb/serial/console.c | 8 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vfio/vfio.c | 2 +- + drivers/vhost/vringh.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbmem.c | 6 +- + drivers/video/hyperv_fb.c | 4 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/afs/inode.c | 4 +- + fs/aio.c | 2 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 6 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 656 ++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/delayed-inode.c | 6 +- + fs/btrfs/delayed-inode.h | 4 +- + fs/btrfs/super.c | 2 +- + fs/buffer.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/ceph/super.c | 4 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 4 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 18 +- + fs/dcache.c | 3 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 +- + fs/ext2/xattr.c | 5 +- + fs/ext3/xattr.c | 5 +- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/ext4/xattr.c | 5 +- + fs/fhandle.c | 3 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 40 +- + fs/fscache/internal.h | 200 +- + fs/fscache/object.c | 26 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hostfs/hostfs_kern.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 16 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 2 +- + fs/ntfs/super.c | 6 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 61 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 12 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 4 +- + fs/splice.c | 41 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_readdir.c | 7 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 16 + + include/asm-generic/uaccess.h | 16 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/i915_pciids.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/audit.h | 2 +- + include/linux/binfmts.h | 3 +- + include/linux/bitops.h | 4 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 8 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 4 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 12 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fdtable.h | 2 +- + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 4 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 12 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/jiffies.h | 12 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/linkage.h | 1 + + include/linux/list.h | 15 + + include/linux/math64.h | 10 +- + include/linux/mempolicy.h | 7 + + include/linux/mm.h | 118 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-ohci-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/preempt.h | 19 + + include/linux/proc_ns.h | 2 +- + include/linux/quota.h | 2 +- + include/linux/random.h | 19 +- + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 67 +- + include/linux/sched/sysctl.h | 1 + + include/linux/security.h | 2 - + include/linux/semaphore.h | 2 +- + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 48 +- + include/linux/slab_def.h | 14 +- + include/linux/slub_def.h | 2 +- + include/linux/smp.h | 2 + + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 18 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 9 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 9 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-device.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 17 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 20 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 4 +- + include/net/netns/ipv6.h | 4 +- + include/net/ping.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 13 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 42 +- + init/main.c | 77 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 10 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 38 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 30 +- + kernel/events/internal.h | 12 +- + kernel/events/uprobes.c | 2 +- + kernel/exit.c | 4 +- + kernel/fork.c | 166 +- + kernel/futex.c | 11 +- + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 2 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 10 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 24 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 76 +- + kernel/rcutree.h | 26 +- + kernel/rcutree_plugin.h | 30 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 49 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 12 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 14 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_clock.c | 4 +- + kernel/trace/trace_events.c | 1 - + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/percpu-refcount.c | 2 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 10 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 3 +- + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 +- + mm/mempolicy.c | 25 + + mm/mlock.c | 15 +- + mm/mmap.c | 591 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 42 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 44 +- + mm/shmem.c | 19 +- + mm/slab.c | 108 +- + mm/slab.h | 15 +- + mm/slab_common.c | 60 +- + mm/slob.c | 206 +- + mm/slub.c | 88 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 2 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 75 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 2 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 4 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/ceph/messenger.c | 4 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/netpoll.c | 4 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/skbuff.c | 6 +- + net/core/sock.c | 28 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ieee802154/6lowpan.c | 2 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 14 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 20 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 18 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/af_inet6.c | 2 +- + net/ipv6/datagram.c | 2 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/output_core.c | 15 +- + net/ipv6/ping.c | 28 +- + net/ipv6/raw.c | 17 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 6 +- + net/ipv6/xfrm6_policy.c | 17 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 10 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 8 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/auth_gss/svcauth_gss.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/svcauth_unix.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 4 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 22 +- + net/xfrm/xfrm_state.c | 33 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/module-common.lds | 4 + + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 690 ++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/avc.c | 6 +- + security/selinux/hooks.c | 11 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/hda/hda_codec.c | 8 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 2 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 172 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 560 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 471 ++ + tools/gcc/latent_entropy_plugin.c | 335 + + tools/gcc/size_overflow_hash.data | 7613 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 3840 ++++++++++ + tools/gcc/stackleak_plugin.c | 327 + + tools/gcc/structleak_plugin.c | 277 + + tools/lib/lk/Makefile | 2 +- + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1701 files changed, 36050 insertions(+), 7719 deletions(-) +commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466 +Author: Brad Spengler +Date: Sun Nov 24 17:50:21 2013 -0500 + + remove unnecessary code/comments after new reload method + + grsecurity/gracl.c | 4 ---- + grsecurity/gracl_policy.c | 13 ------------- + 2 files changed, 0 insertions(+), 17 deletions(-) + +commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d +Author: Brad Spengler +Date: Sun Nov 24 16:05:01 2013 -0500 + + Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous + features have been added since then) + + Introduce new atomic RBAC reload method, developed as part of sponsorship + by EIG + + This is accompanied by an updated 3.0 gradm which will use the new reload + method when -R is passed to gradm. The old method will still be available + via gradm -r (which is what a 2.9.1 gradm will continue to use). + + The new RBAC reload method is atomic in the sense that at no point in the + reload process will the system not be covered by a coherent full policy. + In contrast to previous reload behavior, it also preserves inherited subjects + and special roles. + + The old RBAC reload method has also been made atomic. Both methods have + been updated to perform role_allowed_ip checks only against the IP tagged + to the task at the time its role was first applied or changed. This resolves + long-standing usability problems with the use of role_allowed_ip and matches + the policies created by learning. + + grsecurity/Makefile | 2 +- + grsecurity/gracl.c | 3903 +++++++++++++------------------------------ + grsecurity/gracl_alloc.c | 42 +- + grsecurity/gracl_compat.c | 3 +- + grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ + grsecurity/gracl_segv.c | 12 +- + grsecurity/grsec_disabled.c | 7 - + grsecurity/grsec_init.c | 15 - + include/linux/gracl.h | 43 +- + include/linux/grinternal.h | 1 - + include/linux/grsecurity.h | 1 - + include/linux/sched.h | 2 + + 12 files changed, 3082 insertions(+), 2787 deletions(-) + +commit d8981a4fd03025434a466fd87a0eaea93755bc70 +Author: Brad Spengler +Date: Sun Nov 24 15:08:28 2013 -0500 + + compile fix for recent GRKERNSEC_CHROOT_INITRD change + + init/main.c | 12 +++--------- + 1 files changed, 3 insertions(+), 9 deletions(-) + +commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f +Author: Brad Spengler +Date: Sat Nov 23 18:27:37 2013 -0500 + + Make the recent usermode_helper protection race-free as far as userland + is concerned by creating a copy of the path to be executed, then check against + that copied path instead of the still-mutable original path + + include/linux/kmod.h | 3 +++ + kernel/kmod.c | 13 +++++++++++++ + 2 files changed, 16 insertions(+), 0 deletions(-) + +commit ecdd0610bef058fd33fee50b489d949c1a0db07a +Author: Brad Spengler +Date: Sat Nov 23 17:20:15 2013 -0500 + + Produce a UDEREF message when faulting on kernel access to a non-present + page in the userland range. This is purely for consistency of logs, + due to there being no domain present to fault based on. An + "Unable to handle kernel fault.." oops would already (and still is) + generated for these cases, triggering grsec's bruteforce prevention. + + Reported by acez on IRC + + arch/arm/mm/fault.c | 11 +++++++++++ + 1 files changed, 11 insertions(+), 0 deletions(-) + +commit 3f4adfade80bba0d865b5c603bd58da555ca4553 +Author: Brad Spengler +Date: Sat Nov 23 16:56:46 2013 -0500 + + Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, + Also make sure we mark init as run if no initrd was used. Though this + should already be enforced in grsec_chroot.c, this should future-proof + the feature a bit in case userland somehow changes drastically. + + Conflicts: + + init/main.c + + grsecurity/Kconfig | 2 +- + grsecurity/grsec_chroot.c | 2 +- + init/main.c | 15 +++++++++++++++ + 3 files changed, 17 insertions(+), 2 deletions(-) + +commit d4a9bb63091852b5b49ebd216796b374e5c0dc71 +Author: Brad Spengler +Date: Sat Nov 23 16:33:20 2013 -0500 + + limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected + + kernel/kmod.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit e727db195f8bed17c65d050e1772643d730fe565 +Author: Brad Spengler +Date: Sat Nov 23 16:02:01 2013 -0500 + + perform USERCOPY kernel text checks against the linear mapping on amd64 as well + + fs/exec.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb +Merge: 2fcc3a5 2d1263b +Author: Brad Spengler +Date: Fri Nov 22 21:11:44 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1 +Merge: d52f291 e0cd057 +Author: Brad Spengler +Date: Fri Nov 22 21:11:33 2013 -0500 + + Merge branch 'linux-3.11.y' into pax-test + + Conflicts: + drivers/net/ethernet/chelsio/cxgb3/sge.c + +commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972 +Author: Brad Spengler +Date: Fri Nov 22 20:31:37 2013 -0500 + + Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" + + This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. + + It caused errors with traceroute, reported to upstream and fixed with + http://patchwork.ozlabs.org/patch/293614/ + But there's no reason for us to maintain this backport as we're + already impervious to recvmsg/msg_name infoleaks + + Conflicts: + + net/ipv4/ping.c + + net/ieee802154/dgram.c | 3 ++- + net/ipv4/ping.c | 11 +++++++++-- + net/ipv4/raw.c | 4 +++- + net/ipv4/udp.c | 7 ++++++- + net/ipv6/raw.c | 4 +++- + net/ipv6/udp.c | 5 ++++- + net/l2tp/l2tp_ip.c | 4 +++- + net/phonet/datagram.c | 9 +++++---- + 8 files changed, 35 insertions(+), 12 deletions(-) + +commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b +Author: Hannes Frederic Sowa +Date: Mon Nov 18 07:07:45 2013 +0100 + + Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 + + ping: prevent NULL pointer dereference on write to msg_name + + A plain read() on a socket does set msg->msg_name to NULL. So check for + NULL pointer first. + + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv4/ping.c | 34 +++++++++++++++++++--------------- + 1 files changed, 19 insertions(+), 15 deletions(-) + +commit 8bb32f2682953e1b748a59c4a4363b237c3510df +Author: Hannes Frederic Sowa +Date: Mon Nov 18 04:20:45 2013 +0100 + + Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 + + inet: prevent leakage of uninitialized memory to user in recv syscalls + + Only update *addr_len when we actually fill in sockaddr, otherwise we + can return uninitialized memory from the stack to the caller in the + recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) + checks because we only get called with a valid addr_len pointer either + from sock_common_recvmsg or inet_recvmsg. + + If a blocking read waits on a socket which is concurrently shut down we + now return zero and set msg_msgnamelen to 0. + + Reported-by: mpb + Suggested-by: Eric Dumazet + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ieee802154/dgram.c | 3 +-- + net/ipv4/ping.c | 19 +++++++------------ + net/ipv4/raw.c | 4 +--- + net/ipv4/udp.c | 7 +------ + net/ipv6/raw.c | 4 +--- + net/ipv6/udp.c | 5 +---- + net/l2tp/l2tp_ip.c | 4 +--- + net/phonet/datagram.c | 9 ++++----- + 8 files changed, 17 insertions(+), 38 deletions(-) + +commit 642d754081c130a151e7df27e5c07edf2f368106 +Author: Jeff Layton +Date: Wed Nov 13 09:08:21 2013 -0500 + + Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 + + nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once + + Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or + NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. + There is no guarantee that doing so will work however, so we can end up + retrying the call in an infinite loop. + + Worse yet, we create the new client using rpc_clone_client_set_auth, + which creates the new client as a child of the old one. Thus, we can end + up with a *very* long lineage of rpc_clnts. When we go to put all of the + references to them, we can end up with a long call chain that can smash + the stack as each rpc_free_client() call can recurse back into itself. + + This patch fixes this by simply ensuring that the SETCLIENTID call will + only be retried in this situation if the last attempt did not use + RPC_AUTH_UNIX. + + Note too that with this change, we don't need the (i > 2) check in the + -EACCES case since we now have a more reliable test as to whether we + should reattempt. + + Cc: stable@vger.kernel.org # v3.10+ + Cc: Chuck Lever + Tested-by/Acked-by: Weston Andros Adamson + Signed-off-by: Jeff Layton + Signed-off-by: Trond Myklebust + + fs/nfs/nfs4state.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2 +Author: Chuck Lever +Date: Wed Jul 24 12:28:28 2013 -0400 + + Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e + + NFS: Use root's credential for lease management when keytab is missing + + Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting" + Fri Sep 14 17:24:32 2012 introduced Uniform Client String support, + which forces our NFS client to establish a client ID immediately + during a mount operation rather than waiting until a user wants to + open a file. + + Normally machine credentials (eg. from a keytab) are used to perform + a mount operation that is protected by Kerberos. Before 05fc350, + SETCLIENTID used a machine credential, or fell back to a regular + user's credential if no keytab is available. + + On clients that don't have a keytab, performing SETCLIENTID early + means there's no user credential to fall back on, since no regular + user has kinit'd yet. 05f4c350 seems to have broken the ability + to mount with sec=krb5 on clients that don't have a keytab in + kernels 3.7 - 3.10. + + To address this regression, commit 4edaa308 (NFS: Use "krb5i" to + establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013, + was merged in 3.10. This commit forces the NFS client to fall back + to AUTH_SYS for lease management operations if no keytab is + available. + + Neil Brown noticed that, since root is required to kinit to do a + sec=krb5 mount when a client doesn't have a keytab, we can try to + use root's Kerberos credential before AUTH_SYS. + + Now, when determining a principal and flavor to use for lease + management, the NFS client tries in this order: + + 1. Flavor: AUTH_GSS, krb5i + Principal: service principal (via keytab) + + 2. Flavor: AUTH_GSS, krb5i + Principal: user principal established for UID 0 (via kinit) + + 3. Flavor: AUTH_SYS + Principal: UID 0 / GID 0 + + Signed-off-by: Chuck Lever + Signed-off-by: Trond Myklebust + + fs/nfs/nfs4state.c | 19 ++++++++++++++++++- + 1 files changed, 18 insertions(+), 1 deletions(-) + +commit 6ebab64904f37af82e950b0c6d321437e810b248 +Author: Trond Myklebust +Date: Tue Nov 12 17:24:36 2013 -0500 + + Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b + + SUNRPC: Avoid deep recursion in rpc_release_client + + In cases where an rpc client has a parent hierarchy, then + rpc_free_client may end up calling rpc_release_client() on the + parent, thus recursing back into rpc_free_client. If the hierarchy + is deep enough, then we can get into situations where the stack + simply overflows. + + The fix is to have rpc_release_client() loop so that it can take + care of the parent rpc client hierarchy without needing to + recurse. + + Reported-by: Jeff Layton + Reported-by: Weston Andros Adamson + Reported-by: Bruce Fields + Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com + Cc: stable@vger.kernel.org + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 29 +++++++++++++++++------------ + 1 files changed, 17 insertions(+), 12 deletions(-) + +commit fcb4306973aed105cc6d042077bf31e21b812008 +Author: Trond Myklebust +Date: Fri Nov 8 16:03:50 2013 -0500 + + Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 + + SUNRPC: Fix a data corruption issue when retransmitting RPC calls + + The following scenario can cause silent data corruption when doing + NFS writes. It has mainly been observed when doing database writes + using O_DIRECT. + + 1) The RPC client uses sendpage() to do zero-copy of the page data. + 2) Due to networking issues, the reply from the server is delayed, + and so the RPC client times out. + + 3) The client issues a second sendpage of the page data as part of + an RPC call retransmission. + + 4) The reply to the first transmission arrives from the server + _before_ the client hardware has emptied the TCP socket send + buffer. + 5) After processing the reply, the RPC state machine rules that + the call to be done, and triggers the completion callbacks. + 6) The application notices the RPC call is done, and reuses the + pages to store something else (e.g. a new write). + + 7) The client NIC drains the TCP socket send buffer. Since the + page data has now changed, it reads a corrupted version of the + initial RPC call, and puts it on the wire. + + This patch fixes the problem in the following manner: + + The ordering guarantees of TCP ensure that when the server sends a + reply, then we know that the _first_ transmission has completed. Using + zero-copy in that situation is therefore safe. + If a time out occurs, we then send the retransmission using sendmsg() + (i.e. no zero-copy), We then know that the socket contains a full copy of + the data, and so it will retransmit a faithful reproduction even if the + RPC call completes, and the application reuses the O_DIRECT buffer in + the meantime. + + Signed-off-by: Trond Myklebust + Cc: stable@vger.kernel.org + + net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- + 1 files changed, 21 insertions(+), 7 deletions(-) + +commit 2c59d4080ae744532dbe595f6923dcba72279977 +Merge: b2b99c6 d52f291 +Author: Brad Spengler +Date: Mon Nov 18 19:07:55 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d52f291621da9227cda5fd647e82dfe9bfc11265 +Author: Brad Spengler +Date: Mon Nov 18 19:07:14 2013 -0500 + + Update to pax-linux-3.11.8-test14.patch: + - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878) + + mm/page_alloc.c | 2 +- + tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++---------- + 2 files changed, 25 insertions(+), 11 deletions(-) + +commit b2b99c6972e345565d561b722de210f071e5e259 +Author: Brad Spengler +Date: Thu Nov 14 20:47:37 2013 -0500 + + Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e + + ipv6: fix headroom calculation in udp6_ufo_fragment + Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp + fragmentation for tunnel traffic.") changed the calculation if + there is enough space to include a fragment header in the skb from a + skb->mac_header dervived one to skb_headroom. Because we already peeled + off the skb to transport_header this is wrong. Change this back to check + if we have enough room before the mac_header. + + This fixes a panic Saran Neti reported. He used the tbf scheduler which + skb_gso_segments the skb. The offsets get negative and we panic in memcpy + because the skb was erroneously not expanded at the head. + + Reported-by: Saran Neti + Cc: Pravin B Shelar + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/udp_offload.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 012ee7647e16f464f8d1ad004e28eac2ba778158 +Author: Dan Carpenter +Date: Thu Nov 14 11:21:10 2013 +0300 + + Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 + + isdnloop: use strlcpy() instead of strcpy() + + These strings come from a copy_from_user() and there is no way to be + sure they are NUL terminated. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- + 1 files changed, 5 insertions(+), 3 deletions(-) + +commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f +Author: Eric Dumazet +Date: Thu Nov 14 13:37:54 2013 -0800 + + Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf + + ipv4: fix possible seqlock deadlock + + ip4_datagram_connect() being called from process context, + it should use IP_INC_STATS() instead of IP_INC_STATS_BH() + otherwise we can deadlock on 32bit arches, or get corruptions of + SNMP counters. + + Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") + Signed-off-by: Eric Dumazet + Reported-by: Dave Jones + Signed-off-by: David S. Miller + + net/ipv4/datagram.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1a642170613ae336331f2df38aa8f2c1227d3c96 +Merge: 60c6423 84d78c7 +Author: Brad Spengler +Date: Thu Nov 14 20:28:51 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730 +Author: Brad Spengler +Date: Thu Nov 14 20:28:07 2013 -0500 + + Update to pax-linux-3.11.8-test13.patch: + - forward port to 3.11.8 + - removed some no longer used code from bpf jit + - fixed some atomic_unchecked_t usage in oprofile and uio + - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy + + arch/x86/include/asm/mmu_context.h | 8 ++++++++ + arch/x86/kernel/setup.c | 2 +- + drivers/bluetooth/btwilink.c | 2 +- + drivers/md/dm-table.c | 2 +- + drivers/message/i2o/i2o_proc.c | 16 ++++++++-------- + drivers/mfd/max8925-i2c.c | 2 +- + drivers/mfd/tps65910.c | 2 +- + drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- + drivers/net/wireless/airo.c | 2 +- + drivers/net/wireless/b43/phy_lp.c | 2 +- + drivers/nfc/nfcwilink.c | 2 +- + drivers/oprofile/oprofilefs.c | 4 ++-- + drivers/platform/x86/msi-wmi.c | 2 +- + drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++------------- + drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++---- + drivers/usb/serial/console.c | 2 +- + include/linux/filter.h | 4 ---- + kernel/audit.c | 2 +- + 20 files changed, 41 insertions(+), 45 deletions(-) + +commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c +Author: Brad Spengler +Date: Thu Nov 14 20:15:51 2013 -0500 + + GRKERNSEC_HARDEN_IPC should depend on SYSVIPC + + grsecurity/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43 +Author: Brad Spengler +Date: Thu Nov 14 19:07:11 2013 -0500 + + Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS + and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps + make it more obvious that while we make use of domains, CPU_USE_DOMAINS is + disabled as far as the kernel knows + + arch/arm/mm/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba +Author: Brad Spengler +Date: Thu Nov 14 19:01:59 2013 -0500 + + Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research + on overly-permissive shared memory found in hundreds of areas in Linux + distros: + http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ + + Will let this sit in -test for a while to weed out any app incompatibilities + + grsecurity/Kconfig | 17 +++++++++++++++++ + grsecurity/Makefile | 2 +- + grsecurity/grsec_init.c | 4 ++++ + grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ + grsecurity/grsec_sysctl.c | 9 +++++++++ + include/linux/grinternal.h | 1 + + include/linux/grmsg.h | 1 + + ipc/util.c | 5 +++++ + 8 files changed, 60 insertions(+), 1 deletions(-) + +commit 27c3b43bd5ad9c9b877016f26192dbc30da54018 +Merge: 08e883f d0a09ad +Author: Brad Spengler +Date: Wed Nov 13 22:27:13 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d0a09ad6430008135b98da6e1941e98a6110b59e +Merge: 4e826ac 02709ef +Author: Brad Spengler +Date: Wed Nov 13 22:27:03 2013 -0500 + + Merge branch 'linux-3.11.y' into pax-test + +commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1 +Author: Brad Spengler +Date: Mon Nov 11 10:48:10 2013 -0500 + + Fix the overflowable range check just to be correct. + Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt + but I believe this to be unexploitable due to bounds checks on 'count' + from rw_verify_area() in fs/read_write.c + + drivers/video/arcfb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 094c08532f9877a287ffac7a87b05841a56b4e5d +Author: Brad Spengler +Date: Sun Nov 10 22:01:33 2013 -0500 + + Add missing include + + fs/proc/proc_sysctl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e383790f8252620f52895e202cc057c4318da3f4 +Author: Brad Spengler +Date: Sun Nov 10 17:50:12 2013 -0500 + + add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS + option: GRKERNSEC_OLD_ARM_USERLAND + + arch/arm/mm/Kconfig | 2 +- + grsecurity/Kconfig | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletions(-) + +commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26 +Author: Brad Spengler +Date: Sun Nov 10 15:19:27 2013 -0500 + + On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr + was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF + loading). Fix this by setting a proper default on these architectures like set on the LSM-based + mmap_min_addr. + + Thanks to acez from IRC for debugging. + + mm/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 17f832897194f46c4759aa02e048ad5623a04eed +Author: Brad Spengler +Date: Sun Nov 10 13:54:25 2013 -0500 + + Compatibility fix for LXC: + Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, + use a CAP_NET_ADMIN check within the user namespace of the process performing the modification + CAP_SYS_ADMIN is still required for any other sysctl modification, including modification + of sysctls of a net namespace other than our own + + This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's + networking + + Thanks to ncopa from IRC for testing + + fs/proc/proc_sysctl.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20 +Merge: fb281bd 4e826ac +Author: Brad Spengler +Date: Wed Nov 6 17:27:16 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + net/l2tp/l2tp_core.c + +commit 4e826ac763867707352d93b7d23ed86e4c6829cf +Merge: e309bfb 39773be +Author: Brad Spengler +Date: Wed Nov 6 17:26:23 2013 -0500 + + Merge branch 'linux-3.11.y' into pax-test + + Conflicts: + net/compat.c + +commit fb281bdee5ccb76facfe1172318a867b624011f4 +Author: Brad Spengler +Date: Wed Nov 6 16:23:36 2013 -0500 + + Force on DEBUG_LIST so all users can benefit from safe linking/unlinking + + Conflicts: + + security/Kconfig + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a +Author: Brad Spengler +Date: Wed Nov 6 16:19:21 2013 -0500 + + change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel + bruteforce deterrence + + Conflicts: + + lib/list_debug.c + + lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- + 1 files changed, 42 insertions(+), 23 deletions(-) + +commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba +Author: Dan Carpenter +Date: Tue Oct 29 23:01:43 2013 +0300 + + Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 + + Staging: sb105x: info leak in mp_get_count() + + The icount.reserved[] array isn't initialized so it leaks stack + information to userspace. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/staging/sb105x/sb_pci_mp.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de +Author: Dan Carpenter +Date: Tue Oct 29 22:06:04 2013 +0300 + + Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b + + uml: check length in exitcode_proc_write() + + We don't cap the size of buffer from the user so we could write past the + end of the array here. Only root can write to this file. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + arch/um/kernel/exitcode.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit 1285d10ec38f216f3c5de7ce085ce43447c78916 +Author: Jason Wang +Date: Fri Nov 1 15:01:10 2013 +0800 + + Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd + + net: flow_dissector: fail on evil iph->ihl + + We don't validate iph->ihl which may lead a dead loop if we meet a IPIP + skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl + is evil (less than 5). + + This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae + (rps: support IPIP encapsulation). + + Cc: Eric Dumazet + Cc: Petr Matousek + Cc: Michael S. Tsirkin + Cc: Daniel Borkmann + Signed-off-by: Jason Wang + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/core/flow_dissector.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc +Author: Ming Lei +Date: Thu Oct 31 16:34:17 2013 -0700 + + Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75 + + lib/scatterlist.c: don't flush_kernel_dcache_page on slab page + + Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper + functions") introduces two sg buffer copy helpers, and calls + flush_kernel_dcache_page() on pages in SG list after these pages are + written to. + + Unfortunately, the commit may introduce a potential bug: + + - Before sending some SCSI commands, kmalloc() buffer may be passed to + block layper, so flush_kernel_dcache_page() can see a slab page + finally + + - According to cachetlb.txt, flush_kernel_dcache_page() is only called + on "a user page", which surely can't be a slab page. + + - ARCH's implementation of flush_kernel_dcache_page() may use page + mapping information to do optimization so page_mapping() will see the + slab page, then VM_BUG_ON() is triggered. + + Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, + and this patch fixes the bug by adding test of '!PageSlab(miter->page)' + before calling flush_kernel_dcache_page(). + + Signed-off-by: Ming Lei + Reported-by: Aaro Koskinen + Tested-by: Simon Baatz + Cc: Russell King - ARM Linux + Cc: Will Deacon + Cc: Aaro Koskinen + Acked-by: Catalin Marinas + Cc: FUJITA Tomonori + Cc: Tejun Heo + Cc: "James E.J. Bottomley" + Cc: Jens Axboe + Cc: [3.2+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + lib/scatterlist.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4 +Author: Dan Carpenter +Date: Tue Oct 29 23:01:11 2013 +0300 + + Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba + + Staging: bcm: info leak in ioctl + + The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel + information to user space. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/staging/bcm/Bcmchar.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a2ab9d69265a08280241a2f2152e535316d02f53 +Author: Dan Carpenter +Date: Tue Oct 29 22:11:06 2013 +0300 + + Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5 + + aacraid: missing capable() check in compat ioctl + + In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we + added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the + check as well. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/scsi/aacraid/linit.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e +Author: Dan Carpenter +Date: Tue Oct 29 23:00:15 2013 +0300 + + Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054 + + staging: wlags49_h2: buffer overflow setting station name + + We need to check the length parameter before doing the memcpy(). I've + actually changed it to strlcpy() as well so that it's NUL terminated. + + You need CAP_NET_ADMIN to trigger these so it's not the end of the + world. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++--- + 1 files changed, 6 insertions(+), 3 deletions(-) + +commit afd645c1684265260b64ec8189cbc2703b91f6ab +Author: Dan Carpenter +Date: Tue Oct 29 22:07:47 2013 +0300 + + Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15 + + staging: ozwpan: prevent overflow in oz_cdev_write() + + We need to check "count" so we don't overflow the ei->data buffer. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/staging/ozwpan/ozcdev.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 4a907baeb462b7e0f50923be5a9d842aec93c97a +Author: Linus Torvalds +Date: Tue Oct 29 10:21:34 2013 -0700 + + Fixed a little differently than Linus... + + Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 + + Fix a few incorrectly checked [io_]remap_pfn_range() calls + + Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that + really should use the vm_iomap_memory() helper. This trivially converts + two of them to the helper, and comments about why the third one really + needs to continue to use remap_pfn_range(), and adds the missing size + check. + + Reported-by: Nico Golde + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds +Date: Sun Oct 27 15:17:05 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e309bfbf7b506b2294b30233f7a3299173a75cf7 +Author: Hugh Dickins +Date: Wed Oct 16 13:47:09 2013 -0700 + + Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779 + + mm: revert mremap pud_free anti-fix + + Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail + calling pmd_alloc()"). + + The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map() + ensure that the pud, pmd, pt is already allocated, and seldom do they + need to allocate; on failure, upper levels are freed if appropriate by + the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an + unconditional pud_free() of a most-likely still-in-use pud: saved only + by the near-impossiblity of pmd_alloc() failing. + + Signed-off-by: Hugh Dickins + Cc: Chen Gang + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mremap.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit 0970b16a9df08b8cca6929b6443f67df432ac3e5 +Author: Eric Dumazet +Date: Tue Oct 1 21:04:11 2013 -0700 + + Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693 + + net: do not call sock_put() on TIMEWAIT sockets + + commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / + hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. + + We should instead use inet_twsk_put() + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/inet_hashtables.c | 2 +- + net/ipv6/inet6_hashtables.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28 +Author: Andi Kleen +Date: Mon Sep 30 13:29:08 2013 -0700 + + Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645 + + igb: Avoid uninitialized advertised variable in eee_set_cur + + eee_get_cur assumes that the output data is already zeroed. It can + read-modify-write the advertised field: + + if (ipcnfg & E1000_IPCNFG_EEE_100M_AN) + 2594 edata->advertised |= ADVERTISED_100baseT_Full; + + This is ok for the normal ethtool eee_get call, which always + zeroes the input data before. + + But eee_set_cur also calls eee_get_cur and it did not zero the input + field. Later on it then compares agsinst the field, which can contain partial + stack garbage. + + Zero the input field in eee_set_cur() too. + + Cc: jeffrey.t.kirsher@intel.com + Cc: netdev@vger.kernel.org + Signed-off-by: Andi Kleen + Acked-by: Jeff Kirsher + Signed-off-by: David S. Miller + + drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 651730a8caabce37f78d8e6c84283b96e434d19f +Author: Dan Carpenter +Date: Thu Oct 3 00:27:20 2013 +0300 + + Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8 + + net: heap overflow in __audit_sockaddr() + + We need to cap ->msg_namelen or it leads to a buffer overflow when we + to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to + exploit this bug. + + The call tree is: + ___sys_recvmsg() + move_addr_to_user() + audit_sockaddr() + __audit_sockaddr() + + Reported-by: Jüri Aedla + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + Conflicts: + + net/compat.c + + net/compat.c | 2 ++ + net/socket.c | 24 ++++++++++++++++++++---- + 2 files changed, 22 insertions(+), 4 deletions(-) + +commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc +Author: Salva Peiró +Date: Wed Oct 16 12:46:50 2013 +0200 + + Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 + + wanxl: fix info leak in ioctl + + The wanxl_ioctl() code fails to initialize the two padding bytes of + struct sync_serial_settings after the ->loopback member. Add an explicit + memset(0) before filling the structure to avoid the info leak. + + Signed-off-by: Salva Peiró + Signed-off-by: David S. Miller + + drivers/net/wan/wanxl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f +Author: Geyslan G. Bem +Date: Fri Oct 11 16:49:16 2013 -0300 + + Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4 + + ecryptfs: Fix memory leakage in keystore.c + + In 'decrypt_pki_encrypted_session_key' function: + + Initializes 'payload' pointer and releases it on exit. + + Signed-off-by: Geyslan G. Bem + Signed-off-by: Tyler Hicks + Cc: stable@vger.kernel.org # v2.6.28+ + + fs/ecryptfs/keystore.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 0ccb7b191245318a36bbd1f59a1846dda72cb738 +Author: Colin Ian King +Date: Thu Oct 24 14:08:07 2013 +0000 + + Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e + + eCryptfs: fix 32 bit corruption issue + + Shifting page->index on 32 bit systems was overflowing, causing + data corruption of > 4GB files. Fix this by casting it first. + + https://launchpad.net/bugs/1243636 + + Signed-off-by: Colin Ian King + Reported-by: Lars Duesing + Cc: stable@vger.kernel.org # v3.11+ + Signed-off-by: Tyler Hicks + + fs/ecryptfs/crypto.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4 +Author: Brad Spengler +Date: Sun Oct 27 13:29:49 2013 -0400 + + This is a replacement patch only for stable which does fix the problems + handled by the following two commits in -net: + + "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) + "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) + + Three frames are written on a corked udp socket for which the output + netdevice has UFO enabled. If the first and third frame are smaller than + the mtu and the second one is bigger, we enqueue the second frame with + skb_append_datato_frags without initializing the gso fields. This leads + to the third frame appended regulary and thus constructing an invalid skb. + + This fixes the problem by always using skb_append_datato_frags as soon + as the first frag got enqueued to the skb without marking the packet + as SKB_GSO_UDP. + + The problem with only two frames for ipv6 was fixed by "ipv6: udp + packets following an UFO enqueued packet need also be handled by UFO" + (2811ebac2521ceac84f2bdae402455baa6a7fb47). + + Cc: Jiri Pirko + Cc: Eric Dumazet + Cc: David Miller + Signed-off-by: Hannes Frederic Sowa + + include/linux/skbuff.h | 5 +++++ + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 3 files changed, 7 insertions(+), 2 deletions(-) + +commit aead8ff29424c6a5d25eb4614be91a01f9f6af00 +Merge: 5cf8361 ddadc82 +Author: Brad Spengler +Date: Sat Oct 26 08:42:26 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec +Author: Brad Spengler +Date: Sat Oct 26 08:41:24 2013 -0400 + + - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs and Natanael Copa (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e) + - updated config help for latent entropy to reflect recent changes + + arch/x86/include/asm/uaccess_64.h | 4 ++-- + security/Kconfig | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad +Author: Johannes Weiner +Date: Wed Oct 16 13:47:00 2013 -0700 + + Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc + + fs: buffer: move allocation failure loop into the allocator + + Buffer allocation has a very crude indefinite loop around waking the + flusher threads and performing global NOFS direct reclaim because it can + not handle allocation failures. + + The most immediate problem with this is that the allocation may fail due + to a memory cgroup limit, where flushers + direct reclaim might not make + any progress towards resolving the situation at all. Because unlike the + global case, a memory cgroup may not have any cache at all, only + anonymous pages but no swap. This situation will lead to a reclaim + livelock with insane IO from waking the flushers and thrashing unrelated + filesystem cache in a tight loop. + + Use __GFP_NOFAIL allocations for buffers for now. This makes sure that + any looping happens in the page allocator, which knows how to + orchestrate kswapd, direct reclaim, and the flushers sensibly. It also + allows memory cgroups to detect allocations that can't handle failure + and will allow them to ultimately bypass the limit if reclaim can not + make progress. + + Reported-by: azurIt + Signed-off-by: Johannes Weiner + Cc: Michal Hocko + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/buffer.c | 14 ++++++++++++-- + mm/memcontrol.c | 2 ++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +commit 799326c8683d8d70b2035b1e5ab913c159112b6b +Author: Miklos Szeredi +Date: Thu Oct 10 16:48:19 2013 +0200 + + Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 + + ext[34]: fix double put in tmpfile + + d_tmpfile() already swallowed the inode ref. + + Signed-off-by: Miklos Szeredi + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/ext3/namei.c | 5 ++--- + fs/ext4/namei.c | 5 ++--- + 2 files changed, 4 insertions(+), 6 deletions(-) + +commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3 +Author: Jan Klos +Date: Sun Oct 6 21:08:20 2013 +0200 + + Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20 + + cifs: Fix inability to write files >2GB to SMB2/3 shares + + When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super(). + + The patch fixes this by checking for the correct bit according to the protocol version. + + CC: Stable + Signed-off-by: Jan Klos + Reviewed-by: Jeff Layton + Signed-off-by: Steve French + + fs/cifs/cifsfs.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22 +Author: Tim Gardner +Date: Sun Oct 13 13:29:03 2013 -0600 + + Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a + + cifs: ntstatus_to_dos_map[] is not terminated + + Functions that walk the ntstatus_to_dos_map[] array could + run off the end. For example, ntstatus_to_dos() loops + while ntstatus_to_dos_map[].ntstatus is not 0. Granted, + this is mostly theoretical, but could be used as a DOS attack + if the error code in the SMB header is bogus. + + [Might consider adding to stable, as this patch is low risk - Steve] + + Reviewed-by: Jeff Layton + Signed-off-by: Tim Gardner + Signed-off-by: Steve French + + fs/cifs/netmisc.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit ed8c09a96fa260e1864c632e1dd91b1320876305 +Author: Eric Dumazet +Date: Tue Oct 15 11:54:30 2013 -0700 + + Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9 + + tcp: must unclone packets before mangling them + + TCP stack should make sure it owns skbs before mangling them. + + We had various crashes using bnx2x, and it turned out gso_size + was cleared right before bnx2x driver was populating TC descriptor + of the _previous_ packet send. TCP stack can sometime retransmit + packets that are still in Qdisc. + + Of course we could make bnx2x driver more robust (using + ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. + + We have identified two points where skb_unclone() was needed. + + This patch adds a WARN_ON_ONCE() to warn us if we missed another + fix of this kind. + + Kudos to Neal for finding the root cause of this bug. Its visible + using small MSS. + + Signed-off-by: Eric Dumazet + Signed-off-by: Neal Cardwell + Cc: Yuchung Cheng + Signed-off-by: David S. Miller + + net/ipv4/tcp_output.c | 9 ++++++--- + 1 files changed, 6 insertions(+), 3 deletions(-) + +commit e5dcf1772ca2a85952da10a21d0650507dc061d3 +Author: Dan Carpenter +Date: Mon Oct 14 15:28:38 2013 +0300 + + Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5 + + yam: integer underflow in yam_ioctl() + + We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be + negative. I don't know the impact of using a negative bitrate but let's + prevent it. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + include/linux/yam.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1f5d72d633f317248bba25158c326a61394aebf2 +Merge: 7ca4328 4df1b96 +Author: Brad Spengler +Date: Fri Oct 18 19:36:17 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + ipc/shm.c + +commit 4df1b965687831808af2548487e0f35a2ccc5c29 +Merge: e41125e 5070441 +Author: Brad Spengler +Date: Fri Oct 18 19:35:31 2013 -0400 + + Merge branch 'linux-3.11.y' into pax-test + + Conflicts: + arch/x86/kernel/setup.c + +commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525 +Author: Brad Spengler +Date: Wed Oct 16 18:35:00 2013 -0400 + + From: Mathias Krause + To: Evgeniy Polyakov + Cc: Mathias Krause , netdev@vger.kernel.org + Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length + + The current code tests the length of the whole netlink message to be + at least as long to fit a cn_msg. This is wrong as nlmsg_len includes + the length of the netlink message header. Use nlmsg_len() instead to + fix this "off-by-NLMSG_HDRLEN" size check. + + Cc: stable@vger.kernel.org # v2.6.14+ + Signed-off-by: Mathias Krause + + drivers/connector/connector.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489 +Author: Brad Spengler +Date: Wed Oct 16 18:36:25 2013 -0400 + + From: Mathias Krause + To: linux-audit@redhat.com + Cc: Mathias Krause , Al Viro , Eric Paris + Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests + + We leak 4 bytes of kernel stack in response to an AUDIT_GET request as + we miss to initialize the mask member of status_set. Fix that. + + Cc: Al Viro + Cc: Eric Paris + Cc: stable@vger.kernel.org # v2.6.6+ + Signed-off-by: Mathias Krause + + kernel/audit.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 9557a8727fd46e68f092dec0830a982e85b231f7 +Author: Brad Spengler +Date: Wed Oct 16 19:02:32 2013 -0400 + + add 2nd chunk of audit nlmsg_len() fix from minipli + + kernel/audit.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd +Author: Brad Spengler +Date: Wed Oct 16 18:37:59 2013 -0400 + + From: Mathias Krause + To: linux-audit@redhat.com + Cc: Mathias Krause , Al Viro , Eric Paris + Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length + + Using the nlmsg_len member of the netlink header to test if the message + is valid is wrong as it includes the size of the netlink header itself. + Thereby allowing to send short netlink messages that pass those checks. + + Use nlmsg_len() instead to test for the right message length. The result + of nlmsg_len() is guaranteed to be non-negative as the netlink message + already passed the checks of nlmsg_ok(). + + Also switch to min_t() to please checkpatch.pl. + + Cc: Al Viro + Cc: Eric Paris + Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd + + kernel/audit.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 7547b29750381c776dfd47f4b1277a492d5b0f72 +Author: Brad Spengler +Date: Wed Oct 16 18:41:01 2013 -0400 + + From: Mathias Krause + To: netfilter-devel@vger.kernel.org + Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik + , Bart De Schuymer + Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks + + The ulog messages leak heap bytes by the means of padding bytes and + incompletely filled string arrays. Fix those by memset(0)'ing the + whole struct before filling it. + + Cc: Bart De Schuymer + Signed-off-by: Mathias Krause + + Conflicts: + + net/bridge/netfilter/ebt_ulog.c + + net/bridge/netfilter/ebt_ulog.c | 9 +++------ + 1 files changed, 3 insertions(+), 6 deletions(-) + +commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528 +Author: Brad Spengler +Date: Wed Oct 16 18:43:01 2013 -0400 + + From: Mathias Krause + To: netfilter-devel@vger.kernel.org + Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik + + Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks + + The ulog messages leak heap bytes by the means of padding bytes and + incompletely filled string arrays. Fix those by memset(0)'ing the + whole struct before filling it. + + Cc: Pablo Neira Ayuso + Cc: Patrick McHardy + Cc: Jozsef Kadlecsik + Signed-off-by: Mathias Krause + + Conflicts: + + net/ipv4/netfilter/ipt_ULOG.c + + net/ipv4/netfilter/ipt_ULOG.c | 7 +------ + 1 files changed, 1 insertions(+), 6 deletions(-) + +commit 2965f6e6122325a18e69296ad3817c66ca59b7e3 +Author: Brad Spengler +Date: Wed Oct 16 18:49:45 2013 -0400 + + From: Mathias Krause + To: "David S. Miller" + Cc: Mathias Krause , netdev@vger.kernel.org + Subject: [PATCH net] unix_diag: fix info leak + + When filling the netlink message we miss to wipe the pad field, + therefore leak one byte of heap memory to userland. Fix this by + setting pad to 0. + + Signed-off-by: Mathias Krause + + net/unix/diag.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc +Author: Mathias Krause +Date: Mon Sep 30 22:03:06 2013 +0200 + + Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682 + + proc connector: fix info leaks + + Initialize event_data for all possible message types to prevent leaking + kernel stack contents to userland (up to 20 bytes). Also set the flags + member of the connector message to 0 to prevent leaking two more stack + bytes this way. + + Cc: stable@vger.kernel.org # v2.6.15+ + Signed-off-by: Mathias Krause + Signed-off-by: David S. Miller + + drivers/connector/cn_proc.c | 18 ++++++++++++++++++ + 1 files changed, 18 insertions(+), 0 deletions(-) + +commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04 +Author: AKASHI Takahiro +Date: Wed Oct 9 15:58:29 2013 +0100 + + Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a + + ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() + + In ftrace_syscall_enter(), + syscall_get_arguments(..., 0, n, ...) + if (i == 0) { ...; n--;} + memcpy(..., n * sizeof(args[0])); + If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in + syscall_get_arguments(), none of arguments should be copied by memcpy(). + Otherwise 'n--' can be a big positive number and unexpected amount of data + will be copied. Tracing system calls which take no argument, say sync(void), + may hit this case and eventually make the system corrupted. + This patch fixes the issue both in syscall_get_arguments() and + syscall_set_arguments(). + + Cc: + Acked-by: Will Deacon + Signed-off-by: AKASHI Takahiro + Signed-off-by: Will Deacon + Signed-off-by: Russell King + + arch/arm/include/asm/syscall.h | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2 +Author: Dave Jones +Date: Thu Oct 10 20:05:35 2013 -0400 + + Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc + + ext4: fix memory leak in xattr + + If we take the 2nd retry path in ext4_expand_extra_isize_ea, we + potentionally return from the function without having freed these + allocations. If we don't do the return, we over-write the previous + allocation pointers, so we leak either way. + + Spotted with Coverity. + + [ Fixed by tytso to set is and bs to NULL after freeing these + pointers, in case in the retry loop we later end up triggering an + error causing a jump to cleanup, at which point we could have a double + free bug. -- Ted ] + + Signed-off-by: Dave Jones + Signed-off-by: "Theodore Ts'o" + Reviewed-by: Eric Sandeen + Cc: stable@vger.kernel.org + + fs/ext4/xattr.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 224e55268fbd4f81fca479e315c9483df591411d +Author: Salva Peiró +Date: Fri Oct 11 12:50:03 2013 +0300 + + Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194 + + farsync: fix info leak in ioctl + + The fst_get_iface() code fails to initialize the two padding bytes of + struct sync_serial_settings after the ->loopback member. Add an explicit + memset(0) before filling the structure to avoid the info leak. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/net/wan/farsync.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9 +Author: James Hogan +Date: Mon Oct 7 12:14:26 2013 +0100 + + Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92 + + MIPS: stack protector: Fix per-task canary switch + + Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary + per task) was merged in v3.11 and introduced assembly in the MIPS resume + functions to update the value of the current canary in + __stack_chk_guard. However it used PTR_L resulting in a load of the + canary value, instead of PTR_LA to construct its address. The value is + intended to be random but is then treated as an address in the + subsequent LONG_S (store). + + This was observed to cause a fault and panic: + + CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4 + Oops[#1]: + ... + $24 : 139fea20 1e1f7cb6 + ... + Call Trace: + [<8000cc0c>] resume+0xac/0x118 + [<8034f2a4>] __schedule+0x5f8/0x78c + [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c + [<80348eec>] rest_init+0x74/0x84 + [<804dc990>] start_kernel+0x43c/0x454 + Code: 3c18804b 8f184030 8cb901f8 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc + + This can also be forced by modifying + arch/mips/include/asm/stackprotector.h so that the default + __stack_chk_guard value is more likely to be a bad (or unaligned) + pointer. + + Fix it to use PTR_LA instead, to load the address of the canary value, + which the LONG_S can then use to write into it. + + Reported-by: bobjones (via #mipslinux on IRC) + Signed-off-by: James Hogan + Cc: Ralf Baechle + Cc: Gregory Fong + Cc: linux-mips@linux-mips.org + Cc: stable@vger.kernel.org + Patchwork: https://patchwork.linux-mips.org/patch/6026/ + Signed-off-by: Ralf Baechle + + arch/mips/kernel/octeon_switch.S | 2 +- + arch/mips/kernel/r2300_switch.S | 2 +- + arch/mips/kernel/r4k_switch.S | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c +Author: Fan Du +Date: Tue Sep 17 15:14:13 2013 +0800 + + Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda + + xfrm: Guard IPsec anti replay window against replay bitmap + + For legacy IPsec anti replay mechanism: + + bitmap in struct xfrm_replay_state could only provide a 32 bits + window size limit in current design, thus user level parameter + sadb_sa_replay should honor this limit, otherwise misleading + outputs("replay=244") by setkey -D will be: + + 192.168.25.2 192.168.22.2 + esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000) + E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2 + A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331 + seq=0x00000000 replay=244 flags=0x00000000 state=mature + created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 + diff: 22(s) hard: 30(s) soft: 26(s) + last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) + current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) + allocated: 22 hard: 0 soft: 0 + sadb_seq=1 pid=4854 refcnt=0 + 192.168.22.2 192.168.25.2 + esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000) + E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282 + A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88 + seq=0x00000000 replay=244 flags=0x00000000 state=mature + created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 + diff: 22(s) hard: 30(s) soft: 26(s) + last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) + current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) + allocated: 22 hard: 0 soft: 0 + sadb_seq=0 pid=4854 refcnt=0 + + And also, optimizing xfrm_replay_check window checking by setting the + desirable x->props.replay_window with only doing the comparison once + for all when xfrm_state is first born. + + Signed-off-by: Fan Du + Signed-off-by: Steffen Klassert + + net/key/af_key.c | 3 ++- + net/xfrm/xfrm_replay.c | 3 +-- + net/xfrm/xfrm_user.c | 3 ++- + 3 files changed, 5 insertions(+), 4 deletions(-) + +commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541 +Author: Thomas Egerer +Date: Thu Sep 19 13:19:19 2013 +0200 + + Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c + + xfrm: Fix aevent generation for each received packet + + If asynchronous events are enabled for a particular netlink socket, + the notify function is called by the advance function. The notify + function creates and dispatches a km_event if a replay timeout occurred, + or at least replay_maxdiff packets have been received since the last + asynchronous event has been sent. The function is supposed to return if + neither of the two events were detected for a state, or replay_maxdiff + is equal to zero. + Replay_maxdiff is initialized in xfrm_state_construct to the value of + the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state + if the netlink attribute XFRMA_REPLAY_THRESH is set. + If, however, replay_maxdiff is set to zero, then all of the three notify + implementations perform a break from the switch statement instead of + checking whether a timeout occurred, and -- if not -- return. As a + result an asynchronous event is generated for every replay update of a + state that has a zero replay_maxdiff value. + This patch modifies the notify functions such that they immediately + return if replay_maxdiff has the value zero, unless a timeout occurred. + + Signed-off-by: Thomas Egerer + Signed-off-by: Steffen Klassert + + net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++---------------------- + 1 files changed, 27 insertions(+), 24 deletions(-) + +commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8 +Author: Steffen Klassert +Date: Tue Oct 8 10:49:45 2013 +0200 + + Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee + + xfrm: Add refcount handling to queued policies + + We need to ensure that policies can't go away as long as the hold timer + is armed, so take a refcont when we arm the timer and drop one if we + delete it. + + Bug was introduced with git commit a0073fe18 ("xfrm: Add a state + resolution packet queue") + + Signed-off-by: Steffen Klassert + + net/xfrm/xfrm_policy.c | 24 +++++++++++++++++------- + 1 files changed, 17 insertions(+), 7 deletions(-) + +commit b4948dc963442682534b3a039664b564c764e4f8 +Author: Steffen Klassert +Date: Tue Oct 8 10:49:51 2013 +0200 + + Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0 + + xfrm: check for a vaild skb in xfrm_policy_queue_process + + We might dreference a NULL pointer if the hold_queue is empty, + so add a check to avoid this. + + Bug was introduced with git commit a0073fe18 ("xfrm: Add a state + resolution packet queue") + + Signed-off-by: Steffen Klassert + + net/xfrm/xfrm_policy.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit fad7f264b264b0b17a307aa16162cb43c7688a30 +Author: Marc Kleine-Budde +Date: Mon Oct 7 23:19:58 2013 +0200 + + Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89 + + net: vlan: fix nlmsg size calculation in vlan_get_size() + + This patch fixes the calculation of the nlmsg size, by adding the missing + nla_total_size(). + + Cc: Patrick McHardy + Signed-off-by: Marc Kleine-Budde + Signed-off-by: David S. Miller + + net/8021q/vlan_netlink.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd +Author: François Cachereul +Date: Wed Oct 2 10:16:02 2013 +0200 + + Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c + + l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses + + IPv4 mapped addresses cause kernel panic. + The patch juste check whether the IPv6 address is an IPv4 mapped + address. If so, use IPv4 API instead of IPv6. + + [ 940.026915] general protection fault: 0000 [#1] + [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse + [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 + [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 + [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 + [ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326 + [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 + [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 + [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 + [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 + [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 + [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 + [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 + [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 + [ 940.026915] Stack: + [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 + [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 + [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 + [ 940.026915] Call Trace: + [ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4 + [ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] + [ 940.026915] [] ? pskb_expand_head+0x161/0x214 + [ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] + [ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic] + [ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic] + [ 940.026915] [] ? vfs_write+0xa2/0x106 + [ 940.026915] [] ? SyS_write+0x56/0x8a + [ 940.026915] [] ? system_call_fastpath+0x16/0x1b + [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 + 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 + 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 + [ 940.026915] RIP [] ip6_xmit+0x276/0x326 + [ 940.026915] RSP + [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- + [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt + + Signed-off-by: François CACHEREUL + Signed-off-by: David S. Miller + + net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++---- + net/l2tp/l2tp_core.h | 3 +++ + 2 files changed, 26 insertions(+), 4 deletions(-) + +commit 2db6fe58460d400bc8b995fa2328be03e27e55e1 +Merge: 28f9622 e41125e +Author: Brad Spengler +Date: Tue Oct 15 10:00:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/kernel/ds.c + net/sysctl_net.c + +commit e41125e4742f332cd8cd8cf0c00cb189dba0e037 +Merge: 740e5ec a145cb9 +Author: Brad Spengler +Date: Tue Oct 15 09:58:29 2013 -0400 + + Merge branch 'linux-3.11.y' into pax-test + +commit 28f9622091224541efadf3ae006f0e5651c7fa45 +Author: Brad Spengler +Date: Tue Oct 1 22:48:34 2013 -0400 + + Fix this strlcpy crap properly + + arch/sparc/kernel/ds.c | 7 +++---- + 1 files changed, 3 insertions(+), 4 deletions(-) + +commit 837193210e4125fe4e9e554b28d7bc33985f3554 +Author: David S. Miller +Date: Fri Sep 27 13:46:04 2013 -0700 + + Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355 + + sparc64: Fix buggy strlcpy() conversion in ldom_reboot(). + + Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using + strlcpy() instead of strcpy()") added a bug to ldom_reboot in + arch/sparc/kernel/ds.c + + - strcpy(full_boot_str + strlen("boot "), boot_command); + + strlcpy(full_boot_str + strlen("boot "), boot_command, + + sizeof(full_boot_str + strlen("boot "))); + + That last sizeof() expression evaluates to sizeof(size_t) which is + not what was intended. + + Also even the corrected: + + sizeof(full_boot_str) + strlen("boot ") + + is not right as the destination buffer length is just plain + "sizeof(full_boot_str)" and that's what the final argument + should be. + + Signed-off-by: David S. Miller + + arch/sparc/kernel/ds.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249 +Author: Hannes Frederic Sowa +Date: Sun Sep 29 05:40:50 2013 +0200 + + Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae + + ipv6: gre: correct calculation of max_headroom + + gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header, + so initialize max_headroom to zero. Otherwise the + + if (encap_limit >= 0) { + max_headroom += 8; + mtu -= 8; + } + + increments an uninitialized variable before max_headroom was reset. + + Found with coverity: 728539 + + Cc: Dmitry Kozlov + Signed-off-by: Hannes Frederic Sowa + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + Conflicts: + + net/ipv6/ip6_gre.c + + net/ipv6/ip6_gre.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 0d68ac550952d0eaf60851497ceee68dbba24516 +Merge: 64257ad 740e5ec +Author: Brad Spengler +Date: Tue Oct 1 18:11:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/hid/hid-core.c + drivers/hid/hid-lg2ff.c + drivers/hid/hid-lg3ff.c + drivers/hid/hid-lg4ff.c + drivers/hid/hid-lgff.c + drivers/hid/hid-logitech-dj.c + drivers/hid/hid-steelseries.c + drivers/hid/hid-zpff.c + include/linux/hid.h + +commit 740e5ec087969afd43ae0b552b4e05914437ed32 +Merge: c38c6b0 db20388 +Author: Brad Spengler +Date: Tue Oct 1 17:40:46 2013 -0400 + + Merge branch 'linux-3.11.y' into pax-test + +commit 64257ad95c51285d415f93ebdd486fae6bb9415d +Author: Hannes Frederic Sowa +Date: Sat Sep 21 06:27:00 2013 +0200 + + Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47 + + ipv6: udp packets following an UFO enqueued packet need also be handled by UFO + + In the following scenario the socket is corked: + If the first UDP packet is larger then the mtu we try to append it to the + write queue via ip6_ufo_append_data. A following packet, which is smaller + than the mtu would be appended to the already queued up gso-skb via + plain ip6_append_data. This causes random memory corruptions. + + In ip6_ufo_append_data we also have to be careful to not queue up the + same skb multiple times. So setup the gso frame only when no first skb + is available. + + This also fixes a shortcoming where we add the current packet's length to + cork->length but return early because of a packet > mtu with dontfrag set + (instead of sutracting it again). + + Found with trinity. + + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Reported-by: Dmitry Vyukov + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 53 ++++++++++++++++++++---------------------------- + 1 files changed, 22 insertions(+), 31 deletions(-) + +commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6 +Author: Dan Carpenter +Date: Tue Sep 24 15:27:45 2013 -0700 + + Just a whitespace fix to sync with upstream as we already applied this fix + via Vasiliy Kulikov in 2010. It fell through the cracks upstream + + cciss: fix info leak in cciss_ioctl32_passthru() + + The arg64 struct has a hole after ->buf_size which isn't cleared. Or if + any of the calls to copy_from_user() fail then that would cause an + information leak as well. + + This was assigned CVE-2013-2147. + + Signed-off-by: Dan Carpenter + Acked-by: Mike Miller + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + Conflicts: + + drivers/block/cciss.c + + drivers/block/cciss.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e +Author: Paul E. McKenney +Date: Tue Sep 24 18:29:11 2013 -0700 + + Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b + + mm: Place preemption point in do_mlockall() loop + + There is a loop in do_mlockall() that lacks a preemption point, which + means that the following can happen on non-preemptible builds of the + kernel. Dave Jones reports: + + "My fuzz tester keeps hitting this. Every instance shows the non-irq + stack came in from mlockall. I'm only seeing this on one box, but + that has more ram (8gb) than my other machines, which might explain + it. + + INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0) + sending NMI to all CPUs: + NMI backtrace for cpu 3 + CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32 + Call Trace: + lru_add_drain_all+0x15/0x20 + SyS_mlockall+0xa5/0x1a0 + tracesys+0xdd/0xe2" + + This commit addresses this problem by inserting the required preemption + point. + + Reported-by: Dave Jones + Signed-off-by: Paul E. McKenney + Cc: KOSAKI Motohiro + Cc: Michel Lespinasse + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mlock.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9 +Author: Brad Spengler +Date: Fri Sep 27 21:06:17 2013 -0400 + + Don't log attempts to create a socket with a family that the kernel doesn't + support + Further, if the kernel doesn't support the socket family, instead of returning + -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 + sockets in RBAC policy despite a kernel that doesn't support ipv6 + observed during a Debian userland update necessitating a policy change + + grsecurity/gracl_ip.c | 7 +++---- + net/socket.c | 26 +++++++++++++++----------- + 2 files changed, 18 insertions(+), 15 deletions(-) + +commit 55f1e409275973513a3314fe5bfa76a4781c0db7 +Merge: 2eac654 c38c6b0 +Author: Brad Spengler +Date: Fri Sep 27 20:35:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/hid/hid-picolcd_core.c + +commit c38c6b0bbbe53bd528aeeb4a059764abc028c276 +Merge: 115bf6a a3308b5 +Author: Brad Spengler +Date: Fri Sep 27 20:34:15 2013 -0400 + + Merge branch 'linux-3.11.y' into pax-test + + Conflicts: + arch/x86/ia32/ia32_signal.c + arch/x86/include/asm/checksum_32.h + arch/x86/include/asm/mmu_context.h + arch/x86/kernel/signal.c + arch/x86/lib/csum-wrappers_64.c + include/linux/compat.h + +commit 2eac65435fdffca548a56e5187840908438fc95c +Merge: ba0ebde 115bf6a +Author: Brad Spengler +Date: Thu Sep 26 20:00:00 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 115bf6af0083ea28c751d551a39cfdba1798e9dc +Author: Brad Spengler +Date: Thu Sep 26 19:59:14 2013 -0400 + + Update to pax-linux-3.11.1-test10.patch: + - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine + - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard + - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040) + - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released) + - beefed up latent entropy extraction + - latent_entropy itself will be initialized to a compile-time random value (instead of 0) + - entropy will be collected from various irq and softirq handlers + + arch/arm/kernel/module.c | 2 ++ + arch/arm/kernel/vmlinux.lds.S | 2 +- + block/blk-iopoll.c | 2 +- + block/blk-softirq.c | 2 +- + fs/binfmt_elf.c | 8 +++++--- + include/linux/genhd.h | 2 +- + include/linux/random.h | 4 ++-- + kernel/hrtimer.c | 2 +- + kernel/rcutiny.c | 2 +- + kernel/rcutree.c | 2 +- + kernel/sched/fair.c | 2 +- + kernel/softirq.c | 4 ++-- + kernel/timer.c | 2 +- + lib/percpu-refcount.c | 2 +- + net/core/dev.c | 4 ++-- + tools/gcc/latent_entropy_plugin.c | 2 +- + 16 files changed, 24 insertions(+), 20 deletions(-) + +commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6 +Author: Brad Spengler +Date: Sun Sep 22 18:14:07 2013 -0400 + + Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" + + This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. + + net/netlink/genetlink.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35 +Merge: f1e4228 90db383 +Author: Brad Spengler +Date: Wed Sep 18 17:34:37 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 90db383fd7d650172d52229b0116ad7604c9bec1 +Author: Brad Spengler +Date: Wed Sep 18 17:32:42 2013 -0400 + + Update to pax-linux-3.11.1-test9.patch: + - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer + - better implementation of __read_only for modules + - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard + + arch/arm/kernel/entry-common.S | 12 ++++++------ + arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++-- + arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++- + arch/x86/include/asm/cache.h | 4 ---- + drivers/bus/arm-cci.c | 2 +- + drivers/clk/socfpga/clk.c | 2 +- + drivers/mmc/host/mmci.c | 4 +++- + drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +- + include/linux/cache.h | 4 ++++ + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + scripts/module-common.lds | 4 ++++ + 12 files changed, 49 insertions(+), 19 deletions(-) + +commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810 +Author: Brad Spengler +Date: Wed Sep 18 17:32:25 2013 -0400 + + Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error" + + This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f. + + net/sctp/protocol.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f1e42285e17479067b6cbcffc43916720e6dedd3 +Merge: 456ca17 5e30989 +Author: Brad Spengler +Date: Mon Sep 16 21:42:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5e30989102e2d0df166ab6ff915b90f675f8786f +Author: Brad Spengler +Date: Mon Sep 16 21:41:44 2013 -0400 + + mark sctp_af_inet forward declaration as __read_only to fix compile error + + net/sctp/protocol.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 456ca176141f10355c1569b29225c9ce4b7db18e +Merge: b406eac 5df8f36 +Author: Brad Spengler +Date: Mon Sep 16 20:02:05 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6 +Author: Brad Spengler +Date: Mon Sep 16 20:01:38 2013 -0400 + + Update to pax-linux-3.11.1-test7.patch: + - fixed arm compile error, reported by Arnaud Ebalard + - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743) + - fixed od_ops constification, fixes cpufreq ondemand on AMD + - latent entropy will now be gathered from module init code as well (i.e., at module load/init time) + - __read_only will now be enforced in modules as well + - removed unneccessary __read_only from ntfs + + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/x86/include/asm/cache.h | 4 ++++ + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_ondemand.c | 2 +- + fs/ntfs/file.c | 4 ++-- + include/linux/init.h | 5 ----- + include/net/xfrm.h | 5 ++++- + init/main.c | 9 +++------ + mm/page_alloc.c | 1 + + net/ipv4/xfrm4_policy.c | 4 ++-- + net/ipv6/xfrm6_policy.c | 4 ++-- + net/xfrm/xfrm_policy.c | 11 ++--------- + 12 files changed, 23 insertions(+), 30 deletions(-) + +commit b406eac579bb3a5faa1c9d73b8af5530f942009a +Author: Brad Spengler +Date: Mon Sep 16 12:53:22 2013 -0400 + + Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce + + author Steffen Klassert 2013-09-09 07:39:01 (GMT) + committer Steffen Klassert 2013-09-16 07:39:37 (GMT) + + xfrm: Fix replay size checking on async events + We pass the wrong netlink attribute to xfrm_replay_verify_len(). + It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as + we currently doing. This causes memory corruptions if the + replay esn attribute has incorrect length. Fix this by passing + the right attribute to xfrm_replay_verify_len(). + + Reported-by: Michael Rossberg + Signed-off-by: Steffen Klassert + + net/xfrm/xfrm_user.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9 +Merge: 84843a3 0a0ced6 +Author: Brad Spengler +Date: Sun Sep 15 11:24:30 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/net/wireless/ath/ath10k/core.c + drivers/net/wireless/ath/ath10k/htc.c + +commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d +Author: Brad Spengler +Date: Sun Sep 15 11:21:43 2013 -0400 + + Update to pax-linux-3.11.1-test6.patch: + - forward port to 3.11.1 + - fixed some CONSTIFY fallout, reported by spender + - fixed INVPCID on i386, reported by spender + - simplified/consolidated the recent security_ops change + + arch/x86/include/asm/mmu_context.h | 4 ++-- + arch/x86/include/asm/tlbflush.h | 6 +++--- + arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- + drivers/net/wireless/ath/ath10k/core.c | 6 +++--- + drivers/net/wireless/ath/ath10k/htc.c | 7 ++++--- + include/linux/security.h | 2 -- + security/security.c | 3 --- + security/selinux/hooks.c | 5 +++-- + 8 files changed, 16 insertions(+), 19 deletions(-) + +commit 84843a394cde0578be728cb5fd34da9859dcf110 +Author: Brad Spengler +Date: Sun Sep 15 09:19:21 2013 -0400 + + remove unnecessary check from when protocol was signed + + net/phonet/af_phonet.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit cc7c916cac4c2eb0ec243690627e2b6a13234fef +Author: Brad Spengler +Date: Sun Sep 15 08:53:27 2013 -0400 + + resync with PaX + + security/selinux/hooks.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit fdeadf7ba061242685e07a2504c6be99161f292c +Author: Brad Spengler +Date: Sat Sep 14 23:04:53 2013 -0400 + + Fix constification of ath10k_hif_cb struct located on stack + + drivers/net/wireless/ath/ath10k/hif.h | 1 + + drivers/net/wireless/ath/ath10k/htc.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletions(-) + +commit 73c6875760e610cb636f86566a1be7a744d89b82 +Author: Brad Spengler +Date: Sat Sep 14 22:41:06 2013 -0400 + + use a no_const typedef for ath10k_htc_ops, which is located on the stack + + drivers/net/wireless/ath/ath10k/core.c | 6 +++--- + drivers/net/wireless/ath/ath10k/htc.h | 1 + + 2 files changed, 4 insertions(+), 3 deletions(-) + +commit bffb0279b95b717c739365a5a25ca0391e7479b1 +Author: Brad Spengler +Date: Sat Sep 14 22:13:46 2013 -0400 + + fix compilation error under constify + + drivers/net/wireless/ath/ath10k/core.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 1044c726fd98de89a711c6655f811600d4051e46 +Merge: ffc8003 e39d12a +Author: Brad Spengler +Date: Sat Sep 14 21:57:25 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e39d12a3b877293ba677bf7642c8887144ae1576 +Author: Brad Spengler +Date: Sat Sep 14 21:56:56 2013 -0400 + + Update to pax-linux-3.11-test5.patch: + - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd) + - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin + + mm/mremap.c | 5 ++++- + tools/gcc/kernexec_plugin.c | 4 ++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b +Author: Brad Spengler +Date: Sat Sep 14 21:48:03 2013 -0400 + + fix compile error introduced by pipacs + + security/selinux/hooks.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 874e80f445b1325df45f04cc317f67587e241218 +Author: Brad Spengler +Date: Sat Sep 14 21:12:45 2013 -0400 + + Fix invalid dependency causing warning: + warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) + + lib/Kconfig.debug | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a +Author: Brad Spengler +Date: Sat Sep 14 19:53:56 2013 -0400 + + change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs + + arch/x86/include/asm/tlbflush.h | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838 +Author: Daniel Borkmann +Date: Sat Sep 7 16:44:59 2013 +0200 + + Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95 + + net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE + + If we do not add braces around ... + + mask |= POLLERR | + sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0; + + ... then this condition always evaluates to true as POLLERR is + defined as 8 and binary or'd with whatever result comes out of + sock_flag(). Hence instead of (X | Y) ? A : B, transform it into + X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix + smatch warnings inside datagram_poll") forgot about SCTP. :-( + + Introduced by 7d4c04fc170 ("net: add option to enable error queue + packets waking select"). + + Signed-off-by: Daniel Borkmann + Cc: Jacob Keller + Acked-by: Neil Horman + Acked-by: Vlad Yasevich + Acked-by: Jacob Keller + Signed-off-by: David S. Miller + + net/sctp/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986 +Author: Jason Wang +Date: Wed Sep 11 18:09:48 2013 +0800 + + Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0 + + tuntap: correctly handle error in tun_set_iff() + + Commit c8d68e6be1c3b242f1c598595830890b65cea64a + (tuntap: multiqueue support) only call free_netdev() on error in + tun_set_iff(). This causes several issues: + + - memory of tun security were leaked + - use after free since the flow gc timer was not deleted and the tfile + were not detached + + This patch solves the above issues. + + Reported-by: Wannes Rombouts + Cc: Michael S. Tsirkin + Signed-off-by: Jason Wang + Acked-by: Michael S. Tsirkin + Signed-off-by: David S. Miller + + drivers/net/tun.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit b504140d8590bd67ed481ea84824a9846dde2d74 +Author: Herbert Xu +Date: Sun Sep 8 14:33:50 2013 +1000 + + Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa + + crypto: api - Fix race condition in larval lookup + + crypto_larval_lookup should only return a larval if it created one. + Any larval created by another entity must be processed through + crypto_larval_wait before being returned. + + Otherwise this will lead to a larval being killed twice, which + will most likely lead to a crash. + + Cc: stable@vger.kernel.org + Reported-by: Kees Cook + Tested-by: Kees Cook + Signed-off-by: Herbert Xu + + crypto/api.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit f4212fa9ec1c34c59fabc43904e16112b776b6b2 +Author: Daniel Borkmann +Date: Wed Sep 11 16:58:36 2013 +0200 + + Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7 + + net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit + + Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not + being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport + does not seem to have the desired effect: + + SCTP + IPv4: + + 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) + 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 + 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) + 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): + + SCTP + IPv6: + + 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) + fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp + 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] + + Moreover, Alan says: + + This problem was seen with both Racoon and Racoon2. Other people have seen + this with OpenSwan. When IPsec is configured to encrypt all upper layer + protocols the SCTP connection does not initialize. After using Wireshark to + follow packets, this is because the SCTP packet leaves Box A unencrypted and + Box B believes all upper layer protocols are to be encrypted so it drops + this packet, causing the SCTP connection to fail to initialize. When IPsec + is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. + + In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" + string on the other end, results in cleartext on the wire where SCTP eventually + does not report any errors, thus in the latter case that Alan reports, the + non-paranoid user might think he's communicating over an encrypted transport on + SCTP although he's not (tcpdump ... -X): + + ... + 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... + 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... + + Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the + receiver side. Initial follow-up analysis from Alan's bug report was done by + Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. + + SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). + This has the implication that it probably never really got updated along with + changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. + + SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since + a call to inet6_csk_xmit() would solve this problem, but result in unecessary + route lookups, let us just use the cached flowi6 instead that we got through + sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), + we do the route lookup / flow caching in sctp_transport_route(), hold it in + tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in + sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect + of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() + instead to get the correct source routed dst entry, which we assign to the skb. + + Also source address routing example from 625034113 ("sctp: fix sctp to work with + ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 + it is actually 'recommended' to not use that anyway due to traffic amplification [1]. + So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if + we overwrite the flow destination here, the lower IPv6 layer will be unable to + put the correct destination address into IP header, as routing header is added in + ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, + result of this patch is that we do not have any XfrmInTmplMismatch increase plus on + the wire with this patch it now looks like: + + SCTP + IPv6: + + 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: + AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 + 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: + AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 + + This fixes Kernel Bugzilla 24412. This security issue seems to be present since + 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have + its fun with that. lksctp-tools IPv6 regression test suite passes as well with + this patch. + + [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf + + Reported-by: Alan Chester + Reported-by: Alexey Dobriyan + Signed-off-by: Daniel Borkmann + Cc: Steffen Klassert + Cc: Hannes Frederic Sowa + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/ipv6.c | 42 +++++++++++++----------------------------- + 1 files changed, 13 insertions(+), 29 deletions(-) + +commit 726915e42b1a23b88cd420029003d82208a30006 +Author: Kees Cook +Date: Fri Sep 13 14:52:04 2013 -0700 + + Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7 + + isdn: clean up debug format string usage + + Avoid unneeded local string buffers for constructing debug output. Also + cleans up debug calls that contain a single parameter so that they cannot + be accidentally parsed as format strings. + + Signed-off-by: Kees Cook + Cc: Karsten Keil + Cc: David Miller + Signed-off-by: Andrew Morton + Signed-off-by: David S. Miller + + drivers/isdn/hisax/amd7930_fn.c | 4 +- + drivers/isdn/hisax/avm_pci.c | 4 +- + drivers/isdn/hisax/config.c | 2 +- + drivers/isdn/hisax/diva.c | 4 +- + drivers/isdn/hisax/elsa.c | 2 +- + drivers/isdn/hisax/elsa_ser.c | 2 +- + drivers/isdn/hisax/hfc_pci.c | 2 +- + drivers/isdn/hisax/hfc_sx.c | 2 +- + drivers/isdn/hisax/hscx_irq.c | 4 +- + drivers/isdn/hisax/icc.c | 4 +- + drivers/isdn/hisax/ipacx.c | 8 +++--- + drivers/isdn/hisax/isac.c | 4 +- + drivers/isdn/hisax/isar.c | 6 ++-- + drivers/isdn/hisax/jade.c | 18 ++++---------- + drivers/isdn/hisax/jade_irq.c | 4 +- + drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++------------------------- + drivers/isdn/hisax/netjet.c | 2 +- + drivers/isdn/hisax/q931.c | 6 ++-- + drivers/isdn/hisax/w6692.c | 8 +++--- + 19 files changed, 57 insertions(+), 79 deletions(-) + +commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3 +Author: Brad Spengler +Date: Sat Sep 14 19:16:48 2013 -0400 + + Fix a bad git merge, re-applied a previously reverted patch + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 5dea4b212b0405d6bcbea57516d77b21035d1178 +Author: Brad Spengler +Date: Sat Sep 14 16:56:37 2013 -0400 + + finish porting namei.c + + fs/namei.c | 50 +++++++++++--------------------------------------- + 1 files changed, 11 insertions(+), 39 deletions(-) + +commit a7d5c5e2d0fd4831df19247e41c73c362809b00f +Author: Brad Spengler +Date: Sat Sep 14 16:44:08 2013 -0400 + + cred->user -> current_user() + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit be3db5fa6532557384fb66d2d9297d77666912cf +Author: Brad Spengler +Date: Sat Sep 14 16:36:24 2013 -0400 + + Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit ce9afc12137b65991bfc7cce70e28d86bbb76956 +Author: Daniel Borkmann +Date: Tue Sep 3 19:29:12 2013 +0200 + + Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df + + net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv + + In tcp_v6_do_rcv() code, when processing pkt options, we soley work + on our skb clone opt_skb that we've created earlier before entering + tcp_rcv_established() on our way. However, only in condition ... + + if (np->rxopt.bits.rxtclass) + np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); + + ... we work on skb itself. As we extract every other information out + of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can + already be released by tcp_rcv_established() earlier on. When we try + to access it in ipv6_hdr(), we will dereference freed skb. + + [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for + IP_PKTOPTIONS") ] + + Signed-off-by: Daniel Borkmann + Cc: Eric Dumazet + Acked-by: Eric Dumazet + Acked-by: Jiri Benc + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/ipv6/tcp_ipv6.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 84aa149aa0f178516f5784d028522d60d35696c9 +Author: Brad Spengler +Date: Thu Sep 5 19:36:23 2013 -0400 + + fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1145b56059535549be226da9891b56ab2d902b2f +Author: Brad Spengler +Date: Thu Sep 5 19:17:02 2013 -0400 + + Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) + + Signed-off-by: Brad Spengler + + grsecurity/grsec_sysctl.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3 +Author: Brad Spengler +Date: Thu Sep 5 18:41:49 2013 -0400 + + Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts + + Also eliminate reset_security_ops() as a ROP target when + SECURITY_SELINUX_DISABLE is disabled as it's the only user + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 17 ++++++++++++++++- + grsecurity/grsec_init.c | 3 +++ + grsecurity/grsec_sysctl.c | 2 +- + 3 files changed, 20 insertions(+), 2 deletions(-) + +commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4 +Author: Brad Spengler +Date: Fri Aug 30 17:11:11 2013 -0400 + + fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast + + Signed-off-by: Brad Spengler + + grsecurity/grsec_sysctl.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit 74dc00678ec84a254617b500a2880974dac95220 +Author: Brad Spengler +Date: Wed Aug 28 20:42:39 2013 -0400 + + add export of gr_handle_new_usb() + + Signed-off-by: Brad Spengler + + grsecurity/grsec_usb.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f +Author: Brad Spengler +Date: Wed Aug 28 19:24:47 2013 -0400 + + Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it + + Signed-off-by: Brad Spengler + + drivers/usb/core/hub.c | 5 +++++ + grsecurity/Kconfig | 20 ++++++++++++++++++++ + grsecurity/Makefile | 3 ++- + grsecurity/grsec_init.c | 1 + + grsecurity/grsec_sysctl.c | 11 +++++++++++ + grsecurity/grsec_usb.c | 13 +++++++++++++ + include/linux/grinternal.h | 1 + + include/linux/grsecurity.h | 2 ++ + 8 files changed, 55 insertions(+), 1 deletions(-) + +commit 889852764d245f44e416da4eb203fda0bd327584 +Author: Kees Cook +Date: Wed Aug 14 09:35:07 2013 -0700 + + HID: zeroplus: validate output report details + + The zeroplus HID driver was not checking the size of allocated values + in fields it used. A HID device could send a malicious output report + that would cause the driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 + ... + [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2889 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-zpff.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit f30e932a87f25b53779d1f92b49923f8a2dc9834 +Author: Kees Cook +Date: Wed Aug 14 14:36:15 2013 -0700 + + HID: provide a helper for validating hid reports + + Many drivers need to validate the characteristics of their HID report + during initialization to avoid misusing the reports. This adds a common + helper to perform validation of the report, its field count, and the + value count within the fields. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 +++ + 2 files changed, 54 insertions(+), 0 deletions(-) + +commit f9eac59133855befee23d0c899e0d0e6ebcd3d44 +Author: Kees Cook +Date: Wed Aug 14 09:14:34 2013 -0700 + + HID: steelseries: validate output report details + + A HID device could send a malicious output report that would cause the + steelseries HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 + ... + [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + + CVE-2013-2891 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-steelseries.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 9f5ae466957014bc300929374ebb7afdd9d116d6 +Author: Kees Cook +Date: Wed Aug 14 08:49:21 2013 -0700 + + HID: pantherlord: validate output report details + + A HID device could send a malicious output report that would cause the + pantherlord HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 + ... + [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2892 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit b643b8f8af23488d92f16a817bf16c162d612ce1 +Author: Kees Cook +Date: Tue Aug 13 16:49:01 2013 -0700 + + HID: LG: validate HID output report details + + A HID device could send a malicious output report that would cause the + lg, lg3, and lg4 HID drivers to write beyond the output report allocation + during an event, causing a heap overflow: + + [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 + ... + [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten + + Additionally, while lg2 did correctly validate the report details, it was + cleaned up and shortened. + + CVE-2013-2893 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- + 4 files changed, 12 insertions(+), 73 deletions(-) + +commit 975723a41239b1befae172e88082ff4422753508 +Author: Kees Cook +Date: Thu Aug 15 23:21:23 2013 -0700 + + HID: lenovo-tpkbd: validate output report details + + A HID device could send a malicious output report that would cause the + lenovo-tpkbd HID driver to write just beyond the output report allocation + during initialization, causing a heap overflow: + + [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 + ... + [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2894 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd +Author: Kees Cook +Date: Thu Aug 15 23:45:03 2013 -0700 + + HID: logitech-dj: validate output report details + + A HID device could send a malicious output report that would cause the + logitech-dj HID driver to leak kernel memory contents to the device, or + trigger a NULL dereference during initialization: + + [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b + ... + [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 + [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 + + CVE-2013-2895 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit 05c3db7daee82d79c628c15b304f8621159e14f3 +Author: Kees Cook +Date: Fri Aug 16 00:18:15 2013 -0700 + + HID: ntrig: validate feature report details + + A HID device could send a malicious feature report that would cause the + ntrig HID driver to trigger a NULL dereference during initialization: + + [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 + ... + [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 + [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + + CVE-2013-2896 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-ntrig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit a79f25f59fdd0abaf4ecfab93017aa49de089498 +Author: Kees Cook +Date: Fri Aug 16 00:11:32 2013 -0700 + + HID: multitouch: validate feature report details + + When working on report indexes, always validate that they are in bounds. + Without this, a HID device could report a malicious feature report that + could trick the driver into a heap overflow: + + [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 + ... + [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2897 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 files changed, 20 insertions(+), 5 deletions(-) + +commit 6fe8eb06e432f165872d3486fdce0d09de1515b3 +Author: Kees Cook +Date: Fri Aug 16 08:12:45 2013 -0700 + + HID: sensor-hub: validate feature report details + + A HID device could send a malicious feature report that would cause the + sensor-hub HID driver to read past the end of heap allocation, leaking + kernel memory contents to the caller. + + CVE-2013-2898 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf +Author: Kees Cook +Date: Fri Aug 16 08:05:10 2013 -0700 + + HID: picolcd_core: validate output report details + + A HID device could send a malicious output report that would cause the + picolcd HID driver to trigger a NULL dereference during attr file writing. + + CVE-2013-2899 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-picolcd_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c147e32922dd91edf1969b8a6eb333aafb4abb79 +Author: Kees Cook +Date: Fri Aug 16 08:09:54 2013 -0700 + + HID: check for NULL field when setting values + + Defensively check that the field to be worked on is not NULL. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-core.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683 +Author: Kees Cook +Date: Wed Aug 28 18:09:18 2013 -0400 + + http://marc.info/?l=linux-input&m=137772180514608&q=raw + + The "Report ID" field of a HID report is used to build indexes of + reports. The kernel's index of these is limited to 256 entries, so any + malicious device that sets a Report ID greater than 255 will trigger + memory corruption on the host: + + [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 + [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + + CVE-2013-2888 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c +Author: Brad Spengler +Date: Mon Aug 19 22:10:04 2013 -0400 + + fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs + + Signed-off-by: Brad Spengler + + arch/x86/kernel/smpboot.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac +Author: Brad Spengler +Date: Sat Aug 17 12:00:20 2013 -0400 + + make kallsyms_lookup_size_offset available to approved source files + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit abde07f6c047c0331f511318cb49a36d49218dfc +Author: Brad Spengler +Date: Sat Aug 17 11:18:09 2013 -0400 + + allow use of kallsyms_lookup_name to approved source files + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf +Author: Johannes Berg +Date: Tue Aug 13 09:04:05 2013 +0200 + + Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db + + genetlink: fix family dump race + + When dumping generic netlink families, only the first dump call + is locked with genl_lock(), which protects the list of families, + and thus subsequent calls can access the data without locking, + racing against family addition/removal. This can cause a crash. + Fix it - the locking needs to be conditional because the first + time around it's already locked. + + A similar bug was reported to me on an old kernel (3.4.47) but + the exact scenario that happened there is no longer possible, + on those kernels the first round wasn't locked either. Looking + at the current code I found the race described above, which had + also existed on the old kernel. + + Cc: stable@vger.kernel.org + Reported-by: Andrei Otcheretianski + Signed-off-by: Johannes Berg + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/netlink/genetlink.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782 +Author: Brad Spengler +Date: Sat Aug 17 08:58:34 2013 -0400 + + Fix two harmless compiler warnings + + Signed-off-by: Brad Spengler + + arch/arm/kernel/process.c | 4 ++-- + fs/exec.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit d502375416b17270008ebdf11f1c3be7837f7c50 +Author: Brad Spengler +Date: Fri Aug 16 22:46:01 2013 -0400 + + Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 2 +- + kernel/kprobes.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletions(-) + +commit f6c363aba68cccff2815a488a7e9ed68990100d2 +Author: Brad Spengler +Date: Sat Aug 10 09:41:40 2013 -0400 + + propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages + + Signed-off-by: Brad Spengler + + arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347 +Author: Brad Spengler +Date: Mon Aug 5 17:58:42 2013 -0400 + + Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 + + Signed-off-by: Brad Spengler + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1 +Author: Brad Spengler +Date: Mon Aug 5 17:26:40 2013 -0400 + + Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. + + Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to + user namespaces! + + Signed-off-by: Brad Spengler + + kernel/fork.c | 17 ----------------- + kernel/user_namespace.c | 15 +++++++++++++++ + 2 files changed, 15 insertions(+), 17 deletions(-) + +commit 5c0737b045d057152a39154746d8c8e5d59185ed +Author: Brad Spengler +Date: Mon Aug 5 16:05:41 2013 -0400 + + silence a warning on older gcc + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8 +Author: Brad Spengler +Date: Sat Aug 3 08:31:08 2013 -0400 + + we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs + + Signed-off-by: Brad Spengler + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6 +Author: Brad Spengler +Date: Fri Aug 2 23:54:51 2013 -0400 + + add include + + Signed-off-by: Brad Spengler + + grsecurity/grsec_log.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5 +Author: Brad Spengler +Date: Fri Aug 2 23:49:13 2013 -0400 + + fix compilation + + Signed-off-by: Brad Spengler + + include/linux/grinternal.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit d4d49138661d5cb646f0dd012178447380b79956 +Author: Brad Spengler +Date: Fri Aug 2 23:34:35 2013 -0400 + + Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping + + Signed-off-by: Brad Spengler + + fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ + fs/exec.c | 4 ++++ + grsecurity/Kconfig | 21 +++++---------------- + grsecurity/grsec_init.c | 4 ---- + grsecurity/grsec_log.c | 14 ++++++++++++++ + grsecurity/grsec_pax.c | 19 ++++++++++++++----- + grsecurity/grsec_sysctl.c | 9 --------- + include/linux/binfmts.h | 1 + + include/linux/grinternal.h | 2 +- + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 3 ++- + mm/mmap.c | 7 +++++++ + mm/mprotect.c | 2 +- + 13 files changed, 88 insertions(+), 38 deletions(-) + +commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15 +Author: Brad Spengler +Date: Thu Aug 1 18:52:02 2013 -0400 + + add missing #define + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 4a307f7d3ff3ab232c0b6341415088e7618c494e +Author: Brad Spengler +Date: Thu Aug 1 18:43:53 2013 -0400 + + fix compilation for !COMPAT as reported on the forums + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- + 1 files changed, 97 insertions(+), 98 deletions(-) + +commit 78011eb5c2454b8afc96b98bd86ac172e589b13c +Author: Brad Spengler +Date: Wed Jul 31 17:47:20 2013 -0400 + + Revert "revert recent PaX change that causes boot failures with 32bit userland" + + This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. + + Signed-off-by: Brad Spengler + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad +Author: Brad Spengler +Date: Wed Jul 31 16:26:58 2013 -0400 + + compile fix for !COMPAT as mentioned on forums + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit e670dc535e4501fd12d8bf00f1e1306c44266fe7 +Author: Brad Spengler +Date: Tue Jul 30 22:33:14 2013 -0400 + + perform compat conversion of rlimit infinity + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 2834fe28e69176da6ac4989c6e3dc713faafefe5 +Author: Brad Spengler +Date: Tue Jul 30 22:21:40 2013 -0400 + + remove debugging + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- + 1 files changed, 11 insertions(+), 33 deletions(-) + +commit 2669672647f6955f0e5154596492c73cd4fda330 +Author: Brad Spengler +Date: Tue Jul 30 22:20:32 2013 -0400 + + eliminate compat_dev_t + + Signed-off-by: Brad Spengler + + include/linux/gracl_compat.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 75de5da79f5e03936a79ffe2c827462000001985 +Author: Brad Spengler +Date: Tue Jul 30 22:13:22 2013 -0400 + + fix compat rlimit size + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- + include/linux/gracl_compat.h | 4 +- + 2 files changed, 49 insertions(+), 23 deletions(-) + +commit 9055a8feb8493a30d1ad0fcef25eb496630d223f +Author: Brad Spengler +Date: Tue Jul 30 21:20:18 2013 -0400 + + compile fix + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720 +Author: Brad Spengler +Date: Tue Jul 30 21:14:29 2013 -0400 + + copy correct pointer size in new compat code + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 8 ++++---- + grsecurity/gracl_compat.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 129b6204587740fd082e731a54d00e8a9fc35f8b +Author: Brad Spengler +Date: Tue Jul 30 19:15:50 2013 -0400 + + compile fix + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f +Author: Brad Spengler +Date: Tue Jul 30 19:12:46 2013 -0400 + + remove BUILD_BUG_ONs + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 20 -------------------- + 1 files changed, 0 insertions(+), 20 deletions(-) + +commit 67fc73af0876d311c0d01d3b16fa429f44af12b9 +Author: Brad Spengler +Date: Tue Jul 30 00:18:36 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 8 ++++---- + include/linux/gracl_compat.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096 +Author: Brad Spengler +Date: Tue Jul 30 00:16:42 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_compat.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 798adb5cab6c3a8056e1b415e6f34a270f369721 +Author: Brad Spengler +Date: Tue Jul 30 00:13:51 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 4d4945ce90d83784634b898f83cb5a7699537733 +Author: Brad Spengler +Date: Tue Jul 30 00:11:03 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2 +Author: Brad Spengler +Date: Tue Jul 30 00:08:21 2013 -0400 + + more compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 28 ++++++++++++++-------------- + 1 files changed, 14 insertions(+), 14 deletions(-) + +commit 6db464f72eff84f77335b69dc2748a3759e151d1 +Author: Brad Spengler +Date: Mon Jul 29 23:59:50 2013 -0400 + + more compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7 +Author: Brad Spengler +Date: Mon Jul 29 23:56:47 2013 -0400 + + additional compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 files changed, 49 insertions(+), 10 deletions(-) + +commit e78a78dcfc089142273243b54509840d3b50c538 +Author: Brad Spengler +Date: Mon Jul 29 23:47:15 2013 -0400 + + fix typo + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b27005e62bebc09e6604a6f5dc099742bb6b4434 +Author: Brad Spengler +Date: Mon Jul 29 23:46:59 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 14 deletions(-) + +commit 101b84a778c254dfd7399f5bcd6264ff437f1176 +Author: Brad Spengler +Date: Mon Jul 29 23:22:44 2013 -0400 + + Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel + + Also removed code duplication for copying strings into the kernel + + Work performed as part of sponsorship + + Signed-off-by: Brad Spengler + + grsecurity/Makefile | 4 + + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- + grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ + include/linux/gracl_compat.h | 156 +++++++++++++++++++++ + 4 files changed, 603 insertions(+), 142 deletions(-) + +commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e +Author: Brad Spengler +Date: Tue Jul 16 20:40:24 2013 -0400 + + allow viewing of ecryptfs version under SYSFS_RESTRICT + + Signed-off-by: Brad Spengler + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3e182e4da46de4c6b9a9f45d41030bef19260954 +Author: Brad Spengler +Date: Sun Jul 14 11:49:17 2013 -0400 + + Update PaX fix, just return the error + + Signed-off-by: Brad Spengler + + mm/madvise.c | 11 +++++------ + 1 files changed, 5 insertions(+), 6 deletions(-) + +commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870 +Author: Brad Spengler +Date: Sun Jul 14 11:36:00 2013 -0400 + + Fix madvise oops reported by Peter Keel + + Signed-off-by: Brad Spengler + + mm/madvise.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit 32537d92b8da84f38bf45eb85b6953f452064936 +Author: Brad Spengler +Date: Tue Jul 9 22:04:59 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + fs/exec.c | 2 +- + mm/mmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70 +Author: Brad Spengler +Date: Sat Sep 14 16:15:10 2013 -0400 + + Initial port of grsecurity to 3.11 using new git method + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 3 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 12 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 1 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 128 ++- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/block/cpqarray.c | 1 + + drivers/cdrom/cdrom.c | 2 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++--------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 9 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 184 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 256 +++- + fs/namespace.c | 16 + + fs/open.c | 38 + + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 166 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/perf_event.h | 13 +- + include/linux/printk.h | 3 +- + include/linux/sched.h | 24 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 ++- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 64 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 2 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 7 + + kernel/printk/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 69 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 1 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 63 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev_ioctl.c | 4 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 4 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netrom/af_netrom.c | 1 - + net/phonet/af_phonet.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 341 +++- + security/apparmor/Kconfig | 9 + + security/apparmor/apparmorfs.c | 231 +++ + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 235 files changed, 4384 insertions(+), 1312 deletions(-) + +commit a76b033c58b4886552911442f1b89e0cee041dae +Author: Brad Spengler +Date: Tue Jul 9 20:57:40 2013 -0400 + + Commit merge of new files and rejected patches + + Signed-off-by: Brad Spengler + + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/kernel/process.c | 4 +- + arch/powerpc/include/asm/thread_info.h | 7 +- + arch/powerpc/mm/slice.c | 2 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/x86/kernel/vm86_32.c | 15 + + fs/coredump.c | 1 + + fs/ext4/balloc.c | 4 +- + fs/namei.c | 7 + + fs/namespace.c | 8 + + fs/pipe.c | 2 +- + fs/proc/inode.c | 13 + + fs/proc/internal.h | 3 + + grsecurity/Kconfig | 1054 +++++++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 ++++ + grsecurity/gracl_ip.c | 387 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 434 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 +++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 +++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 246 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/gracl.h | 319 +++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 ++ + include/linux/grinternal.h | 227 ++ + include/linux/grmsg.h | 112 + + include/linux/grsecurity.h | 241 ++ + include/linux/grsock.h | 19 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/proc_fs.h | 13 + + include/linux/sched.h | 48 +- + include/trace/events/fs.h | 53 + + kernel/kmod.c | 7 +- + kernel/panic.c | 2 +- + kernel/posix-timers.c | 1 + + kernel/time/timekeeping.c | 2 + + lib/Kconfig.debug | 2 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/mmap.c | 13 +- + mm/shmem.c | 2 +- + net/core/net-procfs.c | 5 + + net/ipv6/udp.c | 3 + + net/netfilter/xt_gradm.c | 51 + + 66 files changed, 11184 insertions(+), 21 deletions(-) + +commit d1cf217118e0750f54aca9136d8c6a41f0ae439c +Author: Brad Spengler +Date: Sat Sep 14 14:36:40 2013 -0400 + + Initial import of pax-linux-3.11-test4.patch + + Documentation/dontdiff | 46 +- + Documentation/kernel-parameters.txt | 23 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 444 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 3 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 54 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 95 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 110 +- + arch/arm/kernel/entry-common.S | 40 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 3 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/process.c | 42 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 35 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/kvm/arm.c | 8 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 6 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/context.c | 10 +- + arch/arm/mm/fault.c | 104 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 185 +- + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 728 +++- + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/local.h | 57 + + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/include/asm/smtc_proc.h | 2 +- + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/irq.c | 6 +- + arch/mips/kernel/process.c | 12 - + arch/mips/kernel/smtc-proc.c | 6 +- + arch/mips/kernel/smtc.c | 2 +- + arch/mips/kernel/sync-r4k.c | 24 +- + arch/mips/kernel/traps.c | 13 +- + arch/mips/mm/fault.c | 25 + + arch/mips/mm/mmap.c | 51 +- + arch/mips/sgi-ip27/ip27-nmi.c | 6 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap.c | 16 + + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/smp_64.c | 12 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 52 +- + arch/sparc/kernel/traps_64.c | 27 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 + + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/sparc/mm/init_64.c | 10 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 22 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 16 +- + arch/x86/ia32/ia32entry.S | 157 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 +- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 16 +- + arch/x86/include/asm/desc.h | 74 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 8 +- + arch/x86/include/asm/futex.h | 20 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 128 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 124 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 82 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 29 +- + arch/x86/include/asm/smap.h | 64 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/tlbflush.h | 74 +- + arch/x86/include/asm/uaccess.h | 112 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 14 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 130 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 356 +- + arch/x86/kernel/entry_64.S | 669 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 228 +- + arch/x86/kernel/head_64.S | 138 +- + arch/x86/kernel/i386_ksyms_32.c | 12 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 67 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 20 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 42 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/relocate_kernel_64.S | 5 +- + arch/x86/kernel/setup.c | 65 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 19 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 28 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 12 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/tracepoint.c | 4 +- + arch/x86/kernel/traps.c | 62 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 147 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 6 +- + arch/x86/kernel/x86_init.c | 6 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 61 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 89 +- + arch/x86/lib/copy_user_nocache_64.S | 22 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 13 +- + arch/x86/lib/getuser.S | 74 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 22 +- + arch/x86/lib/memmove_64.S | 36 +- + arch/x86/lib/memset_64.S | 11 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 363 +- + arch/x86/lib/usercopy_64.c | 18 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 571 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 101 +- + arch/x86/mm/init_32.c | 111 +- + arch/x86/mm/init_64.c | 45 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 36 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 139 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/mm/uderef_64.c | 37 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 39 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 3 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 45 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-cgroup.c | 4 +- + block/blk-iopoll.c | 2 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 2 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/genhd.c | 9 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 2 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/apei/ghes.c | 4 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 12 +- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_nl.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 43 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clk/socfpga/clk.c | 7 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_ondemand.c | 8 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/crypto/hifn_795x.c | 4 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_device.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci.c | 4 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 6 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 24 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/gpu/host1x/drm/dc.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hid/uhid.c | 6 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hv_balloon.c | 18 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mcg.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/misc/ims-pcu.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/input/serio/serio_raw.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_common.c | 2 + + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bcache/super.c | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/rc/rc-main.c | 4 +- + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- + drivers/media/v4l2-core/v4l2-device.c | 4 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/usb/sierra_net.c | 4 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wimax/i2400m/rx.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/core.c | 4 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/android/timed_output.c | 6 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.h | 4 +- + drivers/target/sbp/sbp_target.c | 4 +- + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/hvc/hvsi.c | 12 +- + drivers/tty/hvc/hvsi_lib.c | 6 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/ioc4_serial.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/msm_serial.c | 4 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/dwc3/gadget.c | 2 - + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/misc/appledisplay.c | 4 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vfio/vfio.c | 2 +- + drivers/vhost/vringh.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/hyperv_fb.c | 4 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/afs/inode.c | 4 +- + fs/aio.c | 12 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 648 ++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/delayed-inode.c | 6 +- + fs/btrfs/delayed-inode.h | 4 +- + fs/btrfs/super.c | 2 +- + fs/buffer.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/ceph/super.c | 4 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 4 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 18 +- + fs/dcache.c | 3 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 +- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/fhandle.c | 3 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 38 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 26 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 16 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 6 +- + fs/ntfs/super.c | 6 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 61 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 12 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 41 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 7 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 16 + + include/asm-generic/uaccess.h | 16 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 5 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fdtable.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 17 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/linkage.h | 1 + + include/linux/list.h | 15 + + include/linux/math64.h | 8 +- + include/linux/mm.h | 116 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-ohci-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/preempt.h | 19 + + include/linux/proc_ns.h | 2 +- + include/linux/random.h | 15 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 67 +- + include/linux/sched/sysctl.h | 1 + + include/linux/security.h | 2 +- + include/linux/seq_file.h | 1 + + include/linux/signal.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 48 +- + include/linux/slab_def.h | 32 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 8 +- + include/linux/smp.h | 2 + + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 18 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 9 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-device.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 17 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 18 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/netns/ipv6.h | 2 +- + include/net/ping.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 42 +- + init/main.c | 84 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 38 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 30 +- + kernel/events/internal.h | 12 +- + kernel/events/uprobes.c | 2 +- + kernel/exit.c | 4 +- + kernel/fork.c | 170 +- + kernel/futex.c | 11 +- + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 2 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 10 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 24 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 74 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 49 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 32 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 14 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_clock.c | 4 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 10 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 3 +- + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 25 + + mm/mlock.c | 15 +- + mm/mmap.c | 588 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 41 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 44 +- + mm/shmem.c | 19 +- + mm/slab.c | 108 +- + mm/slab.h | 15 +- + mm/slab_common.c | 60 +- + mm/slob.c | 206 +- + mm/slub.c | 88 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 77 +- + mm/vmstat.c | 10 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 2 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/ceph/messenger.c | 4 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/netpoll.c | 4 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/skbuff.c | 6 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ieee802154/6lowpan.c | 2 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 14 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 20 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/datagram.c | 2 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/output_core.c | 15 +- + net/ipv6/ping.c | 28 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 6 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 10 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/auth_gss/svcauth_gss.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 4 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 33 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 690 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 12 +- + security/selinux/avc.c | 6 +- + security/selinux/hooks.c | 6 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/hda/hda_codec.c | 8 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 2 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 172 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 560 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 471 ++ + tools/gcc/latent_entropy_plugin.c | 321 + + tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2113 +++++++ + tools/gcc/stackleak_plugin.c | 327 + + tools/gcc/structleak_plugin.c | 277 + + tools/lib/lk/Makefile | 2 +- + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1664 files changed, 32957 insertions(+), 7636 deletions(-) +commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c +Merge: c3ccfb2 777e08c +Author: Brad Spengler +Date: Sun Sep 8 19:49:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 +Author: Brad Spengler +Date: Sun Sep 8 19:47:32 2013 -0400 + + Update to pax-linux-3.10.11-test26.patch: + - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger + - fixed an uninitialized read in splice, reported by hunger + + fs/splice.c | 1 + + include/linux/syscalls.h | 14 +- + tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- + 3 files changed, 247 insertions(+), 194 deletions(-) + +commit 5c3161364270c842d901789faac731f79a9f9cd6 +Merge: cf9c476 85cdabb +Author: Brad Spengler +Date: Sun Sep 8 19:24:25 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit c3ccfb29794a03413095422100ce90d40ef7df0f +Author: Jakob Bornecrantz +Date: Thu Aug 29 02:32:53 2013 +0200 + + Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f + + drm/vmwgfx: Split GMR2_REMAP commands if they are to large + + This fixes the piglit test texturing/max-texture-size + causing the VM to die due to a too large SVGA command. + + Signed-off-by: Jakob Bornecrantz + Reviewed-by: Biran Paul + Reviewed-by: Zack Rusin + Cc: stable@vger.kernel.org + Signed-off-by: Dave Airlie + + drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- + 1 files changed, 39 insertions(+), 19 deletions(-) + +commit d260badf708d6aa16c44f56f54727532dcae826e +Author: Daniel Borkmann +Date: Tue Sep 3 19:29:12 2013 +0200 + + Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df + + net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv + + In tcp_v6_do_rcv() code, when processing pkt options, we soley work + on our skb clone opt_skb that we've created earlier before entering + tcp_rcv_established() on our way. However, only in condition ... + + if (np->rxopt.bits.rxtclass) + np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); + + ... we work on skb itself. As we extract every other information out + of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can + already be released by tcp_rcv_established() earlier on. When we try + to access it in ipv6_hdr(), we will dereference freed skb. + + [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for + IP_PKTOPTIONS") ] + + Signed-off-by: Daniel Borkmann + Cc: Eric Dumazet + Acked-by: Eric Dumazet + Acked-by: Jiri Benc + Signed-off-by: David S. Miller + + net/ipv6/tcp_ipv6.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 +Author: Dan Carpenter +Date: Thu Aug 29 11:47:00 2013 +0300 + + Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 + + mISDN: return -EINVAL on error in dsp_control_req() + + If skb->len is too short then we should return an error. Otherwise we + read beyond the end of skb->data for several bytes. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/mISDN/dsp_core.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af +Author: Brad Spengler +Date: Thu Sep 5 19:36:23 2013 -0400 + + fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit da68dbcd96c617923a0aedb177d36b2701f9c858 +Author: Brad Spengler +Date: Thu Sep 5 19:17:02 2013 -0400 + + Allow the deny_new_usb sysctl to be toggled off by a user with + CAP_SYS_ADMIN. This allows for more inventive uses of the feature + that would be impossible otherwise (like toggling it while the screen is + locked, etc) + + grsecurity/grsec_sysctl.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit ce0e893adc830ee110f97071cc17e661fb35ae3d +Author: Brad Spengler +Date: Thu Sep 5 18:41:49 2013 -0400 + + Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what + GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for + users who know they want the functionality but don't want to bother + with modifying init scripts + + Also eliminate reset_security_ops() as a ROP target when + SECURITY_SELINUX_DISABLE is disabled as it's the only user + + grsecurity/Kconfig | 17 ++++++++++++++++- + grsecurity/grsec_init.c | 3 +++ + grsecurity/grsec_sysctl.c | 2 +- + security/security.c | 4 ++++ + 4 files changed, 24 insertions(+), 2 deletions(-) + +commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd +Merge: 7ee3899 cf9c476 +Author: Brad Spengler +Date: Sun Sep 1 13:56:57 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cf9c47690fa0f3da590de766ea8c6a543984ee3c +Author: Brad Spengler +Date: Sun Sep 1 13:56:16 2013 -0400 + + Update to pax-linux-3.10.10-test25.patch: + - fixed a few more REFCOUNT false positives, by Mathias Krause + - got inet_getid and ipv6_select_ident rid of the cmpxchg loop + + block/blk-cgroup.c | 4 ++-- + drivers/video/hyperv_fb.c | 4 ++-- + fs/namespace.c | 4 ++-- + include/net/inetpeer.h | 13 +++++-------- + kernel/trace/trace_clock.c | 4 ++-- + net/ipv6/output_core.c | 15 ++++++--------- + net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- + 7 files changed, 21 insertions(+), 27 deletions(-) + +commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa +Merge: fd0338c 2bdeae7 +Author: Brad Spengler +Date: Sat Aug 31 22:07:38 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 +Author: Brad Spengler +Date: Sat Aug 31 22:06:55 2013 -0400 + + Update to pax-linux-3.10.10-test24.patch: + - fixed a REFCOUNT false positive, by Mathias Krause + - fixed a bunch more after a quick audit of atomic_inc_return users + + drivers/acpi/apei/ghes.c | 4 ++-- + drivers/ata/libata-core.c | 4 ++-- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/block/drbd/drbd_nl.c | 4 ++-- + drivers/crypto/hifn_795x.c | 4 ++-- + drivers/edac/edac_device.c | 4 ++-- + drivers/edac/edac_pci.c | 4 ++-- + drivers/firewire/core-card.c | 4 ++-- + drivers/hv/hv_balloon.c | 18 +++++++++--------- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/input/misc/ims-pcu.c | 4 ++-- + drivers/input/serio/serio_raw.c | 4 ++-- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/rc/rc-main.c | 4 ++-- + drivers/media/v4l2-core/v4l2-device.c | 4 ++-- + drivers/net/usb/sierra_net.c | 4 ++-- + drivers/pci/hotplug/pciehp_hpc.c | 4 +--- + drivers/regulator/core.c | 4 ++-- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ + drivers/staging/android/timed_output.c | 6 +++--- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/target/sbp/sbp_target.c | 4 ++-- + drivers/tty/hvc/hvsi.c | 12 ++++++------ + drivers/tty/hvc/hvsi_lib.c | 6 +++--- + drivers/tty/serial/ioc4_serial.c | 6 +++--- + drivers/tty/serial/msm_serial.c | 4 ++-- + drivers/usb/misc/appledisplay.c | 4 ++-- + fs/afs/inode.c | 4 ++-- + fs/btrfs/delayed-inode.c | 6 +++--- + fs/btrfs/delayed-inode.h | 4 ++-- + fs/fscache/cookie.c | 4 ++-- + include/media/v4l2-device.h | 2 +- + net/ceph/messenger.c | 4 ++-- + net/core/netpoll.c | 4 ++-- + net/xfrm/xfrm_state.c | 4 ++-- + security/selinux/avc.c | 6 +++--- + 43 files changed, 93 insertions(+), 95 deletions(-) + +commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 +Merge: 1bdf7ec 85099d2 +Author: Brad Spengler +Date: Sat Aug 31 21:07:29 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed +Author: Brad Spengler +Date: Sat Aug 31 21:06:55 2013 -0400 + + Update to pax-linux-3.10.10-test23.patch: + - added the necessary atomic_unchecked_t conversion for mips + - audited and fixed arm and sparc for proper atomic_unchecked_t usage + + arch/arm/kvm/arm.c | 8 ++++---- + arch/arm/mm/context.c | 10 +++++----- + arch/mips/kernel/irq.c | 6 +++--- + arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ + arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- + arch/sparc/kernel/smp_64.c | 12 ++++++------ + arch/sparc/kernel/traps_64.c | 14 +++++++------- + arch/sparc/mm/init_64.c | 10 +++++----- + 8 files changed, 45 insertions(+), 45 deletions(-) + +commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 +Merge: 995a168 38ee86c +Author: Brad Spengler +Date: Fri Aug 30 19:23:36 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 38ee86c05df0f8db582df8776b9f23f317d42bbb +Author: Brad Spengler +Date: Fri Aug 30 19:23:11 2013 -0400 + + Update to pax-linux-3.10.10-test22.patch: + - fixed !REFCOUNT/mips compilation, by Corey Minyard + - fixed a few more format strings + + arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- + drivers/md/bcache/super.c | 2 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- + drivers/pci/hotplug/pciehp_hpc.c | 2 +- + drivers/platform/x86/wmi.c | 2 +- + drivers/scsi/sd.c | 2 +- + drivers/vfio/vfio.c | 4 ++-- + fs/ntfs/super.c | 6 +++--- + include/linux/workqueue.h | 6 +++--- + net/mac80211/main.c | 2 +- + sound/pci/hda/hda_codec.c | 8 ++------ + 11 files changed, 32 insertions(+), 25 deletions(-) + +commit 995a16841e2097c3a9dfc652e856469679c4a0ba +Author: Brad Spengler +Date: Fri Aug 30 17:11:11 2013 -0400 + + fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast + + grsecurity/grsec_sysctl.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 +Merge: be2497c 1052971 +Author: Brad Spengler +Date: Thu Aug 29 20:44:29 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + include/linux/sched.h + +commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 +Merge: e902dad 8bf3379 +Author: Brad Spengler +Date: Thu Aug 29 20:39:50 2013 -0400 + + Update to pax-linux-3.10.10-test21.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/sys_x86_64.c + arch/x86/mm/mmap.c + include/linux/sched.h + +commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 +Merge: 081c22b e902dad +Author: Brad Spengler +Date: Wed Aug 28 20:52:44 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 +Author: Brad Spengler +Date: Wed Aug 28 20:51:21 2013 -0400 + + Update to pax-linux-3.10.9-test21.patch: + - removed unnecessary type cast in do_PrefetchAbort, noticed by spender + - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov + - fixed a REFCOUNT false positive in UHID + - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) + Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout + (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): + - icmpv6_filter: no memory corruption, probably just some logical error in the caller + - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) + - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) + - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now + - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless + - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network + + arch/arm/mm/fault.c | 2 +- + arch/mips/kernel/traps.c | 2 -- + drivers/hid/uhid.c | 6 +++--- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/i4l/isdn_common.c | 2 ++ + drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- + drivers/usb/dwc3/gadget.c | 2 -- + net/ieee802154/6lowpan.c | 2 +- + net/ipv6/raw.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- + 10 files changed, 14 insertions(+), 16 deletions(-) + +commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 +Author: Brad Spengler +Date: Wed Aug 28 20:42:39 2013 -0400 + + add export of gr_handle_new_usb() + + grsecurity/grsec_usb.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 +Author: Brad Spengler +Date: Wed Aug 28 19:24:47 2013 -0400 + + Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit + Kees' recent findings are motivation enough to publish it + + drivers/usb/core/hub.c | 5 +++++ + grsecurity/Kconfig | 20 ++++++++++++++++++++ + grsecurity/Makefile | 3 ++- + grsecurity/grsec_init.c | 1 + + grsecurity/grsec_sysctl.c | 11 +++++++++++ + grsecurity/grsec_usb.c | 13 +++++++++++++ + include/linux/grinternal.h | 1 + + include/linux/grsecurity.h | 2 ++ + 8 files changed, 55 insertions(+), 1 deletions(-) + +commit 8044382257ec75a03f3d784ce048ef14e94b90ca +Author: Kees Cook +Date: Wed Aug 14 09:35:07 2013 -0700 + + HID: zeroplus: validate output report details + + The zeroplus HID driver was not checking the size of allocated values + in fields it used. A HID device could send a malicious output report + that would cause the driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 + ... + [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2889 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-zpff.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f +Author: Kees Cook +Date: Wed Aug 14 14:36:15 2013 -0700 + + HID: provide a helper for validating hid reports + + Many drivers need to validate the characteristics of their HID report + during initialization to avoid misusing the reports. This adds a common + helper to perform validation of the report, its field count, and the + value count within the fields. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 +++ + 2 files changed, 54 insertions(+), 0 deletions(-) + +commit 270ba9096ddecdc3cf6c4d76e6892184820116be +Author: Kees Cook +Date: Wed Aug 14 09:14:34 2013 -0700 + + HID: steelseries: validate output report details + + A HID device could send a malicious output report that would cause the + steelseries HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 + ... + [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + + CVE-2013-2891 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-steelseries.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 +Author: Kees Cook +Date: Wed Aug 14 08:49:21 2013 -0700 + + HID: pantherlord: validate output report details + + A HID device could send a malicious output report that would cause the + pantherlord HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 + ... + [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2892 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 60115e8108e508060815bce5ef9504233c81898c +Author: Kees Cook +Date: Tue Aug 13 16:49:01 2013 -0700 + + HID: LG: validate HID output report details + + A HID device could send a malicious output report that would cause the + lg, lg3, and lg4 HID drivers to write beyond the output report allocation + during an event, causing a heap overflow: + + [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 + ... + [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten + + Additionally, while lg2 did correctly validate the report details, it was + cleaned up and shortened. + + CVE-2013-2893 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- + 4 files changed, 12 insertions(+), 73 deletions(-) + +commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f +Author: Kees Cook +Date: Thu Aug 15 23:21:23 2013 -0700 + + HID: lenovo-tpkbd: validate output report details + + A HID device could send a malicious output report that would cause the + lenovo-tpkbd HID driver to write just beyond the output report allocation + during initialization, causing a heap overflow: + + [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 + ... + [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2894 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 38627769bb2b9a550e251b2caf1babda7566fb4a +Author: Kees Cook +Date: Thu Aug 15 23:45:03 2013 -0700 + + HID: logitech-dj: validate output report details + + A HID device could send a malicious output report that would cause the + logitech-dj HID driver to leak kernel memory contents to the device, or + trigger a NULL dereference during initialization: + + [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b + ... + [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 + [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 + + CVE-2013-2895 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 +Author: Kees Cook +Date: Fri Aug 16 00:18:15 2013 -0700 + + HID: ntrig: validate feature report details + + A HID device could send a malicious feature report that would cause the + ntrig HID driver to trigger a NULL dereference during initialization: + + [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 + ... + [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 + [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + + CVE-2013-2896 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-ntrig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 +Author: Kees Cook +Date: Fri Aug 16 00:11:32 2013 -0700 + + HID: multitouch: validate feature report details + + When working on report indexes, always validate that they are in bounds. + Without this, a HID device could report a malicious feature report that + could trick the driver into a heap overflow: + + [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 + ... + [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2897 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 files changed, 20 insertions(+), 5 deletions(-) + +commit 813f51e0881e4ea6d221da828b1cced02ad9694d +Author: Kees Cook +Date: Fri Aug 16 08:12:45 2013 -0700 + + HID: sensor-hub: validate feature report details + + A HID device could send a malicious feature report that would cause the + sensor-hub HID driver to read past the end of heap allocation, leaking + kernel memory contents to the caller. + + CVE-2013-2898 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c +Author: Kees Cook +Date: Fri Aug 16 08:05:10 2013 -0700 + + HID: picolcd_core: validate output report details + + A HID device could send a malicious output report that would cause the + picolcd HID driver to trigger a NULL dereference during attr file writing. + + CVE-2013-2899 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-picolcd_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 95e3cfb5a995dabe45b98cafb77e59d074de151f +Author: Kees Cook +Date: Fri Aug 16 08:09:54 2013 -0700 + + HID: check for NULL field when setting values + + Defensively check that the field to be worked on is not NULL. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-core.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 96a55ce1b2f3af376c400a02059174e79ce4399c +Author: Brad Spengler +Date: Wed Aug 28 18:09:18 2013 -0400 + + http://marc.info/?l=linux-input&m=137772180514608&q=raw + + From: Kees Cook + + The "Report ID" field of a HID report is used to build indexes of + reports. The kernel's index of these is limited to 256 entries, so any + malicious device that sets a Report ID greater than 255 will trigger + memory corruption on the host: + + [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 + [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + + CVE-2013-2888 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + --- + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +commit eb1106eef5f17bfda833ca3cf89e315919173257 +Author: Dan Carpenter +Date: Fri Aug 9 12:52:31 2013 +0300 + + Upstream commit: 909bd5926d474e275599094acad986af79671ac9 + + Hostap: copying wrong data prism2_ioctl_giwaplist() + + We want the data stored in "addr" and "qual", but the extra ampersands + mean we are copying stack data instead. + + Signed-off-by: Dan Carpenter + Cc: stable@vger.kernel.org + Signed-off-by: John W. Linville + + drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 +Author: Brad Spengler +Date: Wed Aug 28 17:01:21 2013 -0400 + + fix typo in ipv6 backport + + net/ipv6/addrconf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 +Author: Andy Lutomirski +Date: Thu Aug 22 11:39:15 2013 -0700 + + Upstream commit: d661684cf6820331feae71146c35da83d794467e + + net: Check the correct namespace when spoofing pid over SCM_RIGHTS + + This is a security bug. + + The follow-up will fix nsproxy to discourage this type of issue from + happening again. + + Cc: stable@vger.kernel.org + Signed-off-by: Andy Lutomirski + Reviewed-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/core/scm.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 +Author: Hannes Frederic Sowa +Date: Fri Aug 16 13:02:27 2013 +0200 + + Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 + + ipv6: remove max_addresses check from ipv6_create_tempaddr + + Because of the max_addresses check attackers were able to disable privacy + extensions on an interface by creating enough autoconfigured addresses: + + + + But the check is not actually needed: max_addresses protects the + kernel to install too many ipv6 addresses on an interface and guards + addrconf_prefix_rcv to install further addresses as soon as this limit + is reached. We only generate temporary addresses in direct response of + a new address showing up. As soon as we filled up the maximum number of + addresses of an interface, we stop installing more addresses and thus + also stop generating more temp addresses. + + Even if the attacker tries to generate a lot of temporary addresses + by announcing a prefix and removing it again (lifetime == 0) we won't + install more temp addresses, because the temporary addresses do count + to the maximum number of addresses, thus we would stop installing new + autoconfigured addresses when the limit is reached. + + This patch fixes CVE-2013-0343 (but other layer-2 attacks are still + possible). + + Thanks to Ding Tianhong to bring this topic up again. + + Cc: Ding Tianhong + Cc: George Kargiotakis + Cc: P J P + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Acked-by: Ding Tianhong + Signed-off-by: David S. Miller + + Conflicts: + + net/ipv6/addrconf.c + + net/ipv6/addrconf.c | 10 ++++------ + 1 files changed, 4 insertions(+), 6 deletions(-) + +commit 8333e0981469a226a47d0142ff31090a48db95a4 +Author: David Vrabel +Date: Thu Aug 15 13:21:06 2013 +0100 + + Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 + + xen/events: initialize local per-cpu mask for all possible events + + The sizeof() argument in init_evtchn_cpu_bindings() is incorrect + resulting in only the first 64 (or 32 in 32-bit guests) ports having + their bindings being initialized to VCPU 0. + + In most cases this does not cause a problem as request_irq() will set + the irq affinity which will set the correct local per-cpu mask. + However, if the request_irq() is called on a VCPU other than 0, there + is a window between the unmasking of the event and the affinity being + set were an event may be lost because it is not locally unmasked on + any VCPU. If request_irq() is called on VCPU 0 then local irqs are + disabled during the window and the race does not occur. + + Fix this by initializing all NR_EVENT_CHANNEL bits in the local + per-cpu masks. + + Signed-off-by: David Vrabel + Signed-off-by: Konrad Rzeszutek Wilk + CC: stable@vger.kernel.org + + drivers/xen/events.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2a9a83768433937a2b7a97001ba1627156c0efed +Author: Roland Dreier +Date: Mon Aug 5 17:55:01 2013 -0700 + + Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 + + [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal + + There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances + leads to one process writing data into the address space of some other + random unrelated process if the ioctl is interrupted by a signal. + What happens is the following: + + - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the + underlying SCSI command will transfer data from the SCSI device to + the buffer provided in the ioctl) + + - Before the command finishes, a signal is sent to the process waiting + in the ioctl. This will end up waking up the sg_ioctl() code: + + result = wait_event_interruptible(sfp->read_wait, + (srp_done(sfp, srp) || sdp->detached)); + + but neither srp_done() nor sdp->detached is true, so we end up just + setting srp->orphan and returning to userspace: + + srp->orphan = 1; + write_unlock_irq(&sfp->rq_list_lock); + return result; /* -ERESTARTSYS because signal hit process */ + + At this point the original process is done with the ioctl and + blithely goes ahead handling the signal, reissuing the ioctl, etc. + + - Eventually, the SCSI command issued by the first ioctl finishes and + ends up in sg_rq_end_io(). At the end of that function, we run through: + + write_lock_irqsave(&sfp->rq_list_lock, iflags); + if (unlikely(srp->orphan)) { + if (sfp->keep_orphan) + srp->sg_io_owned = 0; + else + done = 0; + } + srp->done = done; + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + if (likely(done)) { + /* Now wake up any sg_read() that is waiting for this + * packet. + */ + wake_up_interruptible(&sfp->read_wait); + kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); + kref_put(&sfp->f_ref, sg_remove_sfp); + } else { + INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); + schedule_work(&srp->ew.work); + } + + Since srp->orphan *is* set, we set done to 0 (assuming the + userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN + ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() + to run in a workqueue. + + - In workqueue context we go through sg_rq_end_io_usercontext() -> + sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> + bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). + + The key point here is that we are doing copy_to_user() on a + workqueue -- that is, we're on a kernel thread with current->mm + equal to whatever random previous user process was scheduled before + this kernel thread. So we end up copying whatever data the SCSI + command returned to the virtual address of the buffer passed into + the original ioctl, but it's quite likely we do this copying into a + different address space! + + As suggested by James Bottomley , + add a check for current->mm (which is NULL if we're on a kernel thread + without a real userspace address space) in bio_uncopy_user(), and skip + the copy if we're on a kernel thread. + + There's no reason that I can think of for any caller of bio_uncopy_user() + to want to do copying on a kernel thread with a random active userspace + address space. + + Huge thanks to Costa Sapuntzakis for the + original pointer to this bug in the sg code. + + Signed-off-by: Roland Dreier + Tested-by: David Milburn + Cc: Jens Axboe + Cc: + Signed-off-by: James Bottomley + + fs/bio.c | 20 +++++++++++++++----- + 1 files changed, 15 insertions(+), 5 deletions(-) + +commit e6fe57dee152671afd618d6bc8cbf23155be6c34 +Merge: cdc8f7d f2095a4 +Author: Brad Spengler +Date: Tue Aug 27 18:13:35 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + security/Kconfig + +commit f2095a4787f7d332e5919f0bd00f8de6021ad612 +Author: Brad Spengler +Date: Tue Aug 27 18:08:23 2013 -0400 + + Update to pax-linux-3.10.9-test20.patch: + - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy + - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard + - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard + - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do + - added REFCOUNT support for mips, by Corey Minyard + - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) + - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) + + arch/arm/mm/fault.c | 11 +- + arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- + arch/mips/kernel/traps.c | 14 +- + arch/x86/include/asm/tlbflush.h | 4 + + arch/x86/include/asm/uaccess_64.h | 2 +- + fs/ntfs/file.c | 2 +- + kernel/events/internal.h | 4 +- + kernel/events/uprobes.c | 2 +- + kernel/futex.c | 2 +- + mm/filemap.c | 8 +- + security/Kconfig | 2 +- + tools/gcc/kernexec_plugin.c | 18 +- + tools/gcc/latent_entropy_plugin.c | 26 +- + tools/gcc/size_overflow_plugin.c | 3 +- + 14 files changed, 750 insertions(+), 70 deletions(-) + +commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 +Merge: 5a9ae57 745975e +Author: Brad Spengler +Date: Mon Aug 26 20:27:33 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 745975e3b3b74b64e00e85778f9a22714d1274f2 +Author: Brad Spengler +Date: Mon Aug 26 20:26:33 2013 -0400 + + Fix compilation when UDEREF is enabled and KERNEXEC is disabled, + as reported by fabled on the forums: + http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 + + arch/arm/include/asm/pgtable.h | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 +Merge: 486ec00 f68df21 +Author: Brad Spengler +Date: Tue Aug 20 20:15:20 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 +Author: Brad Spengler +Date: Tue Aug 20 20:14:50 2013 -0400 + + Update to pax-linux-3.10.9-test18.patch: + - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) + - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) + - forward port to 3.10.9 + + arch/x86/kernel/entry_64.S | 18 +++++++++--------- + arch/x86/kernel/i386_ksyms_32.c | 4 ++++ + arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ + 3 files changed, 17 insertions(+), 9 deletions(-) + +commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f +Merge: f47a293 d8fed0e +Author: Brad Spengler +Date: Tue Aug 20 20:12:47 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 +Merge: f6ace8e 0a4b6d4 +Author: Brad Spengler +Date: Tue Aug 20 20:12:33 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit f47a293a1440da2a3e2c239d43d636e37ca74f10 +Merge: f1e8ec7 f6ace8e +Author: Brad Spengler +Date: Tue Aug 20 18:20:05 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/kernel/perf_event.c + include/linux/sched.h + +commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 +Merge: b4fa847 6f54059 +Author: Brad Spengler +Date: Tue Aug 20 18:18:02 2013 -0400 + + Update to pax-linux-3.10.8-test18.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/sys_x86_64.c + arch/x86/mm/mmap.c + include/linux/sched.h + +commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca +Merge: 6f88011 b4fa847 +Author: Brad Spengler +Date: Tue Aug 20 18:05:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 +Author: Brad Spengler +Date: Tue Aug 20 18:04:14 2013 -0400 + + Update to pax-linux-3.10.7-test18.patch: + - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) + - fixed a UDEREF resume regression due to the constification of clone_pgd_mask + - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause + + arch/arm/kernel/process.c | 2 +- + arch/x86/include/asm/processor.h | 25 ++----------------------- + arch/x86/kernel/cpu/common.c | 4 ++++ + arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ + drivers/staging/zcache/tmem.c | 4 ++-- + drivers/staging/zcache/tmem.h | 6 ++---- + 6 files changed, 47 insertions(+), 30 deletions(-) + +commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f +Author: Brad Spengler +Date: Mon Aug 19 22:10:04 2013 -0400 + + fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) + as reported by pipacs + + arch/x86/kernel/smpboot.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 +Merge: 6eba999 5de93c8 +Author: Brad Spengler +Date: Sun Aug 18 22:03:19 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db +Author: Brad Spengler +Date: Sun Aug 18 22:02:47 2013 -0400 + + Update to pax-linux-3.10.7-test15.patch: + - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) + - fixed some new REFCOUNT false positives, caught by inspection + + arch/x86/kernel/cpu/common.c | 5 +++-- + arch/x86/kernel/entry_64.S | 11 +++++++---- + fs/ceph/super.c | 4 ++-- + mm/backing-dev.c | 4 ++-- + 4 files changed, 14 insertions(+), 10 deletions(-) + +commit 94c119587c76723c1072237b98fff9886ccb7689 +Author: Brad Spengler +Date: Sun Aug 18 20:49:39 2013 -0400 + + fix pipacs' DEMORGAN typo + + arch/x86/include/asm/tlbflush.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 +Merge: df347f6 64a293e +Author: Brad Spengler +Date: Sun Aug 18 18:13:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 +Author: Brad Spengler +Date: Sun Aug 18 18:12:37 2013 -0400 + + Update to pax-linux-3.10.7-test14.patch: + - fixed compile error introduced by the previous PCID change + - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) + + arch/x86/include/asm/tlbflush.h | 2 +- + kernel/posix-timers.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 +Merge: d8efbc5 e11b314 +Author: Brad Spengler +Date: Sun Aug 18 08:15:00 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e11b314734c5b7317f5468be75305ad812e78c2b +Author: Brad Spengler +Date: Sun Aug 18 08:14:26 2013 -0400 + + Update to pax-linux-3.10.7-test13.patch: + - always enable the use of PCID and INVPCID when available in the CPU + - kvm guest kernels can use these features even if the host kernel lacks UDEREF + + arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- + arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- + 2 files changed, 70 insertions(+), 47 deletions(-) + +commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 +Author: Brad Spengler +Date: Sat Aug 17 12:00:20 2013 -0400 + + make kallsyms_lookup_size_offset available to approved source files + + include/linux/kallsyms.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 6c8feffa95ce2db280160015027b52bb41a344c8 +Merge: dbf6930 0bb1c2b +Author: Brad Spengler +Date: Sat Aug 17 11:57:50 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 +Author: Brad Spengler +Date: Sat Aug 17 11:56:43 2013 -0400 + + Update to pax-linux-3.10.7-test12.patch: + - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause + - fixed some arm compile problems + + arch/x86/include/asm/tlbflush.h | 2 +- + drivers/clocksource/bcm_kona_timer.c | 2 +- + kernel/signal.c | 4 ++++ + 3 files changed, 6 insertions(+), 2 deletions(-) + +commit dbf69305ad4f8a037aae95af90f9201f556dcb48 +Author: Brad Spengler +Date: Sat Aug 17 11:18:09 2013 -0400 + + allow use of kallsyms_lookup_name to approved source files + + include/linux/kallsyms.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 +Merge: 68bd16f f562e3e +Author: Brad Spengler +Date: Sat Aug 17 10:35:02 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f562e3ef7737ea8d80431a722479b36a12504ace +Author: Brad Spengler +Date: Sat Aug 17 10:34:51 2013 -0400 + + add uderef_64.c + + arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 files changed, 37 insertions(+), 0 deletions(-) + +commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 +Author: Asbjoern Sloth Toennesen +Date: Mon Aug 12 16:30:09 2013 +0000 + + Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 + + rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header + + Fix the iproute2 command `bridge vlan show`, after switching from + rtgenmsg to ifinfomsg. + + Let's start with a little history: + + Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in + the 3.9 merge window. + In the kernel commit 6cbdceeb, he added attribute support to + bridge GETLINK requests sent with rtgenmsg. + + Mar 6th: Vlad got this iproute2 reference implementation of the bridge + vlan netlink interface accepted (iproute2 9eff0e5c) + + Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) + http://patchwork.ozlabs.org/patch/239602/ + http://marc.info/?t=136680900700007 + + Apr 28th: Linus released 3.9 + + Apr 30th: Stephen released iproute2 3.9.0 + + The `bridge vlan show` command haven't been working since the switch to + ifinfomsg, or in a released version of iproute2. Since the kernel side + only supports rtgenmsg, which iproute2 switched away from just prior to + the iproute2 3.9.0 release. + + I haven't been able to find any documentation, about neither rtgenmsg + nor ifinfomsg, and in which situation to use which, but kernel commit + 88c5b5ce seams to suggest that ifinfomsg should be used. + + Fixing this in kernel will break compatibility, but I doubt that anybody + have been using it due to this bug in the user space reference + implementation, at least not without noticing this bug. That said the + functionality is still fully functional in 3.9, when reversing iproute2 + commit 63338dca. + + This could also be fixed in iproute2, but thats an ugly patch that would + reintroduce rtgenmsg in iproute2, and from searching in netdev it seams + like rtgenmsg usage is discouraged. I'm assuming that the only reason + that Vlad implemented the kernel side to use rtgenmsg, was because + iproute2 was using it at the time. + + Signed-off-by: Asbjoern Sloth Toennesen + Reviewed-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/core/rtnetlink.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8c7bc5bafddddff55ed4687203a977e96f72540a +Author: Johannes Berg +Date: Tue Aug 13 09:04:05 2013 +0200 + + Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db + + genetlink: fix family dump race + + When dumping generic netlink families, only the first dump call + is locked with genl_lock(), which protects the list of families, + and thus subsequent calls can access the data without locking, + racing against family addition/removal. This can cause a crash. + Fix it - the locking needs to be conditional because the first + time around it's already locked. + + A similar bug was reported to me on an old kernel (3.4.47) but + the exact scenario that happened there is no longer possible, + on those kernels the first round wasn't locked either. Looking + at the current code I found the race described above, which had + also existed on the old kernel. + + Cc: stable@vger.kernel.org + Reported-by: Andrei Otcheretianski + Signed-off-by: Johannes Berg + Signed-off-by: David S. Miller + + net/netlink/genetlink.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb +Author: Daniel Borkmann +Date: Fri Aug 9 16:25:21 2013 +0200 + + Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e + + net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption + + Probably this one is quite unlikely to be triggered, but it's more safe + to do the call_rcu() at the end after we have dropped the reference on + the asoc and freed sctp packet chunks. The reason why is because in + sctp_transport_destroy_rcu() the transport is being kfree()'d, and if + we're unlucky enough we could run into corrupted pointers. Probably + that's more of theoretical nature, but it's safer to have this simple fix. + + Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings + for deferred call_rcu's"). I also did the 8c98653f regression test and + it's fine that way. + + Signed-off-by: Daniel Borkmann + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/transport.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 3925eab5483946fd746575a46f97bee9d566bb77 +Author: Stephane Grosjean +Date: Fri Aug 9 11:44:06 2013 +0200 + + Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e + + can: pcan_usb: fix wrong memcpy() bytes length + + Fix possibly wrong memcpy() bytes length since some CAN records received from + PCAN-USB could define a DLC field in range [9..15]. + In that case, the real DLC value MUST be used to move forward the record pointer + but, only 8 bytes max. MUST be copied into the data field of the struct + can_frame object of the skb given to the network core. + + Cc: linux-stable + Signed-off-by: Stephane Grosjean + Signed-off-by: Marc Kleine-Budde + Signed-off-by: David S. Miller + + drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c1ac6642baae4a400d1f87115024d1bb1ef53598 +Author: Linus Lüssing +Date: Tue Aug 6 20:21:15 2013 +0200 + + Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 + + batman-adv: fix potential kernel paging errors for unicast transmissions + + There are several functions which might reallocate skb data. Currently + some places keep reusing their old ethhdr pointer regardless of whether + they became invalid after such a reallocation or not. This potentially + leads to kernel paging errors. + + This patch fixes these by refetching the ethdr pointer after the + potential reallocations. + + Signed-off-by: Linus Lüssing + Signed-off-by: Marek Lindner + Signed-off-by: Antonio Quartulli + + net/batman-adv/bridge_loop_avoidance.c | 2 ++ + net/batman-adv/gateway_client.c | 13 ++++++++++++- + net/batman-adv/gateway_client.h | 3 +-- + net/batman-adv/soft-interface.c | 9 ++++++++- + net/batman-adv/unicast.c | 13 ++++++++++--- + 5 files changed, 33 insertions(+), 7 deletions(-) + +commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb +Author: Yuchung Cheng +Date: Fri Aug 9 17:21:27 2013 -0700 + + Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 + + netfilter: nf_conntrack: fix tcp_in_window for Fast Open + + Currently the conntrack checks if the ending sequence of a packet + falls within the observed receive window. However it does so even + if it has not observe any packet from the remote yet and uses an + uninitialized receive window (td_maxwin). + + If a connection uses Fast Open to send a SYN-data packet which is + dropped afterward in the network. The subsequent SYNs retransmits + will all fail this check and be discarded, leading to a connection + timeout. This is because the SYN retransmit does not contain data + payload so + + end == initial sequence number (isn) + 1 + sender->td_end == isn + syn_data_len + receiver->td_maxwin == 0 + + The fix is to only apply this check after td_maxwin is initialized. + + Reported-by: Michael Chan + Signed-off-by: Yuchung Cheng + Acked-by: Eric Dumazet + Acked-by: Jozsef Kadlecsik + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec +Author: Dan Carpenter +Date: Thu Aug 1 12:36:57 2013 +0300 + + Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 + + netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message + + These structs have a "_pad" member. Also the "phw" structs have an 8 + byte "hw_addr[]" array but sometimes only the first 6 bytes are + initialized. + + Signed-off-by: Dan Carpenter + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_log.c | 6 +++++- + net/netfilter/nfnetlink_queue_core.c | 5 ++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f +Author: Pablo Neira Ayuso +Date: Thu Jul 25 10:46:46 2013 +0200 + + Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 + + netfilter: xt_TCPOPTSTRIP: fix possible off by one access + + Fix a possible off by one access since optlen() + touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. + + This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen + that stores the TCP header length, to save some cycles. + + Reported-by: Julian Anastasov + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +commit 4634def261cf5f635bc60afe8a6ad436b3ec151e +Author: Pablo Neira Ayuso +Date: Thu Jul 25 10:37:49 2013 +0200 + + Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd + + netfilter: xt_TCPMSS: fix handling of malformed TCP header and options + + Make sure the packet has enough room for the TCP header and + that it is not malformed. + + While at it, store tcph->doff*4 in a variable, as it is used + several times. + + This patch also fixes a possible off by one in case of malformed + TCP options. + + Reported-by: Julian Anastasov + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ + 1 files changed, 16 insertions(+), 12 deletions(-) + +commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 +Author: Dave Jones +Date: Fri Aug 9 11:16:34 2013 -0700 + + Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e + + 8139cp: Fix skb leak in rx_status_loop failure path. + + Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 + ("8139cp: Add dma_mapping_error checking") + + Signed-off-by: Dave Jones + Signed-off-by: David S. Miller + + drivers/net/ethernet/realtek/8139cp.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 227b279491a0bbcc70ca3654f34903282c378600 +Author: Timo Teräs +Date: Tue Aug 6 13:45:43 2013 +0300 + + Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b + + ip_gre: fix ipgre_header to return correct offset + + Fix ipgre_header() (header_ops->create) to return the correct + amount of bytes pushed. Most callers of dev_hard_header() seem + to care only if it was success, but af_packet.c uses it as + offset to the skb to copy from userspace only once. In practice + this fixes packet socket sendto()/sendmsg() to gre tunnels. + + Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 + ("GRE: Refactor GRE tunneling code.") + + Cc: Pravin B Shelar + Signed-off-by: Timo Teräs + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/ip_gre.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb +Author: Eric Dumazet +Date: Mon Aug 5 11:18:49 2013 -0700 + + Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 + + fib_trie: remove potential out of bound access + + AddressSanitizer [1] dynamic checker pointed a potential + out of bound access in leaf_walk_rcu() + + We could allocate one more slot in tnode_new() to leave the prefetch() + in-place but it looks not worth the pain. + + Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") + + [1] : + https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel + + Reported-by: Andrey Konovalov + Signed-off-by: Eric Dumazet + Cc: Dmitry Vyukov + Signed-off-by: David S. Miller + + net/ipv4/fib_trie.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 +Author: Daniel Borkmann +Date: Mon Aug 5 12:49:35 2013 +0200 + + Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 + + net: esp{4,6}: fix potential MTU calculation overflows + + Commit 91657eafb ("xfrm: take net hdr len into account for esp payload + size calculation") introduced a possible interger overflow in + esp{4,6}_get_mtu() handlers in case of x->props.mode equals + XFRM_MODE_TUNNEL. Thus, the following expression will overflow + + unsigned int net_adj; + ... + + net_adj = 0; + ... + return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - + net_adj) & ~(align - 1)) + (net_adj - 2); + + where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned + context. Fix it by simply removing brackets as those operations here + do not need to have special precedence. + + Signed-off-by: Daniel Borkmann + Cc: Benjamin Poirier + Cc: Steffen Klassert + Acked-by: Benjamin Poirier + Signed-off-by: David S. Miller + + net/ipv4/esp4.c | 2 +- + net/ipv6/esp6.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit f02bce292d1c2fe610be509c96593e70b3de387b +Author: Julia Lawall +Date: Mon Aug 5 16:47:38 2013 +0200 + + Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 + + net/vmw_vsock/af_vsock.c: drop unneeded semicolon + + Drop the semicolon at the end of the list_for_each_entry loop header. + + Signed-off-by: Julia Lawall + Signed-off-by: David S. Miller + + net/vmw_vsock/af_vsock.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 +Author: Tiger Yang +Date: Tue Aug 13 16:00:58 2013 -0700 + + Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 + + ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page + + Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as + the struct file pointer, it finally result in a null pointer dereference + in ocfs2_duplicate_clusters_by_page. + + This patch replace file pointer with inode pointer in + cow_duplicate_clusters to fix this issue. + + [jeff.liu@oracle.com: rebased patch against linux-next tree] + Signed-off-by: Tiger Yang + Signed-off-by: Jie Liu + Cc: Joel Becker + Cc: Mark Fasheh + Acked-by: Tao Ma + Tested-by: David Weber + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/ocfs2/aops.c | 2 +- + fs/ocfs2/file.c | 6 ++-- + fs/ocfs2/move_extents.c | 2 +- + fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- + fs/ocfs2/refcounttree.h | 6 ++-- + 5 files changed, 16 insertions(+), 53 deletions(-) + +commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 +Author: Dan Carpenter +Date: Thu Aug 15 15:52:57 2013 +0300 + + Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e + + tun: signedness bug in tun_get_user() + + The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is + not totally correct. Because "len" and "sizeof()" are size_t type, that + means they are never less than zero. + + Signed-off-by: Dan Carpenter + Acked-by: Michael S. Tsirkin + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + drivers/net/tun.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 26ad267ddda451919357965a0cf271ca24d1bcf2 +Author: Weiping Pan +Date: Tue Aug 13 21:46:56 2013 +0800 + + Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 + + tun: compare with 0 instead of total_len + + Since we set "len = total_len" in the beginning of tun_get_user(), + so we should compare the new len with 0, instead of total_len, + or the if statement always returns false. + + Signed-off-by: Weiping Pan + Signed-off-by: David S. Miller + + drivers/net/tun.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 +Author: Guenter Roeck +Date: Fri Aug 16 20:50:55 2013 -0700 + + Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 + + s390: Fix broken build + + Fix this build error: + + In file included from fs/exec.c:61:0: + arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' + arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] + arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': + arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' + + Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range + invalidation corner cases"). + + Cc: Greg Kroah-Hartman + Cc: stable@vger.kernel.org + Signed-off-by: Guenter Roeck + [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] + Signed-off-by: Linus Torvalds + + arch/s390/include/asm/tlb.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4e57312c2de2a25ddb181d129dafbc0251062c33 +Author: Linus Torvalds +Date: Thu Aug 15 11:42:25 2013 -0700 + + Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce + + Fix TLB gather virtual address range invalidation corner cases + + Ben Tebulin reported: + + "Since v3.7.2 on two independent machines a very specific Git + repository fails in 9/10 cases on git-fsck due to an SHA1/memory + failures. This only occurs on a very specific repository and can be + reproduced stably on two independent laptops. Git mailing list ran + out of ideas and for me this looks like some very exotic kernel issue" + + and bisected the failure to the backport of commit 53a59fc67f97 ("mm: + limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). + + That commit itself is not actually buggy, but what it does is to make it + much more likely to hit the partial TLB invalidation case, since it + introduces a new case in tlb_next_batch() that previously only ever + happened when running out of memory. + + The real bug is that the TLB gather virtual memory range setup is subtly + buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: + enable tlb flush range in generic mmu_gather"), and the range handling + was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB + range flushed when __tlb_remove_page() runs out of slots"), but that fix + was not complete. + + The problem with the TLB gather virtual address range is that it isn't + set up by the initial tlb_gather_mmu() initialization (which didn't get + the TLB range information), but it is set up ad-hoc later by the + functions that actually flush the TLB. And so any such case that forgot + to update the TLB range entries would potentially miss TLB invalidates. + + Rather than try to figure out exactly which particular ad-hoc range + setup was missing (I personally suspect it's the hugetlb case in + zap_huge_pmd(), which didn't have the same logic as zap_pte_range() + did), this patch just gets rid of the problem at the source: make the + TLB range information available to tlb_gather_mmu(), and initialize it + when initializing all the other tlb gather fields. + + This makes the patch larger, but conceptually much simpler. And the end + result is much more understandable; even if you want to play games with + partial ranges when invalidating the TLB contents in chunks, now the + range information is always there, and anybody who doesn't want to + bother with it won't introduce subtle bugs. + + Ben verified that this fixes his problem. + + Reported-bisected-and-tested-by: Ben Tebulin + Build-testing-by: Stephen Rothwell + Build-testing-by: Richard Weinberger + Reviewed-by: Michal Hocko + Acked-by: Peter Zijlstra + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + arch/arm/include/asm/tlb.h | 7 +++++-- + arch/arm64/include/asm/tlb.h | 7 +++++-- + arch/ia64/include/asm/tlb.h | 9 ++++++--- + arch/s390/include/asm/tlb.h | 8 ++++++-- + arch/sh/include/asm/tlb.h | 6 ++++-- + arch/um/include/asm/tlb.h | 6 ++++-- + fs/exec.c | 4 ++-- + include/asm-generic/tlb.h | 2 +- + mm/hugetlb.c | 2 +- + mm/memory.c | 36 +++++++++++++++++++++--------------- + mm/mmap.c | 4 ++-- + 11 files changed, 57 insertions(+), 34 deletions(-) + +commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 +Merge: 5568c80 ffceabf +Author: Brad Spengler +Date: Sat Aug 17 09:11:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit ffceabfcc65c60109ba5fca694d78d4dc7047809 +Author: Brad Spengler +Date: Sat Aug 17 09:10:44 2013 -0400 + + Update to pax-linux-3.10.7-test11.patch: + - simplified some arm code + - disabled preemption when calling show_regs, reported by Corey Minyard + - added PCID based support for UDEREF on amd64 (blog will have more details) + - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc + - nopcid turns it off + - by default a strong form of UDEREF is used under PCID + - pax_weakuderef switches to the older, less secure UDEREF + - fixed several bugs that would also have manifested under SMAP + - INVPCID is used when available (Haswell) + - added a few more return insn instrumentation in new amd64 crypto code + + Documentation/kernel-parameters.txt | 7 + + arch/arm/include/asm/uaccess.h | 3 + + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ + arch/x86/ia32/ia32_signal.c | 2 +- + arch/x86/ia32/ia32entry.S | 24 ++++- + arch/x86/include/asm/cpufeature.h | 3 +- + arch/x86/include/asm/fpu-internal.h | 2 + + arch/x86/include/asm/futex.h | 4 + + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- + arch/x86/include/asm/pgtable.h | 10 +- + arch/x86/include/asm/processor.h | 15 +++- + arch/x86/include/asm/segment.h | 5 +- + arch/x86/include/asm/smap.h | 64 +++++++++++- + arch/x86/include/asm/tlbflush.h | 63 +++++++++-- + arch/x86/include/asm/uaccess.h | 18 +++- + arch/x86/include/asm/xsave.h | 4 + + arch/x86/kernel/cpu/common.c | 38 +++++++ + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- + arch/x86/kernel/head_32.S | 2 +- + arch/x86/kernel/head_64.S | 8 +- + arch/x86/kernel/process_64.c | 5 + + arch/x86/kernel/setup.c | 8 +- + arch/x86/kernel/signal.c | 4 +- + arch/x86/kernel/smpboot.c | 15 ++- + arch/x86/lib/copy_user_64.S | 50 +-------- + arch/x86/lib/copy_user_nocache_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 11 ++- + arch/x86/lib/memcpy_64.S | 4 +- + arch/x86/lib/memmove_64.S | 2 +- + arch/x86/lib/memset_64.S | 4 +- + arch/x86/lib/usercopy_64.c | 5 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/fault.c | 29 ++++-- + arch/x86/mm/init.c | 7 +- + arch/x86/mm/init_64.c | 9 ++- + arch/x86/mm/pageattr.c | 2 +- + arch/x86/mm/pgtable.c | 3 + + arch/x86/platform/efi/efi_32.c | 2 +- + arch/x86/platform/efi/efi_64.c | 2 +- + arch/x86/realmode/rm/trampoline_64.S | 1 + + fs/exec.c | 2 + + include/asm-generic/uaccess.h | 8 ++ + include/linux/compat.h | 1 + + include/linux/preempt.h | 19 +++ + include/linux/signal.h | 1 + + include/linux/smp.h | 2 + + init/main.c | 14 ++- + kernel/signal.c | 16 +++ + security/Kconfig | 5 + + tools/lib/lk/Makefile | 2 +- + tools/perf/Makefile | 2 +- + 64 files changed, 673 insertions(+), 136 deletions(-) + +commit 5568c8059e78d6d002815409df4e90c83b3b08a8 +Author: Brad Spengler +Date: Sat Aug 17 08:58:34 2013 -0400 + + Fix two harmless compiler warnings + + arch/arm/kernel/process.c | 4 ++-- + fs/exec.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 +Author: Brad Spengler +Date: Fri Aug 16 22:55:24 2013 -0400 + + Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b + + arch/arm/kernel/perf_event.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit 3637bc893b57a227b01852fe34685ab237285b10 +Author: Stephen Boyd +Date: Wed Aug 7 16:18:08 2013 -0700 + + Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb + + perf/arm: Fix armpmu_map_hw_event() + + Fix constraint check in armpmu_map_hw_event(). + + Reported-and-tested-by: Vince Weaver + Cc: + Signed-off-by: Ingo Molnar + Signed-off-by: Linus Torvalds + + arch/arm/kernel/perf_event.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 11802e1f961a088c39af58d1c1b14d861eedfb35 +Author: Brad Spengler +Date: Fri Aug 16 22:53:30 2013 -0400 + + More ARM backports + + arch/arm/kernel/entry-armv.S | 3 ++- + arch/arm/kernel/fiq.c | 8 ++------ + 2 files changed, 4 insertions(+), 7 deletions(-) + +commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea +Author: Brad Spengler +Date: Fri Aug 16 22:46:01 2013 -0400 + + Fix HIDESYM compatibility with kprobes, as reported by feandil at: + http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 + + include/linux/kallsyms.h | 2 +- + kernel/kprobes.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletions(-) + +commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 +Author: yonghua zheng +Date: Tue Aug 13 16:01:03 2013 -0700 + + fs/proc/task_mmu.c: fix buffer overflow in add_page_map() + + Recently we met quite a lot of random kernel panic issues after enabling + CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something + to do with following bug in pagemap: + + In struct pagemapread: + + struct pagemapread { + int pos, len; + pagemap_entry_t *buffer; + bool v2; + }; + + pos is number of PM_ENTRY_BYTES in buffer, but len is the size of + buffer, it is a mistake to compare pos and len in add_page_map() for + checking buffer is full or not, and this can lead to buffer overflow and + random kernel panic issue. + + Correct len to be total number of PM_ENTRY_BYTES in buffer. + + [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] + Signed-off-by: Yonghua Zheng + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/task_mmu.c + + fs/proc/task_mmu.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 0a3dac834746de241c10d4978bf61b4f146ba89d +Merge: dc19474 e12de30 +Author: Brad Spengler +Date: Fri Aug 16 17:39:01 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 +Author: Brad Spengler +Date: Fri Aug 16 17:34:47 2013 -0400 + + Update to pax-linux-3.10.7-test9.patch: + - Emese fixed a size overflow false positive reported by Sven Vermeulen + - fixed some arm compile problems reported by spender + - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard + eventually we'll have full REFCOUNT support on mips + + arch/arm/kernel/process.c | 5 ++- + arch/arm/mm/Kconfig | 2 +- + arch/arm/mm/fault.c | 3 ++ + arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ + mm/internal.h | 2 +- + 5 files changed, 65 insertions(+), 4 deletions(-) + +commit dc19474d0ea6ea3c939544ae5f906067b1784a10 +Merge: 51b78c0 82266f9 +Author: Brad Spengler +Date: Thu Aug 15 21:47:37 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 82266f90a3f87ab5017329fb539aebf94c42253a +Author: Brad Spengler +Date: Thu Aug 15 21:14:47 2013 -0400 + + Update to pax-linux-3.10.7-test9.patch + + arch/arm/kernel/process.c | 6 ++---- + 1 files changed, 2 insertions(+), 4 deletions(-) + +commit 51b78c06d1f41614f593cd36456b4af559e9d7fa +Merge: e32d904 cb77ead +Author: Brad Spengler +Date: Thu Aug 15 20:53:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit cb77ead0eccb5abb75f7e437a3725d0254558ccd +Merge: 13675b8 519be45 +Author: Brad Spengler +Date: Thu Aug 15 20:50:47 2013 -0400 + + Update to pax-linux-3.10.7-test8.patch + + Merge branch 'linux-3.10.y' into pax-test + +commit e32d904b87292288e74e2637b900fd1115687b8e +Author: Brad Spengler +Date: Sat Aug 10 09:41:40 2013 -0400 + + propagate the threadstack offset through to the topdown/bottomup allocators + on sparc64 hugepages + + arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c +Author: Oleg Nesterov +Date: Thu Aug 8 18:55:32 2013 +0200 + + Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 + + another local DoS found in reaction to the one I reported, + we don't allow unpriv user ns use so this doesn't matter much to us + + userns: limit the maximum depth of user_namespace->parent chain + + Ensure that user_namespace->parent chain can't grow too much. + Currently we use the hardroded 32 as limit. + + Reported-by: Andy Lutomirski + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + include/linux/user_namespace.h | 1 + + kernel/user_namespace.c | 4 ++++ + 2 files changed, 5 insertions(+), 0 deletions(-) + +commit 223ac007ef18bf3a5095ba0a56675c1f16200149 +Merge: 1c92de4 13675b8 +Author: Brad Spengler +Date: Thu Aug 8 20:45:24 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 13675b848cf02bffd26924b2b84d927095bc253d +Author: Brad Spengler +Date: Thu Aug 8 20:43:52 2013 -0400 + + Update to pax-linux-3.10.5-test8.patch: + - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) + - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard + - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard + + arch/arm/include/asm/pgtable-2level.h | 4 +++- + arch/arm/mm/proc-v7-2level.S | 3 --- + arch/mips/mm/fault.c | 8 ++++++++ + arch/x86/include/asm/processor.h | 3 ++- + include/linux/math64.h | 2 +- + security/Kconfig | 2 -- + 6 files changed, 14 insertions(+), 8 deletions(-) + +commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 +Merge: e65aa3d 1660f49 +Author: Brad Spengler +Date: Mon Aug 5 18:50:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 1660f496848b8400d263f7920989dae15e72185a +Merge: 7f91ba1 dc51cd2 +Author: Brad Spengler +Date: Mon Aug 5 18:50:12 2013 -0400 + + Update to pax-linux-3.10.5-test7.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/head_64.S + mm/mempolicy.c + +commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 +Author: Brad Spengler +Date: Mon Aug 5 17:58:42 2013 -0400 + + Disable RANDKSTACK for a VirtualBox host as mentioned on the + gentoo-hardened bugzilla: + https://bugs.gentoo.org/show_bug.cgi?id=382793 + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 +Author: Dan Carpenter +Date: Tue Jul 30 13:23:39 2013 +0300 + + Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 + + net_sched: info leak in atm_tc_dump_class() + + The "pvc" struct has a hole after pvc.sap_family which is not cleared. + + Signed-off-by: Dan Carpenter + Reviewed-by: Jiri Pirko + Signed-off-by: David S. Miller + + net/sched/sch_atm.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 50d20ebce56b6e0b9622685930e007e46c7c04bb +Author: Daniel Borkmann +Date: Fri Aug 2 11:32:43 2013 +0200 + + Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 + + net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails + + Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa + resource that was allocated via inet_alloc_ifa() unfreed when returning + the function with -EINVAL. Thus, free it first via inet_free_ifa(). + + Signed-off-by: Daniel Borkmann + Reviewed-by: Jiri Pirko + Signed-off-by: David S. Miller + + net/ipv4/devinet.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 +Author: Himanshu Madhani +Date: Fri Aug 2 23:15:56 2013 -0400 + + Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 + + qlcnic: Free up memory in error path. + + Signed-off-by: Himanshu Madhani + Signed-off-by: Shahed Shaikh + Signed-off-by: David S. Miller + + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a +Author: Shahed Shaikh +Date: Fri Aug 2 23:15:54 2013 -0400 + + Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f + + qlcnic: Fix MAC address filter issue on 82xx adapter + + Driver was passing the address of a pointer instead of + the pointer itself. + + Signed-off-by: Shahed Shaikh + Signed-off-by: David S. Miller + + drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 +Author: Brad Spengler +Date: Mon Aug 5 17:26:40 2013 -0400 + + Move user namespace capability check to shared create_user_ns code so we + cover unshare() as well. + + Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to + user namespaces! + + kernel/fork.c | 17 ----------------- + kernel/user_namespace.c | 24 ++++++++++++++++++++++-- + 2 files changed, 22 insertions(+), 19 deletions(-) + +commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 +Author: Brad Spengler +Date: Mon Aug 5 16:05:41 2013 -0400 + + silence a warning on older gcc + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b8966a5d577e9220fbc63306eee978f819f24e2e +Author: Brad Spengler +Date: Sat Aug 3 08:31:08 2013 -0400 + + we only care about mmaps of the beginning of an ELF, filter out + all others as suggested by pipacs + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb +Author: Brad Spengler +Date: Fri Aug 2 23:54:51 2013 -0400 + + add include + + grsecurity/grsec_log.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 +Author: Brad Spengler +Date: Fri Aug 2 23:49:13 2013 -0400 + + fix compilation + + include/linux/grinternal.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1704c23fdc55b68f512dc9927940e72237f3f43e +Author: Brad Spengler +Date: Fri Aug 2 23:34:35 2013 -0400 + + Improve PaX reporting (tells when anon mapping is stack or heap) + Remove textrel logging option, combine into rwx logging option + Enhance RWX logging option to display when PT_GNU_STACK-enabled library + is loaded under an MPROTECTed binary + Enhance RWX mprotect logging to display stack/heap instead of just + anon mapping + + fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ + fs/exec.c | 4 ++++ + grsecurity/Kconfig | 21 +++++---------------- + grsecurity/grsec_init.c | 4 ---- + grsecurity/grsec_log.c | 14 ++++++++++++++ + grsecurity/grsec_pax.c | 19 ++++++++++++++----- + grsecurity/grsec_sysctl.c | 9 --------- + include/linux/binfmts.h | 1 + + include/linux/grinternal.h | 2 +- + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 3 ++- + mm/mmap.c | 7 +++++++ + mm/mprotect.c | 2 +- + 13 files changed, 88 insertions(+), 38 deletions(-) + +commit faf81c100c8565524e21c9af780a0ad2ce3fd925 +Author: Brad Spengler +Date: Thu Aug 1 18:52:02 2013 -0400 + + add missing #define + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 +Author: Brad Spengler +Date: Thu Aug 1 18:43:53 2013 -0400 + + fix compilation for !COMPAT as reported on the forums + + grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- + 1 files changed, 97 insertions(+), 98 deletions(-) + +commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c +Merge: 65019c9 7f91ba1 +Author: Brad Spengler +Date: Wed Jul 31 17:47:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 65019c9bd05f860437071cbf00e2027fd2d68615 +Author: Brad Spengler +Date: Wed Jul 31 17:47:20 2013 -0400 + + Revert "revert recent PaX change that causes boot failures with 32bit userland" + + This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 +Author: Brad Spengler +Date: Wed Jul 31 17:46:00 2013 -0400 + + Update to pax-linux-3.10.4-test7.patch: + - added a few more missing format strings + - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable + - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time + - fixed a UDEREF/i386 regression, __get_user_8 would always fail + + arch/x86/include/asm/processor.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/dumpstack.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/lib/getuser.S | 4 +- + arch/x86/xen/smp.c | 2 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- + drivers/video/backlight/backlight.c | 2 +- + drivers/video/backlight/lcd.c | 2 +- + fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- + fs/exec.c | 50 +++++++++++++-------------- + include/linux/sched.h | 2 + + 14 files changed, 88 insertions(+), 47 deletions(-) + +commit 043130da54cb7cc8dc44e0ce889d426e889a0532 +Author: Brad Spengler +Date: Wed Jul 31 16:26:58 2013 -0400 + + compile fix for !COMPAT as mentioned on forums + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ed0a195abd4e41c2449a020a53a19c74dc866d78 +Author: Brad Spengler +Date: Tue Jul 30 22:33:14 2013 -0400 + + perform compat conversion of rlimit infinity + + grsecurity/gracl_compat.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 +Author: Brad Spengler +Date: Tue Jul 30 22:21:40 2013 -0400 + + remove debugging + + grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- + 1 files changed, 11 insertions(+), 33 deletions(-) + +commit e75b3f504692b97960a7530ad0855d91441d79c0 +Author: Brad Spengler +Date: Tue Jul 30 22:20:32 2013 -0400 + + eliminate compat_dev_t + + include/linux/gracl_compat.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit e5abbaf95313066a724e1a843d4fc902a9a6450e +Author: Brad Spengler +Date: Tue Jul 30 22:13:22 2013 -0400 + + fix compat rlimit size + + grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- + include/linux/gracl_compat.h | 4 +- + 2 files changed, 49 insertions(+), 23 deletions(-) + +commit 877d6c2f8b3518ff39601084560bb33c58d35a1f +Author: Brad Spengler +Date: Tue Jul 30 21:20:18 2013 -0400 + + compile fix + + grsecurity/gracl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 +Author: Brad Spengler +Date: Tue Jul 30 21:14:29 2013 -0400 + + copy correct pointer size in new compat code + + grsecurity/gracl.c | 8 ++++---- + grsecurity/gracl_compat.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 23278a1ee1c7738dd1e7005241394d32b82196e4 +Author: Brad Spengler +Date: Tue Jul 30 19:48:58 2013 -0400 + + revert recent PaX change that causes boot failures with 32bit userland + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit ec27f71a813656fea8ab37faecb2b485fe99d08e +Merge: 3a11bcf 05f0a61 +Author: Brad Spengler +Date: Tue Jul 30 19:42:21 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 +Author: Brad Spengler +Date: Tue Jul 30 19:41:44 2013 -0400 + + Update to pax-linux-3.10.4-test6.patch: + - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender + + include/linux/syscalls.h | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 +Author: Brad Spengler +Date: Tue Jul 30 19:15:50 2013 -0400 + + compile fix + + grsecurity/gracl_compat.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 +Author: Brad Spengler +Date: Tue Jul 30 19:12:46 2013 -0400 + + remove BUILD_BUG_ONs + + grsecurity/gracl_compat.c | 20 -------------------- + 1 files changed, 0 insertions(+), 20 deletions(-) + +commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 +Author: Brad Spengler +Date: Tue Jul 30 00:18:36 2013 -0400 + + compile fixes + + grsecurity/gracl_compat.c | 8 ++++---- + include/linux/gracl_compat.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 8b744005f8bae565e24c1fd88af77e6e619b9434 +Author: Brad Spengler +Date: Tue Jul 30 00:16:42 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_compat.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c +Author: Brad Spengler +Date: Tue Jul 30 00:13:51 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit b93b829afcc98b6108b18d99ff63c53642d0b951 +Author: Brad Spengler +Date: Tue Jul 30 00:11:03 2013 -0400 + + compile fixes + + grsecurity/gracl_compat.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 +Author: Brad Spengler +Date: Tue Jul 30 00:08:21 2013 -0400 + + more compile fixes + + grsecurity/gracl.c | 28 ++++++++++++++-------------- + 1 files changed, 14 insertions(+), 14 deletions(-) + +commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b +Author: Brad Spengler +Date: Mon Jul 29 23:59:50 2013 -0400 + + more compile fixes + + grsecurity/gracl.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 +Author: Brad Spengler +Date: Mon Jul 29 23:56:47 2013 -0400 + + additional compile fixes + + grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 files changed, 49 insertions(+), 10 deletions(-) + +commit ac695a081d1124fb28bec46814535d34c5e40611 +Author: Brad Spengler +Date: Mon Jul 29 23:47:15 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 +Author: Brad Spengler +Date: Mon Jul 29 23:46:59 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 14 deletions(-) + +commit 82631f451cc7432b6c5578cf8d24155473feb25c +Author: Brad Spengler +Date: Mon Jul 29 23:22:44 2013 -0400 + + Initial commit of compat RBAC loading + Permits 32bit gradm to load policy for a 64bit kernel + + Also removed code duplication for copying strings into the kernel + + Work performed as part of sponsorship + + grsecurity/Makefile | 4 + + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- + grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ + include/linux/gracl_compat.h | 156 +++++++++++++++++++++ + 4 files changed, 603 insertions(+), 142 deletions(-) + +commit 84c4a433dfb096e4a1162ee5e68025122c70b421 +Merge: c9d3ed3 9fe5897 +Author: Brad Spengler +Date: Mon Jul 29 17:08:56 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 9fe58978938e357642885866ca48090a7753d403 +Merge: 8f693ad 6f7bb6b +Author: Brad Spengler +Date: Mon Jul 29 17:08:43 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 +Merge: d5e5bfd 8f693ad +Author: Brad Spengler +Date: Sun Jul 28 10:03:08 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 8f693ade9b3e448f92706d34148b00a087637f70 +Author: Brad Spengler +Date: Sun Jul 28 10:02:16 2013 -0400 + + Update to pax-linux-3.10.3-test5.patch: + - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) + - fixed handling of faulting userland accesses for UDEREF/arm, from spender + - updated the size overflow hash table, from Emese + + arch/arm/kernel/entry-armv.S | 3 +- + arch/x86/include/asm/processor.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- + 7 files changed, 513 insertions(+), 55 deletions(-) + +commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 +Merge: 19e077b 8a8a0d0 +Author: Brad Spengler +Date: Thu Jul 25 21:05:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 +Author: Brad Spengler +Date: Thu Jul 25 21:04:09 2013 -0400 + + Update to pax-linux-3.10.3-test4.patch: + - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. + this is finer grained sanitization than the existing per-page based approach (which + is still done) at a somewhat higher performance cost. the pax_sanitize_slab command + line option can be used to enable/disable it on boot (it's enabled by default when + CONFIG_PAX_MEMORY_SANITIZE is enabled). + + Documentation/kernel-parameters.txt | 4 ++++ + fs/buffer.c | 2 +- + fs/dcache.c | 3 ++- + include/linux/slab.h | 7 +++++++ + include/linux/slab_def.h | 4 ++++ + kernel/fork.c | 2 +- + mm/rmap.c | 6 ++++-- + mm/slab.c | 27 +++++++++++++++++++++++++++ + mm/slab.h | 12 +++++++++++- + mm/slab_common.c | 14 ++++++++++++++ + mm/slob.c | 5 +++++ + mm/slub.c | 11 +++++++++++ + net/core/skbuff.c | 6 ++++-- + security/Kconfig | 23 +++++++++++++++++------ + 14 files changed, 112 insertions(+), 14 deletions(-) + +commit 19e077bfff54ca211d0142c07cb6dd88069a390c +Merge: 960ec51 c8f7f51 +Author: Brad Spengler +Date: Thu Jul 25 19:53:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c8f7f51591207b82530214300e86277028919286 +Merge: d5142e3 81a4648 +Author: Brad Spengler +Date: Thu Jul 25 19:52:29 2013 -0400 + + Update to pax-linux-3.10.3-test3.patch: + - fixed some compile issues reported by Michael Tremer and spender + - fixed an i386 regression with the lower address space gap on i386, reported by cnu + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + kernel/time/tick-broadcast.c + +commit 960ec51ab2142544fbae563d4fd5744775408965 +Author: Al Viro +Date: Sat Jul 20 03:13:55 2013 +0400 + + Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 + + livelock avoidance in sget() + + Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about + to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, + ->s_active is 1. Along comes two more processes, trying to mount the same + thing; sget() in each is picking that superblock, bumping ->s_count and + trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) + finally gets to deactivate_locked_super() on failure; ->s_active is 2, + superblock is still ->fs_supers because shutdown will *not* happen until + ->s_active hits 0. ->s_umount is dropped and now we have two processes + chasing each other: + s_active = 2, A acquired ->s_umount, B blocked + A sees that the damn thing is stillborn, does deactivate_locked_super() + s_active = 1, A drops ->s_umount, B gets it + A restarts the search and finds the same superblock. And bumps it ->s_active. + s_active = 2, B holds ->s_umount, A blocked on trying to get it + ... and we are in the earlier situation with A and B switched places. + + The root cause, of course, is that ->s_active should not grow until we'd + got MS_BORN. Then failing ->mount() will have deactivate_locked_super() + shut the damn thing down. Fortunately, it's easy to do - the key point + is that grab_super() is called only for superblocks currently on ->fs_supers, + so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and + bump ->s_active; we must never increment ->s_count for superblocks past + ->kill_sb(), but grab_super() is never called for those. + + The bug is pretty old; we would've caught it by now, if not for accidental + exclusion between sget() for block filesystems; the things like cgroup or + e.g. mtd-based filesystems don't have anything of that sort, so they get + bitten. The right way to deal with that is obviously to fix sget()... + + Signed-off-by: Al Viro + + fs/super.c | 25 ++++++++++--------------- + 1 files changed, 10 insertions(+), 15 deletions(-) + +commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 +Merge: ab95b58 d5142e3 +Author: Brad Spengler +Date: Sun Jul 21 22:47:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d5142e31785f8c32c7338c51fcc27313bdd4a84e +Merge: f36ae8c 0f4a56e +Author: Brad Spengler +Date: Sun Jul 21 22:47:34 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit ab95b5842899d61ff5c30f4582e72029b3155be8 +Author: Brad Spengler +Date: Sun Jul 21 22:28:40 2013 -0400 + + compile fix with constification reported by Michael Tremer + + drivers/gpu/host1x/drm/dc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 817cd2d1e7a55720326599dd8f542578eef30927 +Author: Hannes Frederic Sowa +Date: Fri Jul 12 23:46:33 2013 +0200 + + Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 + + ipv6: only static routes qualify for equal cost multipathing + + Static routes in this case are non-expiring routes which did not get + configured by autoconf or by icmpv6 redirects. + + To make sure we actually get an ecmp route while searching for the first + one in this fib6_node's leafs, also make sure it matches the ecmp route + assumptions. + + v2: + a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF + already ensures that this route, even if added again without + RTF_EXPIRES (in case of a RA announcement with infinite timeout), + does not cause the rt6i_nsiblings logic to go wrong if a later RA + updates the expiration time later. + + v3: + a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, + because an pmtu event could update the RTF_EXPIRES flag and we would + not count this route, if another route joins this set. We now filter + only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that + don't get changed after rt6_info construction. + + Cc: Nicolas Dichtel + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_fib.c | 15 +++++++++++---- + 1 files changed, 11 insertions(+), 4 deletions(-) + +commit 77db8196d51b043e2e2d124094da101b0f01bccb +Author: Dan Carpenter +Date: Fri Jul 12 09:39:03 2013 +0300 + + Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 + + svcrdma: underflow issue in decode_write_list() + + My static checker marks everything from ntohl() as untrusted and it + complains we could have an underflow problem doing: + + return (u32 *)&ary->wc_array[nchunks]; + + Also on 32 bit systems the upper bound check could overflow. + + Cc: stable@vger.kernel.org + Signed-off-by: Dan Carpenter + Signed-off-by: J. Bruce Fields + + net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ + 1 files changed, 14 insertions(+), 6 deletions(-) + +commit 926473317fd7953137ef97835edd36dabc584b01 +Author: Brad Spengler +Date: Wed Jul 17 21:29:02 2013 -0400 + + add missing asm/pgtable.h include, reported by Michael Tremer + + drivers/clk/socfpga/clk.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c592ae0001b31932ef1491784dfa374058797c66 +Author: Brad Spengler +Date: Tue Jul 16 20:40:24 2013 -0400 + + allow viewing of ecryptfs version under SYSFS_RESTRICT + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 +Merge: 9c96441 f36ae8c +Author: Brad Spengler +Date: Sun Jul 14 19:23:13 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f36ae8c741ae32b1caff10825be12c327792c925 +Author: Brad Spengler +Date: Sun Jul 14 19:22:15 2013 -0400 + + Update to pax-linux-3.10-test2.patch: + - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer + - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer + - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer + - spender fixed an madvise regression, reported by Peter Keel + - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) + - fixed a headers_install regression, reported by Mathias Krause + - fixed a SLOB compile regression, reported by Mathias Krause + + arch/arm/include/asm/uaccess.h | 4 ++-- + arch/arm/mm/mmu.c | 15 +++++++++++++-- + drivers/clk/socfpga/clk.c | 6 ++++-- + mm/madvise.c | 4 ++-- + mm/slab.c | 4 ++-- + mm/slob.c | 4 ++-- + scripts/headers_install.sh | 2 +- + 7 files changed, 26 insertions(+), 13 deletions(-) + +commit 9c9644156a49637050741d9165df79174e59b0ef +Author: Brad Spengler +Date: Sun Jul 14 19:19:54 2013 -0400 + + Fix sparc64 compilation, reported by Blake Self + + arch/sparc/kernel/sys_sparc_64.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 +Author: Brad Spengler +Date: Sun Jul 14 11:49:17 2013 -0400 + + Update PaX fix, just return the error + + mm/madvise.c | 15 +++++++-------- + 1 files changed, 7 insertions(+), 8 deletions(-) + +commit a10e377d0eddd37e8a3665b135e546ab03d9d171 +Author: Brad Spengler +Date: Sun Jul 14 11:36:00 2013 -0400 + + Fix madvise oops reported by Peter Keel + + mm/madvise.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit 08c5adca34d408772255b313f90d82c250c1d967 +Author: Brad Spengler +Date: Sun Jul 14 11:26:34 2013 -0400 + + don't make high vector mapping non-present on old ARM architectures, no + point in emulating some vector entries when the processor doesn't even support XN + + arch/arm/mm/mmu.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 2b40781d4197a89a003616af584884e36361c5b2 +Author: Brad Spengler +Date: Sun Jul 14 09:51:58 2013 -0400 + + Temporary compile fix for code incorrectly modifying const data + Wrap a cast version of the code with open/close + + Thanks to Michael Tremer for the report + + drivers/clk/socfpga/clk.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit a8258c1b4098c396cd4ea719e20858182feac1c1 +Author: Brad Spengler +Date: Sun Jul 14 09:41:16 2013 -0400 + + Fix missing right parens in pipacs' "improvement" of my ARM code ;) + Thanks to Michael Tremer for reporting + + arch/arm/include/asm/uaccess.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 8542e1e973be7cc9a009d2ada8033576b2890e6f +Merge: 86f446e 2577f8e +Author: Brad Spengler +Date: Sat Jul 13 20:46:58 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + mm/memcontrol.c + +commit 2577f8e4ec41efb347706a59c6838de20f0c90da +Merge: 75a36f0 cb5d8be +Author: Brad Spengler +Date: Sat Jul 13 20:43:42 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + crypto/algapi.c + drivers/block/nbd.c + +commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 +Author: Brad Spengler +Date: Fri Jul 12 23:02:11 2013 -0400 + + we always want the vector page to be noaccess for userland + therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY + which turns into supervisor rwx, userland rx, we instead omit that entirely, + leaving it as supervisor rwx only + + Fixes booting on ARMv5 and earlier, which need to write directly + to the high vector mapping via set_tls when context switching + + Thanks to Michael Tremer for the bugreport + + arch/arm/mm/mmu.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit 90cd0827eef656ec884f19c977873fefe2f2e47d +Author: Cong Wang +Date: Sat Jun 29 12:02:59 2013 +0800 + + Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 + + gre: fix a regression in ioctl + + When testing GRE tunnel, I got: + + # ip tunnel show + get tunnel gre0 failed: Invalid argument + get tunnel gre1 failed: Invalid argument + + This is a regression introduced by commit c54419321455631079c7d + ("GRE: Refactor GRE tunneling code.") because previously we + only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, + after that commit, the check is moved for all commands. + + So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. + + After this patch I got: + + # ip tunnel show + gre0: gre/ip remote any local any ttl inherit nopmtudisc + gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit + + Cc: Pravin B Shelar + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + net/ipv4/ip_gre.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 +Author: Cong Wang +Date: Sat Jun 29 13:00:57 2013 +0800 + + Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 + + vti: remove duplicated code to fix a memory leak + + vti module allocates dev->tstats twice: in vti_fb_tunnel_init() + and in vti_tunnel_init(), this lead to a memory leak of + dev->tstats. + + Just remove the duplicated operations in vti_fb_tunnel_init(). + + (candidate for -stable) + + Cc: Stephen Hemminger + Cc: Saurabh Mohan + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Acked-by: Stephen Hemminger + Signed-off-by: David S. Miller + + net/ipv4/ip_vti.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd +Author: Michal Schmidt +Date: Mon Jul 1 17:23:05 2013 +0200 + + Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a + + bnx2x: remove zeroing of dump data buffer + + There is no need to initialize the dump data with zeros. + data is allocated with vzalloc, so it's already zero-filled. + + More importantly, the memset is harmful, because dump->len (the length + requested by userspace) can be bigger than the allocated buffer (whose + size is determined by asking the driver's .get_dump_flag method). + + Signed-off-by: Michal Schmidt + Signed-off-by: David S. Miller + + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit c771072b72c261f9bddd6734dca6979c1b96e7df +Author: Michal Schmidt +Date: Mon Jul 1 17:23:06 2013 +0200 + + Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 + + bnx2x: fix dump flag handling + + bnx2x interprets the dump flag as an index of a register preset. + It is important to validate the index to avoid out of bounds + memory accesses. + + Signed-off-by: Michal Schmidt + Signed-off-by: David S. Miller + + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ + 2 files changed, 5 insertions(+), 0 deletions(-) + +commit aed315c8fad9b2044143b46b239574b1b72135ce +Author: Michal Schmidt +Date: Mon Jul 1 17:23:30 2013 +0200 + + Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 + + ethtool: make .get_dump_data() harder to misuse by drivers + + As the patch "bnx2x: remove zeroing of dump data buffer" showed, + it is too easy implement .get_dump_data incorrectly in a driver. + + Let's make sure drivers cannot get confused by userspace requesting + a too big dump. + + Also WARN if the driver sets dump->len to something weird and make + sure the length reported to userspace is the actual length of data + copied to userspace. + + Signed-off-by: Michal Schmidt + Reviewed-by: Ben Hutchings + Signed-off-by: David S. Miller + + net/core/ethtool.c | 21 ++++++++++++++++++++- + 1 files changed, 20 insertions(+), 1 deletions(-) + +commit 5c57991e66216e386dcc875d34c33f0edd038569 +Author: Wei Yongjun +Date: Tue Jul 2 09:02:07 2013 +0800 + + Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd + + l2tp: add missing .owner to struct pppox_proto + + Add missing .owner of struct pppox_proto. This prevents the + module from being removed from underneath its users. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 +Author: Benjamin Herrenschmidt +Date: Sun Jun 30 14:37:11 2013 +1000 + + Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 + + cxgb3: Missing rtnl lock in error recovery + + When exercising error injection on IBM pseries machine, I hit the + following warning: + + [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 + [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) + [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 + [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) + [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 + [ 254.895474] Call Trace: + [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) + [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c + [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 + [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] + [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] + [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 + [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 + [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 + [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 + [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 + [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 + + It appears that t3_resume_ports() is called with the rtnl_lock held from + the fatal error task but not from the PCI error callbacks. This fixes it. + + Signed-off-by: Benjamin Herrenschmidt + Signed-off-by: David S. Miller + + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 +Author: Hannes Frederic Sowa +Date: Mon Jul 1 20:21:30 2013 +0200 + + Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 + + ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data + + We accidentally call down to ip6_push_pending_frames when uncorking + pending AF_INET data on a ipv6 socket. This results in the following + splat (from Dave Jones): + + skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:126! + invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth + +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c + CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 + task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 + RIP: 0010:[] [] skb_panic+0x63/0x65 + RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 + RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 + RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 + RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 + R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 + FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 + Stack: + ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 + ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 + ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 + Call Trace: + [] skb_push+0x3a/0x40 + [] ip6_push_pending_frames+0x1f6/0x4d0 + [] ? mark_held_locks+0xbb/0x140 + [] udp_v6_push_pending_frames+0x2b9/0x3d0 + [] ? udplite_getfrag+0x20/0x20 + [] udp_lib_setsockopt+0x1aa/0x1f0 + [] ? fget_light+0x387/0x4f0 + [] udpv6_setsockopt+0x34/0x40 + [] sock_common_setsockopt+0x14/0x20 + [] SyS_setsockopt+0x71/0xd0 + [] tracesys+0xdd/0xe2 + Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 + RIP [] skb_panic+0x63/0x65 + RSP + + This patch adds a check if the pending data is of address family AF_INET + and directly calls udp_push_ending_frames from udp_v6_push_pending_frames + if that is the case. + + This bug was found by Dave Jones with trinity. + + (Also move the initialization of fl6 below the AF_INET check, even if + not strictly necessary.) + + Cc: Dave Jones + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + include/net/udp.h | 1 + + net/ipv4/udp.c | 3 ++- + net/ipv6/udp.c | 7 ++++++- + 3 files changed, 9 insertions(+), 2 deletions(-) + +commit cd83094a85d9bbd5a67332156407d53cf8835432 +Author: Hannes Frederic Sowa +Date: Tue Jul 2 08:04:05 2013 +0200 + + Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be + + ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size + + If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track + of this when appending the second frame on a corked socket. This results + in the following splat: + + [37598.993962] ------------[ cut here ]------------ + [37598.994008] kernel BUG at net/core/skbuff.c:2064! + [37598.994008] invalid opcode: 0000 [#1] SMP + [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat + +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi + +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm + [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc + +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video + [37598.994008] CPU 0 + [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG + [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 + [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 + [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 + [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 + [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 + [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 + [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 + [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 + [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 + [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) + [37598.994008] Stack: + [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 + [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 + [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 + [37598.994008] Call Trace: + [37598.994008] [] ip6_append_data+0xccf/0xfe0 + [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 + [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 + [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 + [37598.994008] [] ? sock_has_perm+0x75/0x90 + [37598.994008] [] inet_sendmsg+0x63/0xb0 + [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 + [37598.994008] [] sock_sendmsg+0xb0/0xe0 + [37598.994008] [] ? __switch_to+0x181/0x4a0 + [37598.994008] [] sys_sendto+0x12d/0x180 + [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 + [37598.994008] [] ? syscall_trace_enter+0x231/0x240 + [37598.994008] [] tracesys+0xdd/0xe2 + [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 + [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 + [37598.994008] RSP + [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- + + While there, also check if path mtu discovery is activated for this + socket. The logic was adapted from ip6_append_data when first writing + on the corked socket. + + This bug was introduced with commit + 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec + fragment"). + + v2: + a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. + b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao + feng, thanks!). + c) Change mtu to unsigned int, else we get a warning about + non-matching types because of the min()-macro type-check. + + Acked-by: Gao feng + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 16 ++++++++++------ + 1 files changed, 10 insertions(+), 6 deletions(-) + +commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c +Author: Michael S. Tsirkin +Date: Sun Jul 7 14:26:53 2013 +0300 + + Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 + + vhost-net: fix use-after-free in vhost_net_flush + + vhost_net_ubuf_put_and_wait has a confusing name: + it will actually also free it's argument. + Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 + "vhost-net: flush outstanding DMAs on memory change" + vhost_net_flush tries to use the argument after passing it + to vhost_net_ubuf_put_and_wait, this results + in use after free. + To fix, don't free the argument in vhost_net_ubuf_put_and_wait, + add an new API for callers that want to free ubufs. + + Acked-by: Asias He + Acked-by: Jason Wang + Signed-off-by: Michael S. Tsirkin + Signed-off-by: David S. Miller + + drivers/vhost/net.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 088806db74ac2f08c106202bc5498585a9ee529f +Author: Michal Hocko +Date: Mon Jul 8 16:00:29 2013 -0700 + + Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b + + memcg, kmem: fix reference count handling on the error path + + mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. + This is not correct because only memcg_propagate_kmem takes an + additional reference while mem_cgroup_sockets_init is allowed to fail as + well (although no current implementation fails) but it doesn't take any + reference. This all suggests that it should be memcg_propagate_kmem + that should clean up after itself so this patch moves mem_cgroup_put + over there. + + Unfortunately this is not that easy (as pointed out by Li Zefan) because + memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is + marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if + memcg_propagate_kmem fails so the additional reference is dropped in + that case in kmem_cgroup_destroy which means that the reference would be + dropped two times. + + The easiest way then would be to simply remove mem_cgrroup_put from + mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right + thing. + + Signed-off-by: Michal Hocko + Signed-off-by: Li Zefan + Acked-by: KAMEZAWA Hiroyuki + Cc: Hugh Dickins + Cc: Tejun Heo + Cc: Glauber Costa + Cc: Johannes Weiner + Cc: [3.8] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/memcontrol.c | 8 -------- + 1 files changed, 0 insertions(+), 8 deletions(-) + +commit 08bfb6e700d13886ed722c2236e1ec10f03a95df +Author: Michal Hocko +Date: Mon Jul 8 16:00:27 2013 -0700 + + Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 + + Revert "memcg: avoid dangling reference count in creation failure" + + This reverts commit e4715f01be697a. + + mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops + an additional reference from all parents so the additional + mem_cgrroup_put(parent) potentially causes use-after-free. + + Signed-off-by: Michal Hocko + Signed-off-by: Li Zefan + Acked-by: KAMEZAWA Hiroyuki + Cc: Hugh Dickins + Cc: Tejun Heo + Cc: Glauber Costa + Cc: Johannes Weiner + Cc: [3.9+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/memcontrol.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit 3267ec559f48327a1836eccecd53215afc5810d0 +Author: Tyler Hicks +Date: Thu Jun 20 13:13:59 2013 -0700 + + Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e + + libceph: Fix NULL pointer dereference in auth client code + + A malicious monitor can craft an auth reply message that could cause a + NULL function pointer dereference in the client's kernel. + + To prevent this, the auth_none protocol handler needs an empty + ceph_auth_client_ops->build_request() function. + + CVE-2013-1059 + + Signed-off-by: Tyler Hicks + Reported-by: Chanam Park + Reviewed-by: Seth Arnold + Reviewed-by: Sage Weil + Cc: stable@vger.kernel.org + + net/ceph/auth_none.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit cdfeb4049e7cb38702215b2c356ce0407974ac79 +Author: Eric Paris +Date: Wed Jul 3 15:08:29 2013 -0700 + + Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 + + fork: reorder permissions when violating number of processes limits + + When a task is attempting to violate the RLIMIT_NPROC limit we have a + check to see if the task is sufficiently priviledged. The check first + looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. + + A result is that tasks which are allowed by the uid=0 check are first + checked against the security subsystem. This results in the security + subsystem auditting a denial for sys_admin and sys_resource and then the + task passing the uid=0 check. + + This patch rearranges the code to first check uid=0, since if we pass that + we shouldn't hit the security system at all. We then check sys_resource, + since it is the smallest capability which will solve the problem. Lastly + we check the fallback everything cap_sysadmin. We don't want to give this + capability many places since it is so powerful. + + This will eliminate many of the false positive/needless denial messages we + get when a root task tries to violate the nproc limit. (note that + kthreads count against root, so on a sufficiently large machine we can + actually get past the default limits before any userspace tasks are + launched.) + + Signed-off-by: Eric Paris + Cc: Al Viro + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/fork.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 08c87e049c8a50707908785d950fd48c334f4c09 +Author: Chen Gang +Date: Sat Jun 22 13:26:09 2013 +0800 + + Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 + + arch: sparc: kernel: check the memory length before use strcpy(). + + For the related next strcpy(), the destination length is less than 512, + but the source maximize length may be 'OPROMMAXPARAM' (4096) which is + more than 512. + + One work flow may: + openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) + getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. + opromsetopt() -> devide the buffer into 'var' and 'value' + of_set_property() -> pass + prom_setprop() -> pass + ldom_set_var() + + And do not mind the additional 4 alignment buffer increasing, since + 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. + + Signed-off-by: Chen Gang + Signed-off-by: David S. Miller + + arch/sparc/kernel/ds.c | 10 ++++++++++ + 1 files changed, 10 insertions(+), 0 deletions(-) + +commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 +Author: Brad Spengler +Date: Fri Jul 12 20:38:45 2013 -0400 + + Fix SLAB boot errors due to PAX_USERCOPY reported on the forums + + Unlike slub, slab can initally create two of the kmalloc_caches + which will be used later for generic kmallocs of their particular + aligned size (since the later loop in the unified allocator code + skips any already-existing kmalloc_caches) + + mm/slab.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 +Author: Brad Spengler +Date: Tue Jul 9 22:04:59 2013 -0400 + + compile fixes + + fs/exec.c | 2 +- + mm/mmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit e2d027c7e0f106be683c0c72482b8285daefcbe6 +Author: Brad Spengler +Date: Tue Jul 9 20:58:40 2013 -0400 + + commit successful merges + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 3 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 1 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 129 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/block/cpqarray.c | 1 + + drivers/cdrom/cdrom.c | 4 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/mwave/tp3780i.c | 1 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 9 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 184 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/resize.c | 17 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 234 ++- + fs/namespace.c | 16 + + fs/notify/fanotify/fanotify_user.c | 1 + + fs/open.c | 38 + + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/perf_event.h | 13 +- + include/linux/printk.h | 3 +- + include/linux/sched.h | 24 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 64 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 2 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 7 + + kernel/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 70 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 1 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 63 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev_ioctl.c | 4 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 4 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netrom/af_netrom.c | 1 - + net/phonet/af_phonet.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 343 +++- + security/apparmor/Kconfig | 9 + + security/apparmor/apparmorfs.c | 231 ++ + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 242 files changed, 4385 insertions(+), 2042 deletions(-) + +commit 043a378c0f72ed92cc30182c48abce39867ac93f +Author: Brad Spengler +Date: Tue Jul 9 20:57:40 2013 -0400 + + Commit merge of new files and rejected patches + + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/kernel/process.c | 4 +- + arch/powerpc/include/asm/thread_info.h | 7 +- + arch/powerpc/mm/slice.c | 2 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/x86/kernel/vm86_32.c | 15 + + fs/coredump.c | 1 + + fs/ext4/balloc.c | 4 +- + fs/namei.c | 7 + + fs/namespace.c | 8 + + fs/pipe.c | 2 +- + fs/proc/inode.c | 13 + + fs/proc/internal.h | 3 + + grsecurity/Kconfig | 1054 +++++++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 ++++ + grsecurity/gracl_ip.c | 387 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 434 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 +++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 +++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 246 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/gracl.h | 319 +++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 ++ + include/linux/grinternal.h | 227 ++ + include/linux/grmsg.h | 112 + + include/linux/grsecurity.h | 241 ++ + include/linux/grsock.h | 19 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/proc_fs.h | 13 + + include/linux/sched.h | 48 +- + include/trace/events/fs.h | 53 + + kernel/kmod.c | 7 +- + kernel/panic.c | 2 +- + kernel/posix-timers.c | 1 + + kernel/time/timekeeping.c | 2 + + lib/Kconfig.debug | 2 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/mmap.c | 13 +- + mm/shmem.c | 2 +- + net/core/net-procfs.c | 5 + + net/ipv6/udp.c | 3 + + net/netfilter/xt_gradm.c | 51 + + 66 files changed, 11184 insertions(+), 21 deletions(-) + +commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 +Author: Brad Spengler +Date: Tue Jul 9 17:35:47 2013 -0400 + + Initial import of pax-linux-3.10-test1.patch + + Documentation/dontdiff | 46 +- + Documentation/kernel-parameters.txt | 12 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 444 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 14 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 15 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 91 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 187 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 + + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 22 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 +- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 67 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 122 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 33 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 28 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 +- + arch/x86/kernel/entry_64.S | 548 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 237 +- + arch/x86/kernel/head_64.S | 143 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 2 + + arch/x86/kernel/setup.c | 21 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 61 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 70 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 363 +- + arch/x86/lib/usercopy_64.c | 13 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 556 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 98 +- + arch/x86/mm/init_32.c | 113 +- + arch/x86/mm/init_64.c | 38 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/genhd.c | 11 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/algapi.c | 2 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 6 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/attribute_container.c | 2 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/nbd.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 45 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clocksource/arm_arch_timer.c | 2 +- + drivers/clocksource/metag_generic.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_ondemand.c | 8 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 6 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 4 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vhost/vringh.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/output.c | 2 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 12 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 607 ++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/fhandle.c | 3 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/lockd/svc.c | 2 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 10 +- + fs/nfs/callback.c | 4 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfs/nfs4state.c | 2 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 61 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 12 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 40 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 4 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpu.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 15 + + include/linux/math64.h | 6 +- + include/linux/mm.h | 116 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 12 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-ohci-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/proc_ns.h | 2 +- + include/linux/random.h | 5 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 65 +- + include/linux/sched/sysctl.h | 1 + + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 42 +- + include/linux/slab_def.h | 28 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 8 +- + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 10 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 12 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/netns/ipv6.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 42 +- + init/main.c | 83 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditfilter.c | 2 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 38 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 30 +- + kernel/events/internal.h | 10 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 11 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 22 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 76 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 51 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 18 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 6 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 6 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 15 +- + mm/mmap.c | 606 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 4 +- + mm/page_alloc.c | 41 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 79 +- + mm/slab.h | 5 +- + mm/slab_common.c | 46 +- + mm/slob.c | 201 +- + mm/slub.c | 79 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 77 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_core.c | 8 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 18 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 8 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 4 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 29 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 676 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 2 +- + sound/sound_core.c | 2 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 172 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 560 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 ++ + tools/gcc/latent_entropy_plugin.c | 327 ++ + tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2114 +++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 277 + + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1607 files changed, 30734 insertions(+), 7318 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 +Author: Brad Spengler +Date: Thu Jul 4 23:05:14 2013 -0400 + + always enforce a non-zero gap for RAND_THREADSTACK + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 40d67e38a42d4e94b43b3d7400addc662b9857dc +Author: Brad Spengler +Date: Thu Jul 4 16:09:28 2013 -0400 + + fix up file comparisons + + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_sig.c | 4 ++-- + include/linux/grinternal.h | 12 ++++++++++++ + 3 files changed, 15 insertions(+), 3 deletions(-) + +commit a1fff2c95162314626dd96bec71d951a8c1c4708 +Author: Brad Spengler +Date: Thu Jul 4 15:33:18 2013 -0400 + + fix suid binary matching + + grsecurity/grsec_sig.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 00131c458eea5200971c8fc326e90fdb6c2d0baa +Merge: 37b97a9 47beb61 +Author: Brad Spengler +Date: Thu Jul 4 15:02:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 +Author: Brad Spengler +Date: Thu Jul 4 15:01:37 2013 -0400 + + Update to pax-linux-3.9.9-test13.patch: + - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) + - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) + + arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- + arch/arm/kernel/armksyms.c | 2 +- + arch/arm/kernel/entry-armv.S | 4 ++-- + arch/arm/mm/Kconfig | 2 +- + arch/x86/ia32/ia32entry.S | 4 ++-- + arch/x86/include/asm/page.h | 1 + + arch/x86/kernel/entry_32.S | 4 ++-- + arch/x86/kernel/entry_64.S | 8 ++++---- + arch/x86/kernel/head64.c | 12 ++++++------ + arch/x86/kernel/head_64.S | 16 ++++++++++++---- + arch/x86/mm/init.c | 8 ++++++++ + arch/x86/mm/init_32.c | 6 ------ + arch/x86/mm/init_64.c | 6 ------ + arch/x86/platform/efi/efi_32.c | 5 +++++ + arch/x86/platform/efi/efi_64.c | 10 ++++++++++ + 15 files changed, 64 insertions(+), 44 deletions(-) + +commit 89085d2d0643813a62f23d1199a335dc1e129bc0 +Merge: 963af7f 0adf2e7 +Author: Brad Spengler +Date: Thu Jul 4 14:55:44 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 +Author: Brad Spengler +Date: Thu Jul 4 13:46:02 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 +Author: Brad Spengler +Date: Thu Jul 4 13:29:51 2013 -0400 + + update log arguments + + grsecurity/grsec_sig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 +Author: Brad Spengler +Date: Thu Jul 4 13:20:23 2013 -0400 + + Update logging of suid exec ban + + Conflicts: + + grsecurity/grsec_sig.c + + grsecurity/grsec_sig.c | 3 +-- + include/linux/grmsg.h | 1 + + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit ef808866c070aa1901bd2224521baaf5d145a3a7 +Author: Brad Spengler +Date: Thu Jul 4 12:58:33 2013 -0400 + + Additional improvements to the user banning code: + + Separate the kernel-bruteforcing case from the suid bruteforcing case + In the suid bruteforcing case, only kill existing copies of the bruteforced + binary. Instead of preventing all future execs by this user, prevent them + from executing any suid/sgid binaries for the next 15 minutes. + + Kernel case is mostly unchanged from before, except the task trying to change + real uid to the banned user will be terminated instead of failing the setuid + call. + + Configuration help has been updated to reflect the new changes. + + fs/exec.c | 13 +++++--- + grsecurity/Kconfig | 5 ++- + grsecurity/gracl.c | 6 ++-- + grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ + include/linux/grsecurity.h | 1 - + include/linux/sched.h | 9 +++-- + 6 files changed, 65 insertions(+), 45 deletions(-) + +commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 +Author: Brad Spengler +Date: Wed Jul 3 16:14:09 2013 -0400 + + fix renamed export of csum_partial_copy_from_user, as reported by fabled + on the forums + + arch/arm/kernel/armksyms.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 318235973c2a548c3d25562645d6b69f66e85934 +Author: Brad Spengler +Date: Wed Jul 3 16:09:16 2013 -0400 + + make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error + reported on the forums by fabled + + arch/arm/mm/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b569a7f60fab7a522d8c142765c8b847bbce8a1e +Author: Brad Spengler +Date: Wed Jul 3 15:53:12 2013 -0400 + + Revise the user ban code to kill the process issuing a banned + set*id instead of returning an error. For the sake of keeping + unified user banning between the suid and kernel bruteforce case, + we will apply this killing to the suid bruteforce case, despite + a check just at exec time (that already existed) being sufficient. + + Returning an error could enable exploitation of the "failure to check + setuid return value" case which was recently effectively closed + upstream, albeit in a rare situation with a suitable binary and + two colluding users. + + Many thanks to stealth for reviewing the user ban code. + + grsecurity/gracl.c | 4 ++-- + grsecurity/grsec_sig.c | 16 +++++++++++++--- + 2 files changed, 15 insertions(+), 5 deletions(-) + +commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f +Author: Artem Bityutskiy +Date: Fri Jun 28 14:15:15 2013 +0300 + + Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d + + UBIFS: fix a horrid bug + + Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no + mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are + in the middle of 'ubifs_readdir()'. + + This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses + it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, + but this may corrupt memory and lead to all kinds of problems like crashes an + security holes. + + This patch fixes the problem by using the 'file->f_version' field, which + '->llseek()' always unconditionally sets to zero. We set it to 1 in + 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a + seek and it is time to clear the state saved in 'file->private_data'. + + I tested this patch by writing a user-space program which runds readdir and + seek in parallell. I could easily crash the kernel without these patches, but + could not crash it with these patches. + + Cc: stable@vger.kernel.org + Reported-by: Al Viro + Tested-by: Artem Bityutskiy + Signed-off-by: Artem Bityutskiy + Signed-off-by: Al Viro + + fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- + 1 files changed, 27 insertions(+), 3 deletions(-) + +commit c22280b85088978bd8b45bd23096879459b48008 +Author: Stephane Eranian +Date: Thu Jun 20 11:36:28 2013 +0200 + + Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 + + perf: Disable monitoring on setuid processes for regular users + + There was a a bug in setup_new_exec(), whereby + the test to disabled perf monitoring was not + correct because the new credentials for the + process were not yet committed and therefore + the get_dumpable() test was never firing. + + The patch fixes the problem by moving the + perf_event test until after the credentials + are committed. + + Signed-off-by: Stephane Eranian + Tested-by: Jiri Olsa + Acked-by: Peter Zijlstra + Cc: + Signed-off-by: Ingo Molnar + + fs/exec.c | 16 +++++++++------- + 1 files changed, 9 insertions(+), 7 deletions(-) + +commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 +Author: Brad Spengler +Date: Sat Jun 29 13:10:02 2013 -0400 + + on context switch, make sure we switch DACR when domain support and + KERNEXEC is disabled but UDEREF is enabled + + arch/arm/kernel/entry-armv.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 08d017fa51370921694ce087b28c96fec92993d4 +Author: Michael S. Tsirkin +Date: Sun Jun 23 17:26:58 2013 +0300 + + Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 + + macvtap: fix recovery from gup errors + + get user pages might fail partially in macvtap zero copy + mode. To recover we need to put all pages that we got, + but code used a wrong index resulting in double-free + errors. + + Reported-by: Brad Hubbard + Signed-off-by: Michael S. Tsirkin + Acked-by: Jason Wang + Signed-off-by: David S. Miller + + drivers/net/macvtap.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be +Author: Michael S. Tsirkin +Date: Sun Jun 23 17:19:03 2013 +0300 + + Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 + + tun: fix recovery from gup errors + + get user pages might fail partially in tun zero copy + mode. To recover we need to put all pages that we got, + but code used a wrong index resulting in double-free + errors. + + Reported-by: Brad Hubbard + Signed-off-by: Michael S. Tsirkin + Acked-by: Jason Wang + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + drivers/net/tun.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 +Author: Balazs Peter Odor +Date: Sat Jun 22 19:24:43 2013 +0200 + + Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 + + netfilter: nf_nat_sip: fix mangling + + In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) + there were some missing brackets around the logging information, thus + always returning drop. + + Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 + + Signed-off-by: Balazs Peter Odor + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_nat_sip.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 +Author: Anderson Lizardo +Date: Sun Jun 2 16:30:40 2013 -0400 + + Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d + + Bluetooth: Fix crash in l2cap_build_cmd() with small MTU + + If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus + controller, memory corruption happens due to a memcpy() call with + negative length. + + Fix this crash on either incoming or outgoing connections with a MTU + smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: + + [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 + [ 46.888037] IP: [] memcpy+0x1d/0x40 + [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 + [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC + [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common + [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 + [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 + [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] + [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 + [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 + [ 46.888037] EIP is at memcpy+0x1d/0x40 + [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 + [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c + [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 + [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 + [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 + [ 46.888037] DR6: ffff0ff0 DR7: 00000400 + [ 46.888037] Stack: + [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 + [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 + [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 + [ 46.888037] Call Trace: + [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] + [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] + [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] + [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 + [ 46.888037] [] ? mark_held_locks+0x68/0x110 + [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 + [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 + [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 + [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 + [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 + [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] + [ 46.888037] [] ? mark_held_locks+0x68/0x110 + [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 + [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 + [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] + [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] + [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] + [ 46.888037] [] process_one_work+0x1a9/0x600 + [ 46.888037] [] ? process_one_work+0x12b/0x600 + [ 46.888037] [] ? worker_thread+0x19e/0x320 + [ 46.888037] [] ? worker_thread+0x19e/0x320 + [ 46.888037] [] worker_thread+0xf7/0x320 + [ 46.888037] [] ? rescuer_thread+0x290/0x290 + [ 46.888037] [] kthread+0xa8/0xb0 + [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 + [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 + [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 + [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c + [ 46.888037] CR2: 00000000f56ad000 + [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- + + Signed-off-by: Anderson Lizardo + Cc: stable@vger.kernel.org + Signed-off-by: Gustavo Padovan + Signed-off-by: John W. Linville + + net/bluetooth/l2cap_core.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit b0471b6c1160858fc646d8e94628fd1299f61692 +Author: Jaganath Kanakkassery +Date: Fri Jun 21 19:55:11 2013 +0530 + + Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 + + Bluetooth: Fix invalid length check in l2cap_information_rsp() + + The length check is invalid since the length varies with type of + info response. + + This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 + + Because of this, l2cap info rsp is not handled and command reject is sent. + + > ACL data: handle 11 flags 0x02 dlen 16 + L2CAP(s): Info rsp: type 2 result 0 + Extended feature mask 0x00b8 + Enhanced Retransmission mode + Streaming mode + FCS Option + Fixed Channels + < ACL data: handle 11 flags 0x00 dlen 10 + L2CAP(s): Command rej: reason 0 + Command not understood + + Cc: stable@vger.kernel.org + Signed-off-by: Jaganath Kanakkassery + Signed-off-by: Chan-Yeol Park + Acked-by: Johan Hedberg + Signed-off-by: Gustavo Padovan + + net/bluetooth/l2cap_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4184af98c360d825e638b268b1a9847232e8d299 +Author: Eric Dumazet +Date: Wed Jun 26 04:15:07 2013 -0700 + + Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 + + ipv6: ip6_sk_dst_check() must not assume ipv6 dst + + It's possible to use AF_INET6 sockets and to connect to an IPv4 + destination. After this, socket dst cache is a pointer to a rtable, + not rt6_info. + + ip6_sk_dst_check() should check the socket dst cache is IPv6, or else + various corruptions/crashes can happen. + + Dave Jones can reproduce immediate crash with + trinity -q -l off -n -c sendmsg -c connect + + With help from Hannes Frederic Sowa + + Reported-by: Dave Jones + Reported-by: Hannes Frederic Sowa + Signed-off-by: Eric Dumazet + Acked-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletions(-) + +commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 +Author: Zefan Li +Date: Wed Jun 26 15:29:54 2013 +0800 + + Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 + + dlci: acquire rtnl_lock before calling __dev_get_by_name() + + Otherwise the net device returned can be freed at anytime. + + Signed-off-by: Li Zefan + Cc: stable@vger.kernel.org + Signed-off-by: David S. Miller + + drivers/net/wan/dlci.c | 14 +++++++++----- + 1 files changed, 9 insertions(+), 5 deletions(-) + +commit 1fe6f23c9acd14d832d056909ff326bde418e645 +Author: Zefan Li +Date: Wed Jun 26 15:31:58 2013 +0800 + + Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a + + dlci: validate the net device in dlci_del() + + We triggered an oops while running trinity with 3.4 kernel: + + BUG: unable to handle kernel paging request at 0000000100000d07 + IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] + PGD 640c0d067 PUD 0 + Oops: 0000 [#1] PREEMPT SMP + CPU 3 + ... + Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA + RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] + ... + Call Trace: + [] sock_ioctl+0x153/0x280 + [] do_vfs_ioctl+0xa4/0x5e0 + [] ? fget_light+0x3ea/0x490 + [] sys_ioctl+0x4f/0x80 + [] system_call_fastpath+0x16/0x1b + ... + + It's because the net device is not a dlci device. + + Reported-by: Li Jinyue + Signed-off-by: Li Zefan + Cc: stable@vger.kernel.org + Signed-off-by: David S. Miller + + drivers/net/wan/dlci.c | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +commit 4d4464407611527ef6b6b5475cfcab6121b3da66 +Merge: 59571a9 963af7f +Author: Brad Spengler +Date: Thu Jun 27 18:54:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 963af7f7f591759b731ce6325ceb583a72fcf423 +Merge: c51e25a 55db48a +Author: Brad Spengler +Date: Thu Jun 27 18:54:42 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 59571a9db7485f530a1e865a13cacc4c991ec41f +Author: Brad Spengler +Date: Wed Jun 26 18:39:08 2013 -0400 + + From: Mathias Krause + To: Steffen Klassert , + "David S. Miller" + Cc: Mathias Krause , netdev@vger.kernel.org, + Herbert Xu + Subject: [PATCH] af_key: fix info leaks in notify messages + + key_notify_sa_flush() and key_notify_policy_flush() miss to initialize + the sadb_msg_reserved member of the broadcasted message and thereby + leak 2 bytes of heap memory to listeners. Fix that. + + Signed-off-by: Mathias Krause + Cc: Steffen Klassert + Cc: "David S. Miller" + Cc: Herbert Xu + + net/key/af_key.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 +Author: Brad Spengler +Date: Wed Jun 26 18:33:06 2013 -0400 + + update rand_threadstack code to continue the search for a gap if the first + choice doesn't have enough space, instead of returning ENOMEM + + mm/mmap.c | 17 ++++++++++------- + 1 files changed, 10 insertions(+), 7 deletions(-) + +commit 87020d4a4d83038d65ff1fd519938840f6888b9e +Merge: 2682346 c51e25a +Author: Brad Spengler +Date: Wed Jun 26 18:25:32 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c51e25a23f30a1198076bd085f19b2073caf164d +Author: Brad Spengler +Date: Wed Jun 26 18:24:54 2013 -0400 + + Update to pax-linux-3.9.7-test12.patch: + - fixed a regression on PARAVIRT/amd64 kernels + - simplified the recent vm_unmapped_area_info based change + + arch/x86/kernel/entry_64.S | 8 ++++---- + mm/mmap.c | 22 ++++++++++++---------- + 2 files changed, 16 insertions(+), 14 deletions(-) + +commit 26823469a08e59cb67bea18d448d9e8c65f82e08 +Author: Brad Spengler +Date: Tue Jun 25 21:26:51 2013 -0400 + + re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX + vm_unmapped_area code is complete + + arch/x86/kernel/sys_i386_32.c | 5 +++++ + grsecurity/Kconfig | 2 +- + mm/mmap.c | 11 ++++++++++- + 3 files changed, 16 insertions(+), 2 deletions(-) + +commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 +Merge: e58fe8c c4e0704 +Author: Brad Spengler +Date: Tue Jun 25 19:08:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/sys_i386_32.c + +commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 +Author: Brad Spengler +Date: Tue Jun 25 19:05:39 2013 -0400 + + Update to pax-linux-3.9.7-test11.patch: + - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) + - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure + - fixed the recent nested nmi related fixes some more + - fixed a regression in kernel memory initialization on relocatable i386 kernels + - empty_zero_page can be read-only on amd64 as well + + arch/arm/mm/mmap.c | 6 -- + arch/x86/kernel/entry_64.S | 8 +-- + arch/x86/kernel/head_64.S | 1 - + arch/x86/kernel/setup.c | 2 +- + arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- + drivers/lguest/core.c | 2 +- + include/linux/mm.h | 6 +- + include/linux/vmalloc.h | 2 +- + mm/mmap.c | 30 +++++++- + 9 files changed, 83 insertions(+), 134 deletions(-) + +commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d +Author: Brad Spengler +Date: Sun Jun 23 14:37:14 2013 -0400 + + second compile fix, reported by forsaken on forums + + include/linux/vmalloc.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f +Author: Brad Spengler +Date: Sun Jun 23 14:36:35 2013 -0400 + + compile fix, reported by KDE on forums + + kernel/printk.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit 1fc9a5e2e267205d28302e1e86ca0da434561111 +Author: Ben Hutchings +Date: Sun Jun 16 21:27:12 2013 +0100 + + Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d + + x86/efi: Fix dummy variable buffer allocation + + 1. Check for allocation failure + 2. Clear the buffer contents, as they may actually be written to flash + 3. Don't leak the buffer + + Compile-tested only. + + [ Tested successfully on my buggy ASUS machine - Matt ] + + Signed-off-by: Ben Hutchings + Cc: stable@vger.kernel.org + Signed-off-by: Matt Fleming + + arch/x86/platform/efi/efi.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 +Author: Dave Kleikamp +Date: Tue Jun 18 09:05:36 2013 -0500 + + Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 + + sparc: tsb must be flushed before tlb + + This fixes a race where a cpu may re-load a tlb from a stale tsb right + after it has been flushed by a remote function call. + + I still see some instability when stressing the system with parallel + kernel builds while creating memory pressure by writing to + /proc/sys/vm/nr_hugepages, but this patch improves the stability + significantly. + + Signed-off-by: Dave Kleikamp + Acked-by: Bob Picco + Signed-off-by: David S. Miller + + arch/sparc/mm/tlb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d93b62f6485db9aadda34322a6867868db07f56f +Merge: 4ef62f5 71d83e9 +Author: Brad Spengler +Date: Fri Jun 21 16:52:55 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 71d83e97c936563913bcfb5a25c45b2021a331eb +Author: Brad Spengler +Date: Fri Jun 21 16:48:42 2013 -0400 + + Update to pax-linux-3.9.7-test10.patch: + - fixed a few format string problems uncovered by -Wformat-nonliteral + - another attempt at fixing the nested nmi/cr0.wp problem + - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) + - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) + - fixed a locking issue with track_exec_limit reported by spender + - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) + + Documentation/dontdiff | 1 + + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ + arch/x86/kernel/vmlinux.lds.S | 2 +- + block/genhd.c | 11 +++-- + crypto/algapi.c | 2 +- + crypto/pcrypt.c | 6 +- + drivers/base/attribute_container.c | 2 +- + drivers/base/power/sysfs.c | 2 +- + drivers/block/nbd.c | 2 +- + drivers/cdrom/cdrom.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/mem.c | 2 +- + drivers/devfreq/devfreq.c | 2 +- + drivers/gpu/drm/drm_encoder_slave.c | 6 +-- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/iommu/irq_remapping.c | 2 +- + drivers/video/output.c | 2 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 2 +- + fs/lockd/svc.c | 2 +- + fs/nfs/callback.c | 4 +- + fs/nfs/nfs4state.c | 2 +- + fs/nfsd/nfscache.c | 3 +- + init/initramfs.c | 2 +- + kernel/rcutree.c | 2 +- + lib/kobject.c | 2 +- + mm/backing-dev.c | 4 +- + mm/mmap.c | 4 +- + mm/slub.c | 2 +- + mm/vmalloc.c | 15 +++---- + net/bluetooth/hci_core.c | 8 ++-- + net/netfilter/nf_conntrack_proto_dccp.c | 4 +- + net/sunrpc/svc.c | 2 +- + security/Kconfig | 15 +++--- + sound/core/sound.c | 2 +- + sound/sound_core.c | 2 +- + 40 files changed, 116 insertions(+), 111 deletions(-) + +commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c +Merge: 39efd8f 256eff7 +Author: Brad Spengler +Date: Fri Jun 21 16:45:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + kernel/printk.c + +commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 +Merge: e6e3059 485f25f +Author: Brad Spengler +Date: Thu Jun 20 22:14:24 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d +Author: Brad Spengler +Date: Tue Jun 18 17:20:18 2013 -0400 + + add apparmor compat patch + + security/apparmor/Kconfig | 9 ++ + security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 240 insertions(+), 0 deletions(-) + +commit 49bee3c5341687504669bf62becf4a419a226ba0 +Author: Brad Spengler +Date: Mon Jun 17 18:48:04 2013 -0400 + + Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" + + This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. + + kernel/sys.c | 29 +++-------------------------- + 1 files changed, 3 insertions(+), 26 deletions(-) + +commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 +Author: Al Viro +Date: Sun Jun 16 18:06:06 2013 +0100 + + Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 + + lseek(fd, n, SEEK_END) does *not* go to eof - n + + When you copy some code, you are supposed to read it. If nothing else, + there's a chance to spot and fix an obvious bug instead of sharing it... + + X-Song: "I Got It From Agnes", by Tom Lehrer + Signed-off-by: Al Viro + [ Tom Lehrer? You're dating yourself, Al ] + Signed-off-by: Linus Torvalds + + drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- + drivers/scsi/bfa/bfad_debugfs.c | 2 +- + drivers/scsi/fnic/fnic_debugfs.c | 2 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +commit 5a450f1c46f0c84379518aee878993d3f4a331b6 +Author: Theodore Ts'o +Date: Thu Jun 6 11:14:31 2013 -0400 + + Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 + + ext4: verify group number in verify_group_input() before using it + + Check the group number for sanity earilier, before calling routines + such as ext4_bg_has_super() or ext4_group_overhead_blocks(). + + Reported-by: Jonathan Salwan + Signed-off-by: "Theodore Ts'o" + + fs/ext4/resize.c | 17 +++++++++++------ + 1 files changed, 11 insertions(+), 6 deletions(-) + +commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 +Author: Neil Horman +Date: Wed Jun 12 14:26:44 2013 -0400 + + Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 + + sctp: fully initialize sctp_outq in sctp_outq_init + + In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 + (refactor sctp_outq_teardown to insure proper re-initalization) + we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the + outq structure. Steve West recently asked me why I removed the q->error = 0 + initalization from sctp_outq_teardown. I did so because I was operating under + the impression that sctp_outq_init would properly initalize that value for us, + but it doesn't. sctp_outq_init operates under the assumption that the outq + struct is all 0's (as it is when called from sctp_association_init), but using + it in __sctp_outq_teardown violates that assumption. We should do a memset in + sctp_outq_init to ensure that the entire structure is in a known state there + instead. + + Signed-off-by: Neil Horman + Reported-by: "West, Steve (NSN - US/Fort Worth)" + CC: Vlad Yasevich + CC: netdev@vger.kernel.org + CC: davem@davemloft.net + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + Conflicts: + + net/sctp/outqueue.c + + net/sctp/outqueue.c | 8 ++------ + 1 files changed, 2 insertions(+), 6 deletions(-) + +commit e13515ad7a9c7634599a105b2527752e527a905d +Author: Saurabh Mohan +Date: Mon Jun 10 17:45:10 2013 -0700 + + Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 + + net/ipv4: ip_vti clear skb cb before tunneling. + + If users apply shaper to vti tunnel then it will cause a kernel crash. The + problem seems to be due to the vti_tunnel_xmit function not clearing + skb->opt field before passing the packet to xfrm tunneling code. + + Signed-off-by: Saurabh Mohan + Acked-by: Stephen Hemminger + Signed-off-by: David S. Miller + + net/ipv4/ip_vti.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 +Author: Guillaume Nault +Date: Wed Jun 12 16:07:36 2013 +0200 + + Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 + + l2tp: Fix sendmsg() return value + + PPPoL2TP sockets should comply with the standard send*() return values + (i.e. return number of bytes sent instead of 0 upon success). + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit af361b412e816e894fb42ddff7a0545b7def64c0 +Author: Guillaume Nault +Date: Wed Jun 12 16:07:23 2013 +0200 + + Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 + + l2tp: Fix PPP header erasure and memory leak + + Copy user data after PPP framing header. This prevents erasure of the + added PPP header and avoids leaking two bytes of uninitialised memory + at the end of skb's data buffer. + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1f43aca088c35dda35abf76e08544e534c71fed4 +Author: Daniel Borkmann +Date: Wed Jun 12 16:02:27 2013 +0200 + + Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe + + packet: packet_getname_spkt: make sure string is always 0-terminated + + uaddr->sa_data is exactly of size 14, which is hard-coded here and + passed as a size argument to strncpy(). A device name can be of size + IFNAMSIZ (== 16), meaning we might leave the destination string + unterminated. Thus, use strlcpy() and also sizeof() while we're + at it. We need to memset the data area beforehand, since strlcpy + does not padd the remaining buffer with zeroes for user space, so + that we do not possibly leak anything. + + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + net/packet/af_packet.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f +Author: Andy Lutomirski +Date: Wed Jun 5 19:38:26 2013 +0000 + + Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab + + net: Unbreak compat_sys_{send,recv}msg + + I broke them in this commit: + + commit 1be374a0518a288147c6a7398792583200a67261 + Author: Andy Lutomirski + Date: Wed May 22 14:07:44 2013 -0700 + + net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept + MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It + also reverts some unnecessary checks in sys_socketcall. + + Apparently I was suffering from underscore blindness the first time around. + + Signed-off-by: Andy Lutomirski + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + + include/linux/socket.h | 3 ++ + net/compat.c | 13 +++++++- + net/socket.c | 72 ++++++++++++++++++++++-------------------------- + 3 files changed, 47 insertions(+), 41 deletions(-) + +commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f +Author: Andy Lutomirski +Date: Wed May 22 14:07:44 2013 -0700 + + Upstream commit: 1be374a0518a288147c6a7398792583200a67261 + + net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + To: linux-kernel@vger.kernel.org + Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. + Miller" + Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- + it's a hack that steals a bit to indicate to other networking code + that a compat entry was used. So don't allow it from a non-compat + syscall. + + This prevents an oops when running this code: + + int main() + { + int s; + struct sockaddr_in addr; + struct msghdr *hdr; + + char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); + if (highpage == MAP_FAILED) + err(1, "mmap"); + + s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if (s == -1) + err(1, "socket"); + + addr.sin_family = AF_INET; + addr.sin_port = htons(1); + addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) + err(1, "connect"); + + void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; + printf("Evil address is %p\n", evil); + + if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) + err(1, "sendmmsg"); + + return 0; + } + + Cc: David S. Miller + Signed-off-by: Andy Lutomirski + Signed-off-by: David S. Miller + + net/socket.c | 33 +++++++++++++++++++++++++++++++-- + 1 files changed, 31 insertions(+), 2 deletions(-) + +commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e +Author: Kees Cook +Date: Fri May 10 14:48:21 2013 -0700 + + Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c + + b43: stop format string leaking into error msgs + + The module parameter "fwpostfix" is userspace controllable, unfiltered, + and is used to define the firmware filename. b43_do_request_fw() populates + ctx->errors[] on error, containing the firmware filename. b43err() + parses its arguments as a format string. For systems with b43 hardware, + this could lead to a uid-0 to ring-0 escalation. + + CVE-2013-2852 + + Signed-off-by: Kees Cook + Cc: stable@vger.kernel.org + Signed-off-by: John W. Linville + + drivers/net/wireless/b43/main.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit dfb67a67049ace7b94ad7e2febfac69816d50d85 +Author: Mark A. Greer +Date: Wed May 29 12:25:34 2013 -0700 + + Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 + + mwifiex: debugfs: Fix out of bounds array access + + When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', + the following panic occurs: + + $ cat /sys/kernel/debug/mwifiex/p2p0/info + Unable to handle kernel paging request at virtual address 74706164 + pgd = de530000 + [74706164] *pgd=00000000 + Internal error: Oops: 5 [#1] SMP ARM + Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex + CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 + task: de16b6c0 ti: de048000 task.ti: de048000 + PC is at strnlen+0xc/0x4c + LR is at string+0x3c/0xf8 + pc : [] lr : [] psr: a0000013 + sp : de049e10 ip : c06efba0 fp : de6d2092 + r10: bf01a260 r9 : ffffffff r8 : 74706164 + r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 + r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 + Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user + Control: 10c5387d Table: 9e530019 DAC: 00000015 + Process cat (pid: 1635, stack limit = 0xde048240) + Stack: (0xde049e10 to 0xde04a000) + 9e00: de6d2092 00000002 bf01a25e de6d209c + 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 + 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 + 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 + 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 + 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 + 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 + 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 + 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 + 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 + 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 + 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 + 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 + 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd + [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) + [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) + [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) + [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) + [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) + [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) + [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) + Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) + ---[ end trace ca98273dc605a04f ]--- + + The panic is caused by the mwifiex_info_read() routine assuming that + there can only be four modes (0-3) which is an invalid assumption. + For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the + code accesses data beyond the bounds of the bss_modes[] array which + causes the panic. Fix this by updating bss_modes[] to support the + current list of modes and adding a check to prevent the out-of-bounds + access from occuring in the future when more modes are added. + + Signed-off-by: Mark A. Greer + Acked-by: Bing Zhao + Signed-off-by: John W. Linville + + drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- + 1 files changed, 17 insertions(+), 5 deletions(-) + +commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 +Author: Johan Hedberg +Date: Tue May 28 13:46:30 2013 +0300 + + Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 + + Bluetooth: Fix missing length checks for L2CAP signalling PDUs + + There has been code in place to check that the L2CAP length header + matches the amount of data received, but many PDU handlers have not been + checking that the data received actually matches that expected by the + specific PDU. This patch adds passing the length header to the specific + handler functions and ensures that those functions fail cleanly in the + case of an incorrect amount of data. + + Signed-off-by: Johan Hedberg + Cc: stable@vger.kernel.org + Signed-off-by: Gustavo Padovan + Signed-off-by: John W. Linville + + net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- + 1 files changed, 52 insertions(+), 18 deletions(-) + +commit 628be2427afb241b5a1aa24bc5907d05287e1f25 +Author: Dan Carpenter +Date: Mon Jun 3 12:00:49 2013 +0300 + + Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 + + ipvs: info leak in __ip_vs_get_dest_entries() + + The entry struct has a 2 byte hole after ->port and another 4 byte + hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your + namespace to hit this information leak. + + Signed-off-by: Dan Carpenter + Acked-by: Julian Anastasov + Signed-off-by: Simon Horman + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/ipvs/ip_vs_ctl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 066d9226bc6c569d5f420c978b758e0bddd23444 +Author: Robin Holt +Date: Wed Jun 12 14:04:37 2013 -0700 + + Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db + + reboot: rigrate shutdown/reboot to boot cpu + + We recently noticed that reboot of a 1024 cpu machine takes approx 16 + minutes of just stopping the cpus. The slowdown was tracked to commit + f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in + kernel_restart()"). + + The current implementation does all the work of hot removing the cpus + before halting the system. We are switching to just migrating to the + boot cpu and then continuing with shutdown/reboot. + + This also has the effect of not breaking x86's command line parameter + for specifying the reboot cpu. Note, this code was shamelessly copied + from arch/x86/kernel/reboot.c with bits removed pertaining to the + reboot_cpu command line parameter. + + Signed-off-by: Robin Holt + Tested-by: Shawn Guo + Cc: "Srivatsa S. Bhat" + Cc: H. Peter Anvin + Cc: Thomas Gleixner + Cc: Ingo Molnar + Cc: Russ Anderson + Cc: Robin Holt + Cc: Russell King + Cc: Guan Xuetao + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/sys.c | 29 ++++++++++++++++++++++++++--- + 1 files changed, 26 insertions(+), 3 deletions(-) + +commit 94e2a91600b07d39825e7059195f35eb611a39a2 +Merge: 20cc761 e6e3059 +Author: Brad Spengler +Date: Thu Jun 13 16:23:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a +Merge: c6aadb1 4b73feb +Author: Brad Spengler +Date: Thu Jun 13 16:23:39 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 20cc7613e38cde07adc73179a91d6c15292e8d43 +Author: Daniel Borkmann +Date: Thu Jun 6 15:53:47 2013 +0200 + + Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c + + net: sctp: fix NULL pointer dereference in socket destruction + + While stress testing sctp sockets, I hit the following panic: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: [] sctp_endpoint_free+0xe/0x40 [sctp] + PGD 7cead067 PUD 7ce76067 PMD 0 + Oops: 0000 [#1] SMP + Modules linked in: sctp(F) libcrc32c(F) [...] + CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 + Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 + task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 + RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] + RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 + RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 + RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 + RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 + FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + Stack: + ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded + ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e + 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e + Call Trace: + [] sctp_destroy_sock+0x3d/0x80 [sctp] + [] sk_common_release+0x1e/0xf0 + [] inet_create+0x2ae/0x350 + [] __sock_create+0x11f/0x240 + [] sock_create+0x30/0x40 + [] SyS_socket+0x4c/0xc0 + [] ? do_page_fault+0xe/0x10 + [] ? page_fault+0x22/0x30 + [] system_call_fastpath+0x16/0x1b + Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f + 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> + 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 + RIP [] sctp_endpoint_free+0xe/0x40 [sctp] + RSP + CR2: 0000000000000020 + ---[ end trace e0d71ec1108c1dd9 ]--- + + I did not hit this with the lksctp-tools functional tests, but with a + small, multi-threaded test program, that heavily allocates, binds, + listens and waits in accept on sctp sockets, and then randomly kills + some of them (no need for an actual client in this case to hit this). + Then, again, allocating, binding, etc, and then killing child processes. + + This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' + is set. The cause for that is actually very simple: in sctp_endpoint_init() + we enter the path of sctp_auth_init_hmacs(). There, we try to allocate + our crypto transforms through crypto_alloc_hash(). In our scenario, + it then can happen that crypto_alloc_hash() fails with -EINTR from + crypto_larval_wait(), thus we bail out and release the socket via + sk_common_release(), sctp_destroy_sock() and hit the NULL pointer + dereference as soon as we try to access members in the endpoint during + sctp_endpoint_free(), since endpoint at that time is still NULL. Now, + if we have that case, we do not need to do any cleanup work and just + leave the destruction handler. + + Signed-off-by: Daniel Borkmann + Acked-by: Neil Horman + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/socket.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 386ba837978cc8a1111440bdcd8600f2df4634a4 +Author: Brad Spengler +Date: Wed Jun 12 20:37:48 2013 -0400 + + fix deadlock when booting i386 kernel without NX + + mm/mmap.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 +Author: Brad Spengler +Date: Tue Jun 11 22:18:07 2013 -0400 + + fix elif / elif defined() typo in recent change + + kernel/events/core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit bc43377e1e757cd37a06be0187884a42af718aab +Merge: 3cdea63 c6aadb1 +Author: Brad Spengler +Date: Tue Jun 11 18:50:39 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 +Author: Brad Spengler +Date: Tue Jun 11 18:49:36 2013 -0400 + + Update to pax-linux-3.9.4-test9.patch: + - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) + - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort + + arch/x86/kernel/setup.c | 2 +- + mm/mlock.c | 1 - + 2 files changed, 1 insertions(+), 2 deletions(-) + +commit 3cdea63e90607d8d55820b101854091623feedb8 +Author: Brad Spengler +Date: Mon Jun 10 21:21:44 2013 -0400 + + Fix fanotify infoleak reported by Dan Carpenter at: + https://lkml.org/lkml/2013/6/3/128 + + Requires CAP_SYS_ADMIN, so this is about as low priority as it gets + + fs/notify/fanotify/fanotify_user.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 373a2b5df78f82b9d3db72bd6577e29a71591323 +Author: Brad Spengler +Date: Mon Jun 10 21:16:46 2013 -0400 + + Backport infoleak fix by Dan Carpenter in cpqarray: + https://lkml.org/lkml/2013/6/3/131 + + drivers/block/cpqarray.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 251e84b9b05e063981b20be154c9389862f94759 +Author: Brad Spengler +Date: Mon Jun 10 21:04:17 2013 -0400 + + Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 + + drivers/cdrom/cdrom.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 383d89bf95818b05a485a6e8b118963b5bcbc83e +Author: Brad Spengler +Date: Mon Jun 10 18:34:32 2013 -0400 + + change const to __read_only + + kernel/sysctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 +Author: Brad Spengler +Date: Mon Jun 10 17:34:13 2013 -0400 + + compile fix, make const values const + + kernel/sysctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d +Author: Brad Spengler +Date: Mon Jun 10 17:37:13 2013 -0400 + + Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a + + drivers/char/mwave/tp3780i.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1c590aa70c95ebd76ba9672aa23d800b81780615 +Author: Brad Spengler +Date: Sun Jun 9 19:50:35 2013 -0400 + + allow -1 perf_event_paranoid + + kernel/sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 +Merge: 4e85539 117c3fa +Author: Brad Spengler +Date: Sun Jun 9 17:30:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 117c3fa8d26c3806103123560f807d99071b60b6 +Merge: ed9b427 5dd2e98 +Author: Brad Spengler +Date: Sun Jun 9 17:30:00 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 +Author: Eric Dumazet +Date: Mon May 13 21:25:52 2013 +0000 + + Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e + + tcp: fix tcp_md5_hash_skb_data() + + TCP md5 communications fail [1] for some devices, because sg/crypto code + assume page offsets are below PAGE_SIZE. + + This was discovered using mlx4 driver [2], but I suspect loopback + might trigger the same bug now we use order-3 pages in tcp_sendmsg() + + [1] Failure is giving following messages. + + huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, + exited with 00000101? + + [2] mlx4 driver uses order-2 pages to allocate RX frags + + Reported-by: Matt Schnall + Signed-off-by: Eric Dumazet + Cc: Bernhard Beck + Signed-off-by: David S. Miller + + net/ipv4/tcp.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb +Author: Eric Dumazet +Date: Fri May 17 04:53:13 2013 +0000 + + Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a + + ipv6: fix possible crashes in ip6_cork_release() + + commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") + added some code duplication and bad error recovery, leading to potential + crash in ip6_cork_release() as kfree() could be called with garbage. + + use kzalloc() to make sure this wont happen. + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + Cc: Herbert Xu + Cc: Hideaki YOSHIFUJI + Cc: Neal Cardwell + + net/ipv6/ip6_output.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5771263fe368cd384127dd17d7596a7e1a4e2eec +Author: Chen Gang +Date: Thu May 16 23:13:04 2013 +0000 + + Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 + + net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. + + 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the + strncpy() will always left the last byte of 'discovery->data.info' + uninitialized. + + When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left + the last byte of 'discovery->data.info' uninitialized, the next + strlen() will cause issue. + + Also 'discovery->data' is 'struct irda_device_info' which defined in + "include/uapi/...", it may copy to user mode, so need whole initialized. + + All together, need use kzalloc() instead of kmalloc() to initialize all + members firstly. + + Signed-off-by: Chen Gang + Signed-off-by: David S. Miller + + net/irda/irlap_frame.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c01c9af268cb066f240aec53454b8b74d8d01688 +Author: Dan Carpenter +Date: Sun May 19 08:36:36 2013 +0000 + + Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 + + isdn/kcapi: fix a small underflow + + In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes + from skb->data. The current code can underflow to one space before the + start of the array. + + The sanity check isn't needed in __get_capi_appl_by_nr() but I changed + it to match the others. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/capi/kcapi.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 +Author: Timo Teräs +Date: Wed May 22 01:40:47 2013 +0000 + + Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 + + xfrm: properly handle invalid states as an error + + The error exit path needs err explicitly set. Otherwise it + returns success and the only caller, xfrm_output_resume(), + would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is + NULL. + + Bug introduced in commit bb65a9cb (xfrm: removes a superfluous + check and add a statistic). + + Signed-off-by: Timo Teräs + Cc: Li RongQing + Cc: Steffen Klassert + Signed-off-by: David S. Miller + + net/xfrm/xfrm_output.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd +Author: Jeff Mahoney +Date: Fri May 31 15:07:52 2013 -0400 + + Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab + + reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry + + After sleeping for filldir(), we check to see if the file system has + changed and research. The next_pos pointer is updated but its value + isn't pushed into the key used for the search itself. As a result, + the search returns the same item that the last cycle of the loop did + and filldir() is called multiple times with the same data. + + The end result is that the buffer can contain the same name multiple + times. This can be returned to userspace or used internally in the + xattr code where it can manifest with the following warning: + + jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) + + reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over + the xattr names and ends up trying to unlink the same name twice. The + second attempt fails with -ENOENT and the error is returned. At some + point I'll need to add support into reiserfsck to remove the orphaned + directories left behind when this occurs. + + The fix is to push the value into the key before researching. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/dir.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 +Author: Jeff Mahoney +Date: Fri May 31 15:51:17 2013 -0400 + + Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc + + reiserfs: fix deadlock with nfs racing on create/lookup + + Reiserfs is currently able to be deadlocked by having two NFS clients + where one has removed and recreated a file and another is accessing the + file with an open file handle. + + If one client deletes and recreates a file with timing such that the + recreated file obtains the same [dirid, objectid] pair as the original + file while another client accesses the file via file handle, the create + and lookup can race and deadlock if the lookup manages to create the + in-memory inode first. + + The create thread, in insert_inode_locked4, will hold the write lock + while waiting on the other inode to be unlocked. The lookup thread, + anywhere in the iget path, will release and reacquire the write lock while + it schedules. If it needs to reacquire the lock while the create thread + has it, it will never be able to make forward progress because it needs + to reacquire the lock before ultimately unlocking the inode. + + This patch drops the write lock across the insert_inode_locked4 call so + that the ordering of inode_wait -> write lock is retained. Since this + would have been the case before the BKL push-down, this is safe. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/inode.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 +Author: Jeff Mahoney +Date: Fri May 31 15:54:17 2013 -0400 + + Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b + + reiserfs: fix problems with chowning setuid file w/ xattrs + + reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr + and uses it to iterate over all the attrs associated with a file to change + ownership of xattrs (and transfer quota associated with the xattr files). + + When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode + are passed to all the xattrs as well. This means that the xattr directory + will have S_IFREG added to its mode bits. + + This has been prevented in practice by a missing IS_PRIVATE check + in reiserfs_acl_chmod, which caused a double-lock to occur while holding + the write lock. Since the file system was completely locked up, the + writeout of the corrupted mode never happened. + + This patch temporarily clears everything but ATTR_UID|ATTR_GID for the + calls to reiserfs_setattr and adds the missing IS_PRIVATE check. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/xattr.c | 14 +++++++++++++- + fs/reiserfs/xattr_acl.c | 3 +++ + 2 files changed, 16 insertions(+), 1 deletions(-) + +commit c18cef940310c06bdf86d64d8cb227e56e165300 +Author: Dave Chinner +Date: Mon May 27 16:38:25 2013 +1000 + + Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b + + xfs: kill suid/sgid through the truncate path. + + XFS has failed to kill suid/sgid bits correctly when truncating + files of non-zero size since commit c4ed4243 ("xfs: split + xfs_setattr") introduced in the 3.1 kernel. Fix it. + + Fix it. + + cc: stable kernel + Signed-off-by: Dave Chinner + Reviewed-by: Brian Foster + Signed-off-by: Ben Myers + + (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) + + fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 files changed, 32 insertions(+), 15 deletions(-) + +commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc +Author: Trond Myklebust +Date: Wed May 29 15:36:40 2013 -0400 + + Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 + + NFSv4: Fix a thinko in nfs4_try_open_cached + + We need to pass the full open mode flags to nfs_may_open() when doing + a delegated open. + + Signed-off-by: Trond Myklebust + Cc: stable@vger.kernel.org + + fs/nfs/nfs4proc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c47de62893a9f269be0a272c2840aac1e2a35c68 +Author: Chen Gang +Date: Thu May 30 01:18:43 2013 +0000 + + Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 + + parisc: kernel: using strlcpy() instead of strcpy() + + 'boot_args' is an input args, and 'boot_command_line' has a fix length. + So use strlcpy() instead of strcpy() to avoid memory overflow. + + Signed-off-by: Chen Gang + Acked-by: Kyle McMartin + Signed-off-by: Helge Deller + + arch/parisc/kernel/setup.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit ce869e6f799f95fcac340420ba3612503df80dbf +Author: Chen Gang +Date: Mon May 27 04:57:09 2013 +0000 + + Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 + + parisc: memory overflow, 'name' length is too short for using + + 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 + * "%u:" + "%u" + '\0') may be 21. + + Since 'name' length is 20, it may be memory overflow. + + And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the + max length of 'name' must be less than 28. + + So simplify thinking, we can use 28 instead of 20 directly, and do not + think of whether 'patchc.bc[i]' can '> 100'. + + Signed-off-by: Chen Gang + Signed-off-by: Helge Deller + + arch/parisc/kernel/drivers.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5dc65cd34d442783118a17c518e2daedb90a31d0 +Author: Brad Spengler +Date: Tue Jun 4 17:52:23 2013 -0400 + + add PERF_HARDEN recommendation + + grsecurity/Kconfig | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c +Author: Brad Spengler +Date: Tue Jun 4 17:22:44 2013 -0400 + + Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN + + grsecurity/Kconfig | 19 +++++++++++++++++++ + include/linux/perf_event.h | 5 +++++ + kernel/events/core.c | 10 +++++++++- + kernel/sysctl.c | 9 ++++++++- + 4 files changed, 41 insertions(+), 2 deletions(-) + +commit 84619a3501fd38285a72d9e963f58d1827beedd6 +Author: Brad Spengler +Date: Sat Jun 1 14:23:31 2013 -0400 + + remove user-triggerable BUG_ON in do_munlockall() + + mm/mlock.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 +Author: Brad Spengler +Date: Sat Jun 1 13:44:05 2013 -0400 + + Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 + + From: Kees Cook + Date: Thu, 23 May 2013 17:32:17 +0000 + Subject: iscsi-target: fix heap buffer overflow on error + + If a key was larger than 64 bytes, as checked by iscsi_check_key(), the + error response packet, generated by iscsi_add_notunderstood_response(), + would still attempt to copy the entire key into the packet, overflowing + the structure on the heap. + + Remote preauthentication kernel memory corruption was possible if a + target was configured and listening on the network. + + CVE-2013-2850 + + Embargo-screwup-by: Kees Cook + Cc: stable@vger.kernel.org + Signed-off-by: Nicholas Bellinger + + drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- + drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e +Author: Brad Spengler +Date: Sat Jun 1 13:43:26 2013 -0400 + + Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" + Applying upstream fix instead + + This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. + + drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 +Author: Dan Carpenter +Date: Sun May 19 21:52:20 2013 +0300 + + Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 + + USB: cxacru: potential underflow in cxacru_cm_get_array() + + commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. + + The value of "offd" comes off the instance->rcv_buf[] and we used it as + the offset into an array. The problem is that we check the upper bound + but not for negative values. + + Signed-off-by: Dan Carpenter + Signed-off-by: Greg Kroah-Hartman + Signed-off-by: Ben Hutchings + + drivers/usb/atm/cxacru.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 +Author: Brad Spengler +Date: Sat Jun 1 11:30:17 2013 -0400 + + Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters + + drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit 8578566969d91678a3d7d5251b4eafc6d7775314 +Author: Brad Spengler +Date: Thu May 30 17:44:15 2013 -0400 + + Apply compatibility fix to previous RLIMIT_NPROC change + don't enforce the rlimit check at exec time if the user is root + Prevents problems with sudo if root is listed as part of a group + in limits.conf with process limits enforced + + kernel/sys.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 +Merge: 643b294 ed9b427 +Author: Brad Spengler +Date: Wed May 29 19:19:28 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit ed9b4276488528d0c3803df1dc0df804238241e0 +Author: Brad Spengler +Date: Wed May 29 19:18:45 2013 -0400 + + Updated to pax-linux-3.9.4-test8.patch: + - fixed some fallout detected by the checker plugin + + arch/x86/kernel/crash_dump_64.c | 2 +- + drivers/base/devtmpfs.c | 6 +++--- + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 2 +- + drivers/char/mem.c | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- + drivers/i2c/i2c-dev.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- + drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- + fs/9p/vfs_addr.c | 2 +- + fs/binfmt_elf.c | 4 ++-- + fs/compat_ioctl.c | 4 ++-- + fs/exec.c | 2 +- + fs/namespace.c | 8 ++++---- + fs/proc/vmcore.c | 12 ++++++++---- + fs/read_write.c | 2 +- + include/linux/syscalls.h | 8 ++++---- + init/do_mounts_initrd.c | 8 ++++---- + init/main.c | 4 ++-- + kernel/events/core.c | 2 +- + kernel/events/internal.h | 10 +++++----- + mm/page_io.c | 2 +- + security/keys/internal.h | 2 +- + tools/gcc/checker_plugin.c | 1 + + 24 files changed, 63 insertions(+), 54 deletions(-) + +commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 +Author: Brad Spengler +Date: Wed May 29 18:51:31 2013 -0400 + + eliminate gcc warning + + fs/exec.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 +Author: Brad Spengler +Date: Wed May 29 18:30:20 2013 -0400 + + use BUILD_BUG() instead of BUILD_BUG_ON(1) + + arch/x86/net/bpf_jit_comp.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 5343410354267368e5809f3ad8d9a264f141be18 +Author: Brad Spengler +Date: Wed May 29 17:57:41 2013 -0400 + + defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON + for unknown opcodes + + arch/x86/net/bpf_jit_comp.c | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d +Author: Xiao Guangrong +Date: Fri May 24 15:55:11 2013 -0700 + + Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 + + mm: mmu_notifier: re-fix freed page still mapped in secondary MMU + + Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and + multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: + fix freed page still mapped in secondary MMU"). + + Since hlist_for_each_entry_rcu() is changed now, we can not revert that + patch directly, so this patch reverts the commit and simply fix the bug + spotted by that patch + + This bug spotted by commit 751efd8610d3 is: + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result + of a filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + + This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. + + The another issue spotted in the commit is "multiple ->release() + callouts", we needn't care it too much because it is really rare (e.g, + can not happen on kvm since mmu-notify is unregistered after + exit_mmap()) and the later call of multiple ->release should be fast + since all the pages have already been released by the first call. + Anyway, this issue should be fixed in a separate patch. + + -stable suggestions: Any version that has commit 751efd8610d3 need to be + backported. I find the oldest version has this commit is 3.0-stable. + + [akpm@linux-foundation.org: tweak comments] + Signed-off-by: Xiao Guangrong + Tested-by: Robin Holt + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- + 1 files changed, 39 insertions(+), 40 deletions(-) + +commit 163a5539b36247865d39b2bcfa8efc03a62124a6 +Author: Aneesh Kumar K.V +Date: Fri May 24 15:55:21 2013 -0700 + + Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 + + mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer + + We should not use set_pmd_at to update pmd_t with pgtable_t pointer. + set_pmd_at is used to set pmd with huge pte entries and architectures + like ppc64, clear few flags from the pte when saving a new entry. + Without this change we observe bad pte errors like below on ppc64 with + THP enabled. + + BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 + + Signed-off-by: Aneesh Kumar K.V + Cc: Hugh Dickins + Cc: Benjamin Herrenschmidt + Reviewed-by: Andrea Arcangeli + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/huge_memory.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 3e54faf888d324d5f362dcba16173ea7bba61e8a +Author: OGAWA Hirofumi +Date: Fri May 24 15:55:08 2013 -0700 + + Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 + + fat: fix possible overflow for fat_clusters + + Intermediate value of fat_clusters can be overflowed on 32bits arch. + + Reported-by: Krzysztof Strasburger + Signed-off-by: OGAWA Hirofumi + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/fat/inode.c | 15 ++++++++++++++- + 1 files changed, 14 insertions(+), 1 deletions(-) + +commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d +Author: Jarod Wilson +Date: Fri May 24 15:55:31 2013 -0700 + + Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 + + drivers/char/random.c: fix priming of last_data + + Commit ec8f02da9ea5 ("random: prime last_data value per fips + requirements") added priming of last_data per fips requirements. + + Unfortuantely, it did so in a way that can lead to multiple threads all + incrementing nbytes, but only one actually doing anything with the extra + data, which leads to some fun random corruption and panics. + + The fix is to simply do everything needed to prime last_data in a single + shot, so there's no window for multiple cpus to increment nbytes -- in + fact, we won't even increment or decrement nbytes anymore, we'll just + extract the needed EXTRACT_SIZE one time per pool and then carry on with + the normal routine. + + All these changes have been tested across multiple hosts and + architectures where panics were previously encoutered. The code changes + are are strictly limited to areas only touched when when booted in fips + mode. + + This change should also go into 3.8-stable, to make the myriads of fips + users on 3.8.x happy. + + Signed-off-by: Jarod Wilson + Tested-by: Jan Stancek + Tested-by: Jan Stodola + Cc: Herbert Xu + Acked-by: Neil Horman + Cc: "David S. Miller" + Cc: Matt Mackall + Cc: "Theodore Ts'o" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/char/random.c | 30 +++++++++++++++--------------- + 1 files changed, 15 insertions(+), 15 deletions(-) + +commit 2d74639040ba6ce47f57ec010714ec06529c4b42 +Author: Jiri Kosina +Date: Fri May 24 15:55:33 2013 -0700 + + Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 + + random: fix accounting race condition with lockless irq entropy_count update + + Commit 902c098a3663 ("random: use lockless techniques in the interrupt + path") turned IRQ path from being spinlock protected into lockless + cmpxchg-retry update. + + That commit removed r->lock serialization between crediting entropy bits + from IRQ context and accounting when extracting entropy on userspace + read path, but didn't turn the r->entropy_count reads/updates in + account() to use cmpxchg as well. + + It has been observed, that under certain circumstances this leads to + read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets + corrupted and becomes negative, which in turn results in propagating 0 + all the way from account() to the actual read() call. + + Convert the accounting code to be the proper lockless counterpart of + what has been partially done by 902c098a3663. + + Signed-off-by: Jiri Kosina + Cc: Theodore Ts'o + Cc: Greg KH + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/char/random.c | 26 +++++++++++++++++--------- + 1 files changed, 17 insertions(+), 9 deletions(-) + +commit 65d05c7ea468c23c175105526dd4f163302a92cf +Merge: 1a98d0a 6ce3a135 +Author: Brad Spengler +Date: Sat May 25 07:48:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/vm86_32.c + +commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 +Merge: 79bdd65 0bfd8ff +Author: Brad Spengler +Date: Sat May 25 07:46:55 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 +Author: Brad Spengler +Date: Thu May 23 18:42:23 2013 -0400 + + use existing local variable + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b2b80ef8586061e32e986b31608717c25d1e7c54 +Merge: cb45fbd 79bdd65 +Author: Brad Spengler +Date: Thu May 23 17:58:53 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 79bdd65dac68267bc1b201c6b4a99966a373c305 +Author: Brad Spengler +Date: Thu May 23 17:57:46 2013 -0400 + + Update to pax-linux-3.9.3-test7.patch: + - fixed some size overflow related warnings (hash table, attributes) + - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html + + arch/x86/include/asm/page_64.h | 2 +- + arch/x86/kernel/head64.c | 2 +- + tools/gcc/constify_plugin.c | 48 ++- + tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ + 4 files changed, 651 insertions(+), 592 deletions(-) + +commit cb45fbda4967b1b544a754fbdc92d73283379522 +Merge: 62588fa 57c11b8 +Author: Brad Spengler +Date: Mon May 20 17:32:17 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 57c11b85acd841a088aa4df8e60be337880df8cd +Merge: 0598b37 4bb0869 +Author: Brad Spengler +Date: Mon May 20 17:32:08 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 +Merge: e261c7b 0598b37 +Author: Brad Spengler +Date: Fri May 17 22:57:36 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 +Author: Brad Spengler +Date: Fri May 17 22:57:07 2013 -0400 + + Update to pax-linux-3.9.2-test6.patch: + - fixed a gcc assert in the structleak plugin, reported by Emese Revfy + - fixed pfn extraction from pud/pgd entries, reported by ousado + + arch/x86/include/asm/pgtable.h | 9 +++++++-- + tools/gcc/structleak_plugin.c | 3 ++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +commit e261c7bc611e9127bbb7bd95cddd51524bf255ae +Author: Brad Spengler +Date: Thu May 16 22:54:12 2013 -0400 + + add offset to topdown check, fixes compilation + + arch/x86/kernel/sys_x86_64.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 +Author: Brad Spengler +Date: Thu May 16 20:57:41 2013 -0400 + + CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, + reported by lulzh3ad on irc + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0d4593e84707cdf6deb6b925c18c676a476b1613 +Merge: 43cd0c0 39a877f +Author: Brad Spengler +Date: Thu May 16 20:39:11 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 39a877f192ed305d88edac10a14a9e8e1e161f3f +Author: Brad Spengler +Date: Thu May 16 20:37:35 2013 -0400 + + Update to pax-linux-3.9.2-test105.patch: + - fixed !EFI boot problem, reported by spender + - fixed a few compile warnings + - fixed some more compile errors due to constification + - fixed some arm fallout, reported by Michael Tremer + + arch/arm/include/asm/psci.h | 2 +- + arch/arm/kernel/psci.c | 2 +- + arch/x86/kernel/sys_x86_64.c | 3 +-- + arch/x86/realmode/init.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- + drivers/irqchip/irq-gic.c | 2 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- + drivers/platform/x86/chromeos_laptop.c | 2 +- + fs/jfs/super.c | 4 ++-- + include/linux/irqchip/arm-gic.h | 2 ++ + include/sound/compress_driver.h | 2 +- + net/mac80211/cfg.c | 4 ++-- + sound/soc/fsl/fsl_ssi.c | 2 +- + 14 files changed, 31 insertions(+), 22 deletions(-) + +commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 +Author: Brad Spengler +Date: Thu May 16 20:35:22 2013 -0400 + + Fix usercopy false positive under gcc 4.1 + + arch/x86/kernel/signal.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 56a166129d817f6634c8c230e6ec497669bdfaca +Author: Amerigo Wang +Date: Thu May 9 21:56:37 2013 +0000 + + Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f + + ipv6,gre: do not leak info to user-space + + There is a hole in struct ip6_tnl_parm2, so we have to + zero the struct on stack before copying it to user-space. + + Cc: David S. Miller + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + net/ipv6/ip6_gre.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit d6f50dae2653ad912952da40417a8ccbd59c7699 +Author: Brad Spengler +Date: Tue May 14 16:52:35 2013 -0400 + + disable unprivileged kernel profiling under HIDESYM, rename + the variable to something more appropriate + + include/linux/perf_event.h | 8 ++++---- + kernel/events/core.c | 6 +++++- + kernel/sysctl.c | 4 ++-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +commit 01322c6951bed4eedefbd2178dbd99292b365d99 +Author: Brad Spengler +Date: Mon May 13 17:19:57 2013 -0400 + + mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its + existing stack-heap gap code for the new unified vm_unmapped_area + + grsecurity/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 +Author: Brad Spengler +Date: Mon May 13 15:40:32 2013 -0400 + + fix NX fault on early boot + + arch/x86/realmode/init.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 +Author: Brad Spengler +Date: Mon May 13 10:48:13 2013 -0400 + + compile fix, we weren't using %pa anyway and it's now being used + by upstream for physical address printing + + lib/vsprintf.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d +Author: Brad Spengler +Date: Mon May 13 10:39:52 2013 -0400 + + compile fix + + grsecurity/grsec_chroot.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b +Author: Brad Spengler +Date: Mon May 13 10:35:36 2013 -0400 + + compile fixes + + grsecurity/grsec_chroot.c | 2 +- + include/linux/grinternal.h | 8 ++++---- + include/linux/grsecurity.h | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 +Author: Brad Spengler +Date: Mon May 13 10:27:18 2013 -0400 + + compile fix + + fs/exec.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 +Author: Brad Spengler +Date: Mon May 13 10:23:17 2013 -0400 + + Initial port of grsecurity for 3.9.2 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 8 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/slice.c | 8 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/Kconfig.debug | 2 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 14 +- + arch/x86/kernel/sys_x86_64.c | 6 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/usb/storage/realtek_cr.c | 2 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 10 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 181 +- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 241 ++- + fs/namespace.c | 24 + + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 +- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 3 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 1031 +++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 +++ + grsecurity/gracl_ip.c | 387 ++ + grsecurity/gracl_learn.c | 207 + + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 ++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 ++ + grsecurity/grsec_disabled.c | 434 +++ + grsecurity/grsec_exec.c | 187 + + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 ++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 ++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 222 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 +++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 319 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 215 + + include/linux/grmsg.h | 111 + + include/linux/grsecurity.h | 242 ++ + include/linux/grsock.h | 19 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 12 + + include/linux/sched.h | 68 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/net/secure_seq.h | 1 + + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 71 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 8 + + kernel/printk.c | 13 +- + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 39 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + lib/vsprintf.c | 35 +- + localversion-grsec | 1 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 64 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/8021q/vlan.c | 7 + + net/core/dev_ioctl.c | 4 + + net/core/net-procfs.c | 5 + + net/core/secure_seq.c | 4 +- + net/core/sock_diag.c | 7 + + net/ipv4/af_inet.c | 5 +- + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 7 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 2 +- + net/phonet/af_phonet.c | 2 +- + net/sctp/probe.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/tipc/link.c | 11 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 342 ++- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 291 files changed, 15221 insertions(+), 2052 deletions(-) + +commit 88854c350c899bceca4a94598c42bed44d0dc91b +Author: Brad Spengler +Date: Mon May 13 07:37:47 2013 -0400 + + Initial import of pax-linux-3.9.2-test2.patch + + Documentation/dontdiff | 45 +- + Documentation/kernel-parameters.txt | 12 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 421 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 6 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 15 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 15 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-ux500/include/mach/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 91 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 36 +- + arch/arm/mm/mmu.c | 187 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 23 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/kernel/us3_cpufreq.c | 69 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 6 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 21 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 6 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 67 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page_64.h | 2 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 113 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel.c | 2 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 63 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 ++- + arch/x86/kernel/entry_64.S | 530 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 1 - + arch/x86/kernel/head_32.S | 237 +- + arch/x86/kernel/head_64.S | 120 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 57 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 4 +- + arch/x86/kernel/setup.c | 19 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 248 + + arch/x86/kernel/sys_x86_64.c | 19 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 57 +- + arch/x86/kvm/x86.c | 10 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 70 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 376 +- + arch/x86/lib/usercopy_64.c | 25 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 556 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 90 +- + arch/x86/mm/init_32.c | 119 +- + arch/x86/mm/init_64.c | 44 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 19 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 4 +- + arch/x86/realmode/init.c | 8 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/relocs.c | 95 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 2 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 9 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/frontend.c | 2 +- + drivers/char/hpet.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 41 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clocksource/arm_arch_timer.c | 2 +- + drivers/clocksource/metag_generic.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 4 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-cdev.c | 3 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efivars.c | 4 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 4 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 10 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/devices/doc2000.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/iio/iio_hwmon.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 11 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 605 +++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 8 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/ecryptfs/read_write.c | 2 +- + fs/exec.c | 362 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/super.c | 2 +- + fs/fhandle.c | 3 +- + fs/fifo.c | 22 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 2 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 6 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 2 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 8 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 33 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 36 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/compat.h | 6 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpu.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/ftrace_event.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 2 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 15 + + include/linux/math64.h | 6 +- + include/linux/mm.h | 110 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 12 +- + include/linux/pipe_fs_i.h | 6 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/proc_fs.h | 2 +- + include/linux/random.h | 5 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 67 +- + include/linux/sched/sysctl.h | 1 + + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 36 +- + include/linux/slab_def.h | 33 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 10 +- + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 2 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-ioctl.h | 1 - + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 12 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 22 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 77 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 7 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 20 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 68 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 51 +- + kernel/sched/fair.c | 4 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 18 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 6 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 20 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 8 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + lib/Kconfig.debug | 6 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 16 +- + mm/mmap.c | 576 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 4 +- + mm/page_alloc.c | 41 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 105 +- + mm/slab.h | 5 +- + mm/slab_common.c | 11 +- + mm/slob.c | 201 +- + mm/slub.c | 99 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 82 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/devinet.c | 14 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 18 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 6 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 8 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 14 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 2 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 29 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.pl | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 675 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 171 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 518 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 ++ + tools/gcc/latent_entropy_plugin.c | 327 ++ + tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2114 ++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 276 + + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1555 files changed, 30474 insertions(+), 7126 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 +Merge: 814820a 3a59a59 +Author: Brad Spengler +Date: Sun May 12 21:51:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f +Author: Brad Spengler +Date: Sun May 12 21:50:07 2013 -0400 + + Update to pax-linux-3.8.13-test24.patch: + - fixed sparc/constification compile error, reported by blake + - UDEREF/amd64 should be a bit more efficient when disabled at boot time + - fixed some unnecessary integer truncations that could trip up the size overflow plugin + + arch/arm/kernel/vmlinux.lds.S | 4 ++-- + arch/sparc/kernel/us3_cpufreq.c | 4 ++-- + arch/x86/ia32/ia32entry.S | 4 ++-- + arch/x86/include/asm/pgtable.h | 6 ++++-- + arch/x86/include/asm/uaccess.h | 6 +++--- + arch/x86/kernel/kprobes-opt.c | 4 ++++ + arch/x86/lib/copy_user_nocache_64.S | 2 +- + arch/x86/lib/getuser.S | 8 ++++---- + arch/x86/lib/putuser.S | 8 ++++---- + arch/x86/mm/fault.c | 6 +++--- + drivers/net/slip/slhc.c | 2 +- + drivers/staging/iio/ring_sw.c | 2 +- + fs/binfmt_elf.c | 6 +++--- + fs/nfsd/nfscache.c | 2 +- + fs/xattr.c | 21 +++++++++++++++++++++ + include/linux/syscalls.h | 2 +- + include/linux/xattr.h | 3 +++ + init/main.c | 3 +++ + kernel/futex_compat.c | 2 +- + kernel/trace/trace.h | 2 +- + net/socket.c | 2 +- + security/Kconfig | 2 +- + 22 files changed, 67 insertions(+), 34 deletions(-) + +commit 814820abfe5b9a34401d838b2510431a4cd92be9 +Author: Dan Carpenter +Date: Mon May 6 09:31:17 2013 +0000 + + Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa + + tipc: potential divide by zero in tipc_link_recv_fragment() + + The worry here is that fragm_sz could be zero since it comes from + skb->data. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/tipc/link.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 +Author: Dan Carpenter +Date: Mon May 6 08:28:41 2013 +0000 + + Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc + + tipc: add a bounds check in link_recv_changeover_msg() + + The bearer_id here comes from skb->data and it can be a number from 0 to + 7. The problem is that the ->links[] array has only 2 elements so I + have added a range check. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/tipc/link.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit ed0428c4ef6c5498870772f212ac651216eb8d0c +Merge: 2452d8d dbf932a +Author: Brad Spengler +Date: Sun May 12 21:18:25 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/cpu/perf_event_intel_uncore.c + arch/x86/mm/init.c + +commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 +Author: Brad Spengler +Date: Sun May 12 20:24:01 2013 -0400 + + compile fix + + grsecurity/gracl.c | 1 + + grsecurity/gracl_segv.c | 1 + + 2 files changed, 2 insertions(+), 0 deletions(-) + +commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 +Author: Brad Spengler +Date: Sun May 12 18:25:26 2013 -0400 + + fix btrfs support here as well + + grsecurity/gracl_segv.c | 17 +++++++++-------- + 1 files changed, 9 insertions(+), 8 deletions(-) + +commit c75e4664fe4d20da1639f70d9def097c4f20856b +Author: Brad Spengler +Date: Sun May 12 18:12:57 2013 -0400 + + Fix RBAC compatibility with btrfs compiled as a module, as + reported on the forums by YuHg at: + http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 + + fs/btrfs/inode.c | 11 +---------- + grsecurity/gracl.c | 19 ++++++++++--------- + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_disabled.c | 2 +- + 4 files changed, 13 insertions(+), 21 deletions(-) + +commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 +Author: Brad Spengler +Date: Sat May 11 12:12:00 2013 -0400 + + allow copies just up to the start of kernel code + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 04638852588cf243f865f5a73aa9dab94fab53b7 +Author: Brad Spengler +Date: Fri May 10 16:53:07 2013 -0400 + + MODULES_EXEC_VADDR is a virtual address + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 +Author: Brad Spengler +Date: Fri May 10 16:51:03 2013 -0400 + + exempt module rx areas from usercopy protection under i386 kernexec + their .rodata will be placed between stext/etext causing copies of + constant strings to trigger usercopy reports/terminations + + fs/exec.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da +Author: Brad Spengler +Date: Wed May 8 20:25:52 2013 -0400 + + User jorgus on the forums: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 + discovered that the upstreamed version of enforcing RLIMIT_NPROC + at setuid/exec time missed an important corner case: + If RLIMIT_NPROC is set after a setuid occurs and the user's process + limit is reached elsewhere, no enforcement of RLIMIT_NPROC will + happen at exec time for the task with a modified RLIMIT_NPROC. + + This patch fixes that. + + kernel/sys.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff +Merge: 539fff0 2452d8d +Author: Brad Spengler +Date: Wed May 8 18:13:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a +Merge: 6c850d8 9c9ab76 +Author: Brad Spengler +Date: Wed May 8 18:13:31 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/irq.c + kernel/trace/trace_stack.c + +commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a +Author: Brad Spengler +Date: Tue May 7 21:43:00 2013 -0400 + + turn counter into a flag + + grsecurity/Kconfig | 2 +- + grsecurity/grsec_chroot.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 +Author: Brad Spengler +Date: Tue May 7 21:02:39 2013 -0400 + + add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity + useful for Fedora/RHEL users + + grsecurity/Kconfig | 10 ++++++++++ + grsecurity/grsec_chroot.c | 17 +++++++++++++++-- + 2 files changed, 25 insertions(+), 2 deletions(-) + +commit 418102925c0cfb0de51b0a021abaa575e28fafa6 +Author: Peter Zijlstra +Date: Fri May 3 14:11:25 2013 +0200 + + Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 + + perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL + + We should always have proper privileges when requesting kernel + data. + + Signed-off-by: Peter Zijlstra + Cc: + Cc: Andi Kleen + Cc: eranian@google.com + Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl + [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] + Signed-off-by: Ingo Molnar + Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org + + arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- + 1 files changed, 10 insertions(+), 3 deletions(-) + +commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 +Author: Eric Dumazet +Date: Mon Apr 29 05:58:52 2013 +0000 + + Upstream commit: aebda156a570782a86fc4426842152237a19427d + + net: defer net_secret[] initialization + + Instead of feeding net_secret[] at boot time, defer the init + at the point first socket is created. + + This permits some platforms to use better entropy sources than + the ones available at boot time. + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + + include/net/secure_seq.h | 1 + + net/core/secure_seq.c | 4 +--- + net/ipv4/af_inet.c | 5 ++++- + 3 files changed, 6 insertions(+), 4 deletions(-) + +commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac +Author: Daniel Borkmann +Date: Wed May 1 02:59:23 2013 +0000 + + Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 + + net: sctp: attribute printl with __printf for gcc fmt checks + + Let GCC check for format string errors in sctp's probe printl + function. This patch fixes the warning when compiled with W=1: + + net/sctp/probe.c:73:2: warning: function might be possible candidate + for 'gnu_printf' format attribute [-Wmissing-format-attribute] + + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + net/sctp/probe.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 +Author: Brad Spengler +Date: Thu May 2 19:58:54 2013 -0400 + + remove no-longer-needed vmware 8 compat fix + + mm/page_alloc.c | 6 ------ + 1 files changed, 0 insertions(+), 6 deletions(-) + +commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 +Author: Brad Spengler +Date: Thu May 2 19:55:23 2013 -0400 + + remove unnecessary < 0 check + + net/phonet/af_phonet.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f +Author: Brad Spengler +Date: Wed May 1 18:30:48 2013 -0400 + + remove references to CONFIG_X86_WP_WORKS_OK + + arch/um/defconfig | 1 - + security/Kconfig | 2 +- + 2 files changed, 1 insertions(+), 2 deletions(-) + +commit 408da6791f93ffe00d26bfe919f1b2218fe0804d +Merge: a8dbe8e 6c850d8 +Author: Brad Spengler +Date: Wed May 1 18:28:44 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/mm/ultra.S + drivers/tty/tty_io.c + +commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf +Merge: cdbcbef 9fa1d01 +Author: Brad Spengler +Date: Wed May 1 18:25:18 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 +Author: Brad Spengler +Date: Mon Apr 29 18:44:23 2013 -0400 + + add module.h to silence compiler warning, thanks to + Sergei Trofimovich + + fs/btrfs/inode.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 55eba82aca97aa56378e000840c48965557721e8 +Author: Brad Spengler +Date: Mon Apr 29 18:43:03 2013 -0400 + + compilation fix + + kernel/trace/trace.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e3bf912b54af6df7fbebc68b5999554562056c5c +Merge: 5b72e37 cdbcbef +Author: Brad Spengler +Date: Mon Apr 29 18:34:42 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cdbcbef45c4f003cbee11e10668a35d424c17c60 +Author: Brad Spengler +Date: Mon Apr 29 18:33:35 2013 -0400 + + Update to pax-linux-3.8.10-test21.patch: + - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 + - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 + note that the false positive is not fixed yet + - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin + - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) + - reverted the nested NMI fix in search for a real one + - simplified the arm_delay_ops constification + + arch/arm/include/asm/delay.h | 8 ++++---- + arch/arm/lib/delay.c | 17 +++++------------ + arch/x86/kernel/entry_64.S | 11 ++++++++++- + arch/x86/kernel/i8259.c | 2 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kvm/vmx.c | 4 ++-- + drivers/block/pktcdvd.c | 2 +- + fs/btrfs/extent-tree.c | 2 +- + fs/nfsd/nfscache.c | 6 ++++-- + kernel/trace/trace.c | 2 +- + tools/gcc/structleak_plugin.c | 4 ++++ + 11 files changed, 34 insertions(+), 26 deletions(-) + +commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 +Author: Brad Spengler +Date: Fri Apr 26 20:53:06 2013 -0400 + + don't use file_inode() + + drivers/tty/tty_io.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 +Author: Jiri Slaby +Date: Fri Apr 26 13:48:53 2013 +0200 + + Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee + + TTY: fix atime/mtime regression + + In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") + we removed timestamps from tty inodes to fix a security issue and waited + if something breaks. Well, 'w', the utility to find out logged users + and their inactivity time broke. It shows that users are inactive since + the time they logged in. + + To revert to the old behaviour while still preventing attackers to + guess the password length, we update the timestamps in one-minute + intervals by this patch. + + Signed-off-by: Jiri Slaby + Cc: Greg Kroah-Hartman + Signed-off-by: Linus Torvalds + + Conflicts: + + drivers/tty/tty_io.c + + drivers/tty/tty_io.c | 15 ++++++++++++++- + 1 files changed, 14 insertions(+), 1 deletions(-) + +commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec +Author: Jiri Slaby +Date: Fri Feb 15 15:25:05 2013 +0100 + + Upstream commit: b0de59b5733d + + TTY: do not update atime/mtime on read/write + + On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find + out length of a password using timestamps of /dev/ptmx. It is + documented in "Timing Analysis of Keystrokes and Timing Attacks on + SSH". To avoid that problem, do not update time when reading + from/writing to a TTY. + + I am afraid of regressions as this is a behavior we have since 0.97 + and apps may expect the time to be current, e.g. for monitoring + whether there was a change on the TTY. Now, there is no change. So + this would better have a lot of testing before it goes upstream. + + References: CVE-2013-0160 + + Signed-off-by: Jiri Slaby + Cc: stable # after 3.9 is out + Signed-off-by: Greg Kroah-Hartman + + drivers/tty/tty_io.c | 8 ++------ + 1 files changed, 2 insertions(+), 6 deletions(-) + +commit 5344a24e2320d61dbdb88aae04922f0799deefd0 +Author: Zhao Hongjiang +Date: Fri Apr 26 11:03:53 2013 +0800 + + Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad + + aio: fix possible invalid memory access when DEBUG is enabled + + dprintk() shouldn't access @ring after it's unmapped. + + Signed-off-by: Zhao Hongjiang + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + fs/aio.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 +Author: John David Anglin +Date: Tue Apr 23 22:42:07 2013 +0200 + + Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 + + parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates + + User applications running on SMP kernels have long suffered from instability + and random segmentation faults. This patch improves the situation although + there is more work to be done. + + One of the problems is the various routines in pgtable.h that update page table + entries use different locking mechanisms, or no lock at all (set_pte_at). This + change modifies the routines to all use the same lock pa_dbit_lock. This lock + is used for dirty bit updates in the interruption code. The patch also purges + the TLB entries associated with the PTE to ensure that inconsistent values are + not used after the page table entry is updated. The UP and SMP code are now + identical. + + The change also includes a minor update to the purge_tlb_entries function in + cache.c to improve its efficiency. + + Signed-off-by: John David Anglin + Cc: Helge Deller + Signed-off-by: Helge Deller + + arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- + arch/parisc/kernel/cache.c | 5 +--- + 2 files changed, 26 insertions(+), 26 deletions(-) + +commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 +Merge: ba54c97 4d05084 +Author: Brad Spengler +Date: Fri Apr 26 18:17:20 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kvm/x86.c + include/linux/capability.h + +commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 +Merge: c664779 bb8dd67 +Author: Brad Spengler +Date: Fri Apr 26 18:15:45 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 +Author: David S. Miller +Date: Wed Apr 24 16:52:18 2013 -0700 + + Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee + + sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. + + Reported-by: Meelis Roos + Signed-off-by: David S. Miller + + arch/sparc/mm/tlb.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 +Author: David S. Miller +Date: Fri Apr 19 17:26:26 2013 -0400 + + Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 + + sparc64: Fix race in TLB batch processing. + + As reported by Dave Kleikamp, when we emit cross calls to do batched + TLB flush processing we have a race because we do not synchronize on + the sibling cpus completing the cross call. + + So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) + and either flushes are missed or flushes will flush the wrong + addresses. + + Fix this by using generic infrastructure to synchonize on the + completion of the cross call. + + This first required getting the flush_tlb_pending() call out from + switch_to() which operates with locks held and interrupts disabled. + The problem is that smp_call_function_many() cannot be invoked with + IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). + + We get the batch processing outside of locked IRQ disabled sections by + using some ideas from the powerpc port. Namely, we only batch inside + of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a + region, we flush TLBs synchronously. + + 1) Get rid of xcall_flush_tlb_pending and per-cpu type + implementations. + + 2) Do TLB batch cross calls instead via: + + smp_call_function_many() + tlb_pending_func() + __flush_tlb_pending() + + 3) Batch only in lazy mmu sequences: + + a) Add 'active' member to struct tlb_batch + b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE + c) Set 'active' in arch_enter_lazy_mmu_mode() + d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() + e) Check 'active' in tlb_batch_add_one() and do a synchronous + flush if it's clear. + + 4) Add infrastructure for synchronous TLB page flushes. + + a) Implement __flush_tlb_page and per-cpu variants, patch + as needed. + b) Likewise for xcall_flush_tlb_page. + c) Implement smp_flush_tlb_page() to invoke the cross-call. + d) Wire up global_flush_tlb_page() to the right routine based + upon CONFIG_SMP + + 5) It turns out that singleton batches are very common, 2 out of every + 3 batch flushes have only a single entry in them. + + The batch flush waiting is very expensive, both because of the poll + on sibling cpu completeion, as well as because passing the tlb batch + pointer to the sibling cpus invokes a shared memory dereference. + + Therefore, in flush_tlb_pending(), if there is only one entry in + the batch perform a completely asynchronous global_flush_tlb_page() + instead. + + Reported-by: Dave Kleikamp + Signed-off-by: David S. Miller + Acked-by: Dave Kleikamp + + arch/sparc/include/asm/pgtable_64.h | 1 + + arch/sparc/include/asm/switch_to_64.h | 3 +- + arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- + arch/sparc/kernel/smp_64.c | 41 ++++++++++- + arch/sparc/mm/tlb.c | 38 +++++++++- + arch/sparc/mm/tsb.c | 57 ++++++++++++---- + arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- + 7 files changed, 241 insertions(+), 55 deletions(-) + +commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 +Author: Linus Torvalds +Date: Fri Apr 19 15:32:32 2013 +0000 + + Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 + + net: fix incorrect credentials passing + + Commit 257b5358b32f ("scm: Capture the full credentials of the scm + sender") changed the credentials passing code to pass in the effective + uid/gid instead of the real uid/gid. + + Obviously this doesn't matter most of the time (since normally they are + the same), but it results in differences for suid binaries when the wrong + uid/gid ends up being used. + + This just undoes that (presumably unintentional) part of the commit. + + Reported-by: Andy Lutomirski + Cc: Eric W. Biederman + Cc: Serge E. Hallyn + Cc: David S. Miller + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + Acked-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + include/net/scm.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 +Author: Brad Spengler +Date: Thu Apr 18 19:22:40 2013 -0400 + + move _etext to only cover kernel code, not read-only data, as reported by Gu1 + + arch/arm/kernel/vmlinux.lds.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 98ad6adbc48759e4f9eae435d3e51ba487155685 +Author: Brad Spengler +Date: Thu Apr 18 19:17:24 2013 -0400 + + add asm/sections.h for USERCOPY change + + fs/exec.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 +Author: Dmitry Popov +Date: Thu Apr 11 08:55:07 2013 +0000 + + Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 + + tcp: incoming connections might use wrong route under synflood + + There is a bug in cookie_v4_check (net/ipv4/syncookies.c): + flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), + RT_SCOPE_UNIVERSE, IPPROTO_TCP, + inet_sk_flowi_flags(sk), + (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, + ireq->loc_addr, th->source, th->dest); + + Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be + taken. This dst_entry is used by new socket (get_cookie_sock -> + tcp_v4_syn_recv_sock), so its packets may take the wrong path. + + Signed-off-by: Dmitry Popov + Signed-off-by: David S. Miller + + net/ipv4/syncookies.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 3600395e8fef3ae712e72f9b68c3609639616df8 +Author: Thomas Graf +Date: Thu Apr 11 10:57:18 2013 +0000 + + Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 + + tcp: Reallocate headroom if it would overflow csum_start + + If a TCP retransmission gets partially ACKed and collapsed multiple + times it is possible for the headroom to grow beyond 64K which will + overflow the 16bit skb->csum_start which is based on the start of + the headroom. It has been observed rarely in the wild with IPoIB due + to the 64K MTU. + + Verify if the acking and collapsing resulted in a headroom exceeding + what csum_start can cover and reallocate the headroom if so. + + A big thank you to Jim Foraker and the team at + LLNL for helping out with the investigation and testing. + + Reported-by: Jim Foraker + Signed-off-by: Thomas Graf + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/tcp_output.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 +Author: Ivan Vecera +Date: Fri Apr 12 16:49:24 2013 +0200 + + Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f + + be2net: take care of __vlan_put_tag return value + + The driver should use return value of __vlan_put_tag with appropriate + NULL-check instead of old skb pointer. + + Signed-off-by: Ivan Vecera + Signed-off-by: David S. Miller + + drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 +Author: Wei Yongjun +Date: Fri Apr 12 03:17:12 2013 +0000 + + Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 + + tuntap: fix error return code in tun_set_iff() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + [ Bug added in linux-3.8 , commit 4008e97f866db665 + ("tuntap: fix ambigious multiqueue API") ] + + Signed-off-by: Wei Yongjun + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + drivers/net/tun.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c +Author: Wei Yongjun +Date: Sat Apr 13 15:49:03 2013 +0000 + + Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 + + esp4: fix error return code in esp_output() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + Signed-off-by: Wei Yongjun + Acked-by: Steffen Klassert + Signed-off-by: David S. Miller + + net/ipv4/esp4.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 2b45b5f52c2a8930f80c62de392a62516c83e225 +Author: Bjørn Mork +Date: Tue Apr 16 00:17:07 2013 +0000 + + Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 + + net: cdc_mbim: remove bogus sizeof() + + The intention was to test against the constant, not the size of + the constant. + + Signed-off-by: Bjørn Mork + Signed-off-by: David S. Miller + + drivers/net/usb/cdc_mbim.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 17d7408795519037a5a1272c7888238e20830bfe +Author: Vyacheslav Dubeyko +Date: Wed Apr 17 15:58:33 2013 -0700 + + Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 + + hfsplus: fix potential overflow in hfsplus_file_truncate() + + Change a u32 to loff_t hfsplus_file_truncate(). + + Signed-off-by: Vyacheslav Dubeyko + Cc: Christoph Hellwig + Cc: Al Viro + Cc: Hin-Tak Leung + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/hfsplus/extents.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b +Author: Emese Revfy +Date: Wed Apr 17 15:58:36 2013 -0700 + + Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f + + kernel/signal.c: stop info leak via the tkill and the tgkill syscalls + + This fixes a kernel memory contents leak via the tkill and tgkill syscalls + for compat processes. + + This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field + when handling signals delivered from tkill. + + The place of the infoleak: + + int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) + { + ... + put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); + ... + } + + Signed-off-by: Emese Revfy + Reviewed-by: PaX Team + Signed-off-by: Kees Cook + Cc: Al Viro + Cc: Oleg Nesterov + Cc: "Eric W. Biederman" + Cc: Serge Hallyn + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/signal.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 +Author: Brad Spengler +Date: Wed Apr 17 20:17:00 2013 -0400 + + Improve PAX_USERCOPY to reject direct copies to/from main kernel text + + fs/exec.c | 29 +++++++++++++++++++++++++++-- + 1 files changed, 27 insertions(+), 2 deletions(-) + +commit 3cb37d0c0c77dc3928ff8417f982139f95366eba +Merge: e87c19f c664779 +Author: Brad Spengler +Date: Wed Apr 17 20:06:08 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c664779987cb0c27a242029f0e0db812e3236203 +Author: Brad Spengler +Date: Wed Apr 17 19:54:09 2013 -0400 + + add intentional_overflow marking for resource_size() as reasoned by: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 + + include/linux/ioport.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e87c19f8312355b8658e5138c16bfa6043a379c8 +Merge: 802d119 d0c636c +Author: Brad Spengler +Date: Wed Apr 17 16:57:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d0c636ceaaf406e606898ce3e770e32fb043ea8a +Merge: bc88628 2396403 +Author: Brad Spengler +Date: Wed Apr 17 16:57:01 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/paravirt.c + +commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b +Author: Brad Spengler +Date: Sun Apr 14 21:39:51 2013 -0400 + + move location of RBAC user check on setfsuid until after capability checks + for consistency with other checks + + kernel/sys.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 1a860d7d67051559ab2e6d10f9888649c92904e6 +Author: Brad Spengler +Date: Sun Apr 14 21:34:46 2013 -0400 + + A denied setfsuid by the RBAC system would result in an abort_creds() being called + with an uninitalized pointer, introduced by a bad forward-port + + kernel/sys.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 +Merge: c38d142 bc88628 +Author: Brad Spengler +Date: Sun Apr 14 21:28:33 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit bc88628a6a8fcccaabb90908640809b0540df225 +Author: Brad Spengler +Date: Sun Apr 14 21:26:41 2013 -0400 + + Update to pax-linux-3.8.7-test20.patch: + - fixed KERNEXEC and NMI nesting problem reported by stef&hunger + - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 + - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) + - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) + + arch/powerpc/include/asm/smp.h | 2 +- + arch/x86/Kconfig | 4 ++-- + arch/x86/kernel/entry_64.S | 8 ++++---- + security/Kconfig | 2 +- + 4 files changed, 8 insertions(+), 8 deletions(-) + +commit c38d142744489fc4d9be80188b6435a278438fd9 +Author: Suleiman Souhlal +Date: Sat Apr 13 16:03:06 2013 -0700 + + Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 + + vfs: Revert spurious fix to spinning prevention in prune_icache_sb + + Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). + + This commit doesn't look right: since we are looking at the tail of the + list (sb->s_inode_lru.prev) if we want to skip an inode, we should put + it back at the head of the list instead of the tail, otherwise we will + keep spinning on it. + + Discovered when investigating why prune_icache_sb came top in perf + reports of a swapping load. + + Signed-off-by: Suleiman Souhlal + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org # v3.2+ + Signed-off-by: Linus Torvalds + + fs/inode.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 93019624b80ba59798393942798d7f6ed0c1dbc6 +Author: Linus Torvalds +Date: Sat Apr 13 15:15:30 2013 -0700 + + Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 + + kobject: fix kset_find_obj() race with concurrent last kobject_put() + + Anatol Pomozov identified a race condition that hits module unloading + and re-loading. To quote Anatol: + + "This is a race codition that exists between kset_find_obj() and + kobject_put(). kset_find_obj() might return kobject that has refcount + equal to 0 if this kobject is freeing by kobject_put() in other + thread. + + Here is timeline for the crash in case if kset_find_obj() searches for + an object tht nobody holds and other thread is doing kobject_put() on + the same kobject: + + THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) + splin_lock() + atomic_dec_return(kobj->kref), counter gets zero here + ... starts kobject cleanup .... + spin_lock() // WAIT thread A in kobj_kset_leave() + iterate over kset->list + atomic_inc(kobj->kref) (counter becomes 1) + spin_unlock() + spin_lock() // taken + // it does not know that thread A increased counter so it + remove obj from list + spin_unlock() + vfree(module) // frees module object with containing kobj + + // kobj points to freed memory area!! + kobject_put(kobj) // OOPS!!!! + + The race above happens because module.c tries to use kset_find_obj() + when somebody unloads module. The module.c code was introduced in + commit 6494a93d55fa" + + Anatol supplied a patch specific for module.c that worked around the + problem by simply not using kset_find_obj() at all, but rather than make + a local band-aid, this just fixes kset_find_obj() to be thread-safe + using the proper model of refusing the get a new reference if the + refcount has already dropped to zero. + + See examples of this proper refcount handling not only in the kref + documentation, but in various other equivalent uses of this pattern by + grepping for atomic_inc_not_zero(). + + [ Side note: the module race does indicate that module loading and + unloading is not properly serialized wrt sysfs information using the + module mutex. That may require further thought, but this is the + correct fix at the kobject layer regardless. ] + + Reported-analyzed-and-tested-by: Anatol Pomozov + Cc: Greg Kroah-Hartman + Cc: Al Viro + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + lib/kobject.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +commit 5277b052b5fab36729e1255fb3b12f47a4b12867 +Author: Dave Hansen +Date: Fri Apr 12 16:23:54 2013 -0700 + + Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 + + x86-32: Fix possible incomplete TLB invalidate with PAE pagetables + + This patch attempts to fix: + + https://bugzilla.kernel.org/show_bug.cgi?id=56461 + + The symptom is a crash and messages like this: + + chrome: Corrupted page table at address 34a03000 + *pdpt = 0000000000000000 *pde = 0000000000000000 + Bad pagetable: 000f [#1] PREEMPT SMP + + Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: + enable tlb flush range support for x86") since that code started to free + unused pagetables. + + On x86-32 PAE kernels, that new code has the potential to free an entire + PMD page and will clear one of the four page-directory-pointer-table + (aka pgd_t entries). + + The hardware aggressively "caches" these top-level entries and invlpg + does not actually affect the CPU's copy. If we clear one we *HAVE* to + do a full TLB flush, otherwise we might continue using a freed pmd page. + (note, we do this properly on the population side in pud_populate()). + + This patch tracks whenever we clear one of these entries in the 'struct + mmu_gather', and ensures that we follow up with a full tlb flush. + + BTW, I disassembled and checked that: + + if (tlb->fullmm == 0) + and + if (!tlb->fullmm && !tlb->need_flush_all) + + generate essentially the same code, so there should be zero impact there + to the !PAE case. + + Signed-off-by: Dave Hansen + Cc: Peter Anvin + Cc: Ingo Molnar + Cc: Artem S Tashkinov + Signed-off-by: Linus Torvalds + + arch/x86/include/asm/tlb.h | 2 +- + arch/x86/mm/pgtable.c | 7 +++++++ + include/asm-generic/tlb.h | 7 ++++++- + mm/memory.c | 1 + + 4 files changed, 15 insertions(+), 2 deletions(-) + +commit 521e573fc77d1783c1d4636dfbb4617a922f043d +Merge: 032f626 f807619 +Author: Brad Spengler +Date: Fri Apr 12 19:29:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f80761993b85df96fc142dfc3a317cadc0f8eae5 +Author: Brad Spengler +Date: Fri Apr 12 19:28:21 2013 -0400 + + Update to pax-linux-3.8.7-test19.patch: + - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld + - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) + - fixed the structleak plugin to compile for gcc 4.5-4.6 as well + + Makefile | 2 +- + arch/x86/xen/enlighten.c | 6 +++--- + tools/gcc/structleak_plugin.c | 5 +++-- + 3 files changed, 7 insertions(+), 6 deletions(-) + +commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 +Merge: a3a770e 89886f5 +Author: Brad Spengler +Date: Fri Apr 12 18:38:40 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89886f561cc0d1c42a99624ec8c3704711088155 +Merge: 9123489 531ec28 +Author: Brad Spengler +Date: Fri Apr 12 18:38:30 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit a3a770e18578841e4fbe2aa0831a22811b4812cf +Author: Brad Spengler +Date: Thu Apr 11 20:46:20 2013 -0400 + + Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" + Will be fixed with the next PaX patch + + This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 +Author: Konrad Rzeszutek Wilk +Date: Fri Mar 29 10:20:56 2013 -0400 + + Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 + + xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. + + Occassionaly on a DL380 G4 the guest would crash quite early with this: + + (XEN) d244:v0: unhandled page fault (ec=0003) + (XEN) Pagetable walk from ffffffff84dc7000: + (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 + (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d + (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def + (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 + (XEN) domain_crash_sync called from entry.S + (XEN) Domain 244 (vcpu#0) crashed on cpu#3: + (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- + (XEN) CPU: 3 + (XEN) RIP: e033:[] + (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest + (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f + (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 + + The offending code shows it to be a loop writting the value zero + (%rax) in the %rdi (the L4 provided by Xen) register: + + 0: 44 00 00 add %r8b,(%rax) + 3: 31 c0 xor %eax,%eax + 5: b9 40 00 00 00 mov $0x40,%ecx + a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) + 11: 00 00 + 13: ff c9 dec %ecx + 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction + 18: 48 89 47 08 mov %rax,0x8(%rdi) + 1c: 48 89 47 10 mov %rax,0x10(%rdi) + + which fails. xen_setup_kernel_pagetable recycles some of the Xen's + page-table entries when it has switched over to its Linux page-tables. + + Right before try to clear the page, we make a hypercall to change + it from _RO to _RW and that works (otherwise we would hit an BUG()). + And the _RW flag is set for that page: + (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 + + The error code is 3, so PFEC_page_present and PFEC_write_access, so page is + present (correct), and we tried to write to the page, but a violation + occurred. The one theory is that the the page entries in hardware + (which are cached) are not up to date with what we just set. Especially + as we have just done an CR3 write and flushed the multicalls. + + This patch does solve the problem by flusing out the TLB page + entry after changing it from _RO to _RW and we don't hit this + issue anymore. + + Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO + 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] + Reported-and-Tested-by: Saar Maoz + Signed-off-by: Konrad Rzeszutek Wilk + + arch/x86/xen/mmu.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 +Author: Namhyung Kim +Date: Mon Apr 1 21:46:23 2013 +0900 + + Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 + + tracing: Fix double free when function profile init failed + + On the failure path, stat->start and stat->pages will refer same page. + So it'll attempt to free the same page again and get kernel panic. + + Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org + + Cc: Frederic Weisbecker + Cc: Namhyung Kim + Cc: stable@vger.kernel.org + Signed-off-by: Namhyung Kim + Signed-off-by: Steven Rostedt + + kernel/trace/ftrace.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb +Author: Neil Horman +Date: Tue Apr 9 23:19:00 2013 +0000 + + Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 + + e100: Add dma mapping error check + + e100 uses pci_map_single, but fails to check for a dma mapping error after its + use, resulting in a stack trace: + + [ 46.656594] ------------[ cut here ]------------ + [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() + [ 46.657004] Hardware name: To Be Filled By O.E.M. + [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map + error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] + [ 46.657004] Modules linked in: + [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus + snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc + e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp + k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd + sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit + drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core + sata_promise crc_itu_t + [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 + [ 46.657004] Call Trace: + [ 46.657004] [] warn_slowpath_common+0x70/0xa0 + [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 + [ 46.657004] [] check_unmap+0x47b/0x950 + [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 + [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] + [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] + [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] + [ 46.657004] [] ? net_rx_action+0xa1/0x370 + [ 46.657004] [] net_rx_action+0x172/0x370 + [ 46.657004] [] __do_softirq+0xef/0x3d0 + [ 46.657004] [] call_softirq+0x1c/0x30 + [ 46.657004] [] do_softirq+0x85/0xc0 + [ 46.657004] [] irq_exit+0xd5/0xe0 + [ 46.657004] [] do_IRQ+0x56/0xc0 + [ 46.657004] [] common_interrupt+0x72/0x72 + [ 46.657004] [] ? + _raw_spin_unlock_irqrestore+0x3b/0x70 + [ 46.657004] [] __slab_free+0x58/0x38b + [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 + [ 46.657004] [] ? kmem_cache_free+0x97/0x320 + [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 + [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 + [ 46.657004] [] kmem_cache_free+0x312/0x320 + [ 46.657004] [] sock_destroy_inode+0x34/0x40 + [ 46.657004] [] destroy_inode+0x38/0x60 + [ 46.657004] [] evict+0x10e/0x1a0 + [ 46.657004] [] iput+0xf5/0x180 + [ 46.657004] [] dput+0x248/0x310 + [ 46.657004] [] __fput+0x171/0x240 + [ 46.657004] [] ____fput+0xe/0x10 + [ 46.657004] [] task_work_run+0xac/0xe0 + [ 46.657004] [] do_exit+0x26d/0xc30 + [ 46.657004] [] ? finish_task_switch+0x7c/0x120 + [ 46.657004] [] ? retint_swapgs+0x13/0x1b + [ 46.657004] [] do_group_exit+0x49/0xc0 + [ 46.657004] [] sys_exit_group+0x14/0x20 + [ 46.657004] [] system_call_fastpath+0x16/0x1b + [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- + [ 46.657004] Mapped at: + [ 46.657004] [] debug_dma_map_page+0x91/0x140 + [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] + [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] + [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] + [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 + + Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the + dma_mapping_error check in the obvious place + + This was reported previously here: + http://article.gmane.org/gmane.linux.network/257893 + + But nobody stepped up and fixed it. + + CC: Josh Boyer + CC: e1000-devel@lists.sourceforge.net + Signed-off-by: Neil Horman + Reported-by: Michal Jaegermann + Tested-by: Aaron Brown + Signed-off-by: Jeff Kirsher + Signed-off-by: David S. Miller + + drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- + 1 files changed, 25 insertions(+), 11 deletions(-) + +commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 +Author: Trond Myklebust +Date: Wed Apr 10 12:44:18 2013 -0400 + + Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 + + NFSv4: Doh! Typo in the fix to nfs41_walk_client_list + + Make sure that we set the status to 0 on success. Missed in testing + because it never appears when doing multiple mounts to _different_ + servers. + + Signed-off-by: Trond Myklebust + Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list + + fs/nfs/nfs4client.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea +Author: Yuval Mintz +Date: Wed Apr 10 13:34:39 2013 +0300 + + Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b + + bnx2x: Prevent null pointer dereference in AFEX mode + + The cnic module is responsible for initializing various bnx2x structs + via callbacks provided by the bnx2x module. + One such struct is the queue object for the FCoE queue. + + If a device is working in AFEX mode and its configuration allows FCoE yet + the cnic module is not loaded, it's very likely a null pointer dereference + will occur, as the bnx2x will erroneously access the FCoE's queue object. + + Prevent said access until cnic properly registers itself. + + Signed-off-by: Yuval Mintz + Signed-off-by: Ariel Elior + Signed-off-by: Eilon Greenstein + Signed-off-by: David S. Miller + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 2908830232725db624aaa052f7ad38d1f98bf541 +Author: Wei Yongjun +Date: Tue Apr 9 14:16:04 2013 +0800 + + Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc + + can: gw: use kmem_cache_free() instead of kfree() + + Memory allocated by kmem_cache_alloc() should be freed using + kmem_cache_free(), not kfree(). + + Cc: linux-stable # >= v3.2 + Signed-off-by: Wei Yongjun + Acked-by: Oliver Hartkopp + Signed-off-by: Marc Kleine-Budde + + net/can/gw.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit d40b572e845a5fb561e3c4a80cc306cd38888a4e +Author: Christoph Paasch +Date: Sun Apr 7 04:53:15 2013 +0000 + + Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd + + ipv6/tcp: Stop processing ICMPv6 redirect messages + + Tetja Rediske found that if the host receives an ICMPv6 redirect message + after sending a SYN+ACK, the connection will be reset. + + He bisected it down to 093d04d (ipv6: Change skb->data before using + icmpv6_notify() to propagate redirect), but the origin of the bug comes + from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error + handlers.). The bug simply did not trigger prior to 093d04d, because + skb->data did not point to the inner IP header and thus icmpv6_notify + did not call the correct err_handler. + + This patch adds the missing "goto out;" in tcp_v6_err. After receiving + an ICMPv6 Redirect, we should not continue processing the ICMP in + tcp_v6_err, as this may trigger the removal of request-socks or setting + sk_err(_soft). + + Reported-by: Tetja Rediske + Signed-off-by: Christoph Paasch + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv6/tcp_ipv6.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c7d5c2524456ef3ea9194840e7a9a75069a46824 +Author: Brad Spengler +Date: Wed Apr 10 20:32:54 2013 -0400 + + - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit acac2380fd97acee4367d2aa24c74322dcf1d22b +Author: Trond Myklebust +Date: Fri Apr 5 16:11:11 2013 -0400 + + Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc + + NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list + + It is unsafe to use list_for_each_entry_safe() here, because + when we drop the nn->nfs_client_lock, we pin the _current_ list + entry and ensure that it stays in the list, but we don't do the + same for the _next_ list entry. Use of list_for_each_entry() is + therefore the correct thing to do. + + Also fix the refcounting in nfs41_walk_client_list(). + + Finally, ensure that the nfs_client has finished being initialised + and, in the case of NFSv4.1, that the session is set up. + + Signed-off-by: Trond Myklebust + Cc: Chuck Lever + Cc: Bryan Schumaker + Cc: stable@vger.kernel.org [>= 3.7] + + fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- + 1 files changed, 28 insertions(+), 16 deletions(-) + +commit a6cf5f387b882ac0ce655b75f623f86c075517be +Author: Chuck Lever +Date: Fri Mar 22 12:52:59 2013 -0400 + + Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e + + SUNRPC: Remove extra xprt_put() + + While testing error cases where rpc_new_client() fails, I saw + some oopses. + + If rpc_new_client() fails, it already invokes xprt_put(). Thus + __rpc_clone_client() does not need to invoke it again. + + Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" + Fri Sep 14, 2012. + + Signed-off-by: Chuck Lever + Cc: stable@vger.kernel.org [>=3.7] + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 +Author: Trond Myklebust +Date: Fri Apr 5 14:13:21 2013 -0400 + + Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 + + SUNRPC: Fix a potential memory leak in rpc_new_client + + If the call to rpciod_up() fails, we currently leak a reference to the + struct rpc_xprt. + As part of the fix, we also remove the redundant check for xprt!=NULL. + This is already taken care of by the callers. + + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 7 ++----- + 1 files changed, 2 insertions(+), 5 deletions(-) + +commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac +Author: Brad Spengler +Date: Wed Apr 10 19:16:05 2013 -0400 + + From https://lkml.org/lkml/2013/4/8/469: + [PATCH] rtnetlink: call nlmsg_parse() with correct header length + + net/core/rtnetlink.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9529169b8c405874fd543b785f53c74fa0501c2a +Author: Christopher Harvey +Date: Fri Apr 5 10:51:15 2013 -0400 + + Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 + + drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. + + This change properly enables the "requester" in G200ER cards that is + responsible for getting pixels out of memory and clocking them out to + the screen. + + Signed-off-by: Christopher Harvey + Cc: stable@vger.kernel.org + Signed-off-by: Dave Airlie + + drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- + 1 files changed, 3 insertions(+), 10 deletions(-) + +commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a +Author: Al Viro +Date: Thu Mar 28 13:30:23 2013 -0400 + + Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee + + ecryptfs: close rmmod race + + Signed-off-by: Al Viro + + fs/ecryptfs/miscdev.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b +Author: Brad Spengler +Date: Wed Apr 10 19:03:45 2013 -0400 + + Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 + + arch/ia64/kernel/palinfo.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 83280e384ae3ceadad30369ced111dc7d4b46085 +Author: Andrey Vagin +Date: Tue Apr 9 17:33:29 2013 +0400 + + Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 + + mnt: release locks on error path in do_loopback + + do_loopback calls lock_mount(path) and forget to unlock_mount + if clone_mnt or copy_mnt fails. + + [ 77.661566] ================================================ + [ 77.662939] [ BUG: lock held when returning to user space! ] + [ 77.664104] 3.9.0-rc5+ #17 Not tainted + [ 77.664982] ------------------------------------------------ + [ 77.666488] mount/514 is leaving the kernel with locks still held! + [ 77.668027] 2 locks held by mount/514: + [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 + [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 + + Signed-off-by: Andrey Vagin + Signed-off-by: Al Viro + + fs/namespace.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 679e536b9d9536d804f049fe942367a596253e6d +Author: Alex Williamson +Date: Tue Mar 26 11:33:16 2013 -0600 + + Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c + + vfio-pci: Fix possible integer overflow + + The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both + of which are unsigned. We attempt to bounds check these, but fail to + account for the case where start is a very large number, allowing + start + count to wrap back into the valid range. Bounds check both + start and start + count. + + Reported-by: Dan Carpenter + Signed-off-by: Alex Williamson + + drivers/vfio/pci/vfio_pci.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 +Author: Brad Spengler +Date: Wed Apr 10 18:48:45 2013 -0400 + + Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b5261a6384ee42499b29495aaae40b271e77d394 +Author: Brad Spengler +Date: Tue Apr 9 17:30:45 2013 -0400 + + some undefined behavior fixups + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_ip.c | 10 +++++----- + grsecurity/gracl_segv.c | 4 ++-- + 3 files changed, 9 insertions(+), 9 deletions(-) + +commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 +Author: Brad Spengler +Date: Tue Apr 9 17:28:54 2013 -0400 + + don't whine about denied ipv6 when it's not enabled + + grsecurity/gracl_ip.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 +Merge: 97bca88 9123489 +Author: Brad Spengler +Date: Tue Apr 9 17:18:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 9123489428c58668a89f316db6619739cbdd2c2a +Author: Brad Spengler +Date: Tue Apr 9 17:17:46 2013 -0400 + + Update to pax-linux-3.8.6-test18.patch: + - new size overflow plugin from Emese to work around a gcc optimization + resulting in an intentional overflow, reported by Carlos Carvalho + (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) + + tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- + 1 files changed, 66 insertions(+), 2 deletions(-) + +commit 97bca8889e0f1e853f16b7026c39c6729a8587ab +Merge: 675a41e e9d6073 +Author: Brad Spengler +Date: Mon Apr 8 21:32:59 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/kernel/us3_cpufreq.c + +commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef +Author: Brad Spengler +Date: Mon Apr 8 21:19:03 2013 -0400 + + Update to pax-linux-3.8.6-test17.patch: + - fixed ia64/ppc/sparc compilation by spender + - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) + + arch/ia64/include/asm/uaccess.h | 2 - + arch/powerpc/include/asm/uaccess.h | 2 - + arch/sparc/include/asm/uaccess.h | 7 ---- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- + tools/gcc/structleak_plugin.c | 15 ++++---- + 6 files changed, 28 insertions(+), 69 deletions(-) + +commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b +Author: Brad Spengler +Date: Sun Apr 7 12:00:50 2013 -0400 + + fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin + + net/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5a216624a06429488f24ce47db093da042f90e48 +Author: Brad Spengler +Date: Sat Apr 6 13:22:24 2013 -0400 + + fix typo + + arch/sparc/kernel/us3_cpufreq.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit e476ca18d21788898cd3acd1b57049971a2fb70f +Author: Brad Spengler +Date: Sat Apr 6 13:16:13 2013 -0400 + + properly fix cpufreq_driver for ultrasparc III with constification + + arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ + 1 files changed, 17 insertions(+), 18 deletions(-) + +commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae +Author: Brad Spengler +Date: Sat Apr 6 12:58:48 2013 -0400 + + mark prom_sparc_ops __initconst + + arch/sparc/kernel/prom_common.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 +Author: Brad Spengler +Date: Sat Apr 6 12:53:16 2013 -0400 + + fix ia64/powerpc/sparc compilation + + arch/ia64/include/asm/uaccess.h | 2 -- + arch/powerpc/include/asm/uaccess.h | 2 -- + arch/sparc/include/asm/uaccess.h | 7 ------- + 3 files changed, 0 insertions(+), 11 deletions(-) + +commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 +Author: Johannes Berg +Date: Tue Mar 19 20:26:57 2013 +0100 + + Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d + + cfg80211: fix wdev tracing crash + + Arend reported a crash in tracing if the driver returns an + ERR_PTR() value from the add_virtual_intf() callback. This + is due to the tracing then still attempting to dereference + the "pointer", fix this by using IS_ERR_OR_NULL(). + + Reported-by: Arend van Spriel + Tested-by: Arend van Spriel + Signed-off-by: Johannes Berg + + net/wireless/trace.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd +Author: Johannes Berg +Date: Mon Mar 25 11:51:14 2013 +0100 + + Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b + + mac80211: fix remain-on-channel cancel crash + + If a ROC item is canceled just as it expires, the work + struct may be scheduled while it is running (and waiting + for the mutex). This results in it being run after being + freed, which obviously crashes. + + To fix this don't free it when aborting is requested but + instead mark it as "to be freed", which makes the work a + no-op and allows freeing it outside. + + Cc: stable@vger.kernel.org [3.6+] + Reported-by: Jouni Malinen + Tested-by: Jouni Malinen + Signed-off-by: Johannes Berg + + net/mac80211/cfg.c | 6 ++++-- + net/mac80211/ieee80211_i.h | 3 ++- + net/mac80211/offchannel.c | 23 +++++++++++++++++------ + 3 files changed, 23 insertions(+), 9 deletions(-) + +commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 +Author: Stone Piao +Date: Fri Mar 29 19:21:21 2013 -0700 + + Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f + + mwifiex: limit channel number not to overflow memory + + Limit the channel number in scan request, or the driver scan + config structure memory will be overflowed. + + Cc: # 3.5+ + Signed-off-by: Stone Piao + Signed-off-by: Bing Zhao + Signed-off-by: John W. Linville + + drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 207c411512bdaf0e4271f93ecac6ca26588da36f +Author: Gao feng +Date: Thu Mar 21 19:48:41 2013 +0000 + + Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe + + netfilter: reset nf_trace in nf_reset + + We forgot to clear the nf_trace of sk_buff in nf_reset, + When we use veth device, this nf_trace information will + be leaked from one net namespace to another net namespace. + + Signed-off-by: Gao feng + Signed-off-by: Pablo Neira Ayuso + + include/linux/skbuff.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f +Author: Wei Yongjun +Date: Fri Mar 22 01:28:18 2013 +0000 + + Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c + + netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + Signed-off-by: Wei Yongjun + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_queue_core.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit a79feb7d3251eca577d83d7f69eee2b961ab2924 +Author: Pablo Neira Ayuso +Date: Sat Mar 23 16:57:59 2013 +0100 + + Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 + + netfilter: nfnetlink_acct: return -EINVAL if object name is empty + + If user-space tries to create accounting object with an empty + name, then return -EINVAL. + + Reported-by: Michael Zintakis + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_acct.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 +Author: Matthias Schiffer +Date: Sat Mar 30 10:23:12 2013 +0000 + + Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 + + netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths + + The bitmask used for the prefix mangling was being calculated + incorrectly, leading to the wrong part of the address being replaced + when the prefix length wasn't a multiple of 32. + + Signed-off-by: Matthias Schiffer + Signed-off-by: Pablo Neira Ayuso + + net/ipv6/netfilter/ip6t_NPT.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e +Author: Veaceslav Falico +Date: Wed Apr 3 05:46:33 2013 +0000 + + Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d + + bonding: remove sysfs before removing devices + + We have a race condition if we try to rmmod bonding and simultaneously add + a bond master through sysfs. In bonding_exit() we first remove the devices + (through rtnl_link_unregister() ) and only after that we remove the sysfs. + If we manage to add a device through sysfs after that the devices were + removed - we'll end up with that device/sysfs structure and with the module + unloaded. + + Fix this by first removing the sysfs and only after that calling + rtnl_link_unregister(). + + Signed-off-by: Veaceslav Falico + Signed-off-by: David S. Miller + + drivers/net/bonding/bond_main.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d12cae44a9d12441d81c489178803237219d403d +Author: Eric W. Biederman +Date: Wed Apr 3 16:14:47 2013 +0000 + + Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 + + af_unix: If we don't care about credentials coallesce all messages + + It was reported that the following LSB test case failed + https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we + were not coallescing unix stream messages when the application was + expecting us to. + + The problem was that the first send was before the socket was accepted + and thus sock->sk_socket was NULL in maybe_add_creds, and the second + send after the socket was accepted had a non-NULL value for sk->socket + and thus we could tell the credentials were not needed so we did not + bother. + + The unnecessary credentials on the first message cause + unix_stream_recvmsg to start verifying that all messages had the same + credentials before coallescing and then the coallescing failed because + the second message had no credentials. + + Ignoring credentials when we don't care in unix_stream_recvmsg fixes a + long standing pessimization which would fail to coallesce messages when + reading from a unix stream socket if the senders were different even if + we did not care about their credentials. + + I have tested this and verified that the in the LSB test case mentioned + above that the messages do coallesce now, while the were failing to + coallesce without this change. + + Reported-by: Karel Srot + Reported-by: Ding Tianhong + Signed-off-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf +Author: Eric W. Biederman +Date: Wed Apr 3 16:13:35 2013 +0000 + + Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 + + Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" + + This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. + + The problem that the above patch was meant to address is that af_unix + messages are not being coallesced because we are sending unnecesarry + credentials. Not sending credentials in maybe_add_creds totally + breaks unconnected unix domain sockets that wish to send credentails + to other sockets. + + In practice this break some versions of udev because they receive a + message and the sending uid is bogus so they drop the message. + + Reported-by: Sven Joachim + Signed-off-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 +Author: Wei Yongjun +Date: Wed Mar 20 21:31:42 2013 +0000 + + Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e + + lantiq_etop: use free_netdev(netdev) instead of kfree() + + Freeing netdev without free_netdev() leads to net, tx leaks. + And it may lead to dereferencing freed pointer. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + + drivers/net/ethernet/lantiq_etop.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f +Author: Cong Wang +Date: Fri Mar 22 19:14:07 2013 +0000 + + Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb + + 8021q: fix a potential use-after-free + + vlan_vid_del() could possibly free ->vlan_info after a RCU grace + period, however, we may still refer to the freed memory area + by 'grp' pointer. Found by code inspection. + + This patch moves vlan_vid_del() as behind as possible. + + Cc: Patrick McHardy + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/8021q/vlan.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit fff29c277024a39845d4b535083c8dafc21b45d9 +Author: Hong zhi guo +Date: Sat Mar 23 02:27:50 2013 +0000 + + Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 + + bridge: fix crash when set mac address of br interface + + When I tried to set mac address of a bridge interface to a mac + address which already learned on this bridge, I got system hang. + + The cause is straight forward: function br_fdb_change_mac_address + calls fdb_insert with NULL source nbp. Then an fdb lookup is + performed. If an fdb entry is found and it's local, it's OK. But + if it's not local, source is dereferenced for printk without NULL + check. + + Signed-off-by: Hong Zhiguo + Signed-off-by: David S. Miller + + net/bridge/br_fdb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 +Author: Kumar Amit Mehta +Date: Sat Mar 23 20:10:25 2013 +0000 + + Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a + + bnx2x: fix assignment of signed expression to unsigned variable + + fix for incorrect assignment of signed expression to unsigned variable. + + Signed-off-by: Kumar Amit Mehta + Acked-by: Dmitry Kravkov + Signed-off-by: David S. Miller + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e +Author: dingtianhong +Date: Mon Mar 25 17:02:04 2013 +0000 + + Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 + + af_unix: dont send SCM_CREDENTIAL when dest socket is NULL + + SCM_SCREDENTIALS should apply to write() syscalls only either source or destination + socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, + and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). + + Origionally-authored-by: Karel Srot + Signed-off-by: Ding Tianhong + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b964e1e61f0f0ccaa380be3342f956c604054bdc +Author: Eric W. Biederman +Date: Thu Mar 21 02:30:41 2013 -0700 + + Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 + + yama: Better permission check for ptraceme + + Change the permission check for yama_ptrace_ptracee to the standard + ptrace permission check, testing if the traceer has CAP_SYS_PTRACE + in the tracees user namespace. + + Reviewed-by: Kees Cook + Signed-off-by: "Eric W. Biederman" + + security/yama/yama_lsm.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit b94e71c7b6abe75989edff18aca2781233fa143b +Author: Stanislav Kinsbursky +Date: Mon Apr 1 11:40:51 2013 +0400 + + Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d + + ipc: set msg back to -EAGAIN if copy wasn't performed + + Make sure that msg pointer is set back to error value in case of + MSG_COPY flag is set and desired message to copy wasn't found. This + garantees that msg is either a error pointer or a copy address. + + Otherwise the last message in queue will be freed without unlinking from + the queue (which leads to memory corruption) and the dummy allocated + copy won't be released. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: Linus Torvalds + + ipc/msg.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 +Author: Jan Kara +Date: Fri Mar 29 15:39:16 2013 +0100 + + Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 + + reiserfs: Fix warning and inode leak when deleting inode with xattrs + + After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs + started failing to delete xattrs from inode. This was due to a buggy + test for '.' and '..' in fill_with_dentries() which resulted in passing + '.' and '..' entries to lookup_one_len() in some cases. That returned + error and so we failed to iterate over all xattrs of and inode. + + Fix the test in fill_with_dentries() along the lines of the one in + lookup_one_len(). + + Reported-by: Pawel Zawora + CC: stable@vger.kernel.org + Signed-off-by: Jan Kara + + fs/reiserfs/xattr.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9f07957378e0f55abb81da8e23b124a608fbe1cc +Author: Paul Bolle +Date: Wed Apr 3 12:24:45 2013 +0100 + + Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 + + ARM: 7690/1: mm: fix CONFIG_LPAE typos + + CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix + up the two typos under arch/arm/. + + The fix to head.S is slightly scary, but this is just for setting up + an early io-mapping for the serial port when running on a big-endian, + LPAE system. Since these systems don't exist in the wild (at least, I + have no access to one outside of kvmtool, which doesn't provide a serial + port suitable for earlyprintk), then we can revisit the code later if it + causes any problems. + + Signed-off-by: Paul Bolle + Signed-off-by: Will Deacon + Signed-off-by: Russell King + + arch/arm/kernel/head.S | 2 +- + arch/arm/kernel/setup.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 984ba346b2d8f158473e9723ba145031368431ed +Author: Catalin Marinas +Date: Tue Mar 26 23:35:04 2013 +0100 + + Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb + + ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) + + On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down + all use of the old entries. This patch implements the erratum workaround + which consists of: + + 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. + 2. Send IPI to the CPUs that are running the same mm (and ASID) as the + one being invalidated (or all the online CPUs for global pages). + 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception + return code already). + + Signed-off-by: Catalin Marinas + Signed-off-by: Russell King + + Conflicts: + + arch/arm/include/asm/tlbflush.h + arch/arm/kernel/smp_tlb.c + arch/arm/mm/context.c + + arch/arm/Kconfig | 10 +++++ + arch/arm/include/asm/highmem.h | 7 ++++ + arch/arm/include/asm/mmu_context.h | 2 + + arch/arm/include/asm/tlbflush.h | 15 ++++++++ + arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ + arch/arm/mm/context.c | 6 ++- + 6 files changed, 104 insertions(+), 2 deletions(-) + +commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 +Author: Jan Stancek +Date: Thu Apr 4 11:35:10 2013 -0700 + + Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c + + mm: prevent mmap_cache race in find_vma() + + find_vma() can be called by multiple threads with read lock + held on mm->mmap_sem and any of them can update mm->mmap_cache. + Prevent compiler from re-fetching mm->mmap_cache, because other + readers could update it in the meantime: + + thread 1 thread 2 + | + find_vma() | find_vma() + struct vm_area_struct *vma = NULL; | + vma = mm->mmap_cache; | + if (!(vma && vma->vm_end > addr | + && vma->vm_start <= addr)) { | + | mm->mmap_cache = vma; + return vma; | + ^^ compiler may optimize this | + local variable out and re-read | + mm->mmap_cache | + + This issue can be reproduced with gcc-4.8.0-1 on s390x by running + mallocstress testcase from LTP, which triggers: + + kernel BUG at mm/rmap.c:1088! + Call Trace: + ([<000003d100c57000>] 0x3d100c57000) + [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 + [<000000000023baae>] handle_pte_fault+0x41a/0xac8 + [<000000000023d832>] handle_mm_fault+0x17a/0x268 + [<000000000060507a>] do_protection_exception+0x1e2/0x394 + [<0000000000603a04>] pgm_check_handler+0x138/0x13c + [<000003fffcf1f07a>] 0x3fffcf1f07a + Last Breaking-Event-Address: + [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 + + Thanks to Jakub Jelinek for his insight on gcc and helping to + track this down. + + Signed-off-by: Jan Stancek + Acked-by: David Rientjes + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + mm/mmap.c | 2 +- + mm/nommu.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 53f5096daa14967938bc154e6c41f9119863fb36 +Merge: e988d7c 0a45285 +Author: Brad Spengler +Date: Fri Apr 5 17:32:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/net/ethernet/broadcom/tg3.c + +commit 0a452855444d02502df6eb21ef3083cf303f71e1 +Merge: 0277fa1 00cfbb8 +Author: Brad Spengler +Date: Fri Apr 5 17:31:15 2013 -0400 + + Update to pax-linux-3.8.6-test16.patch: + - fixed some attribute leakage into userland headers, patch by Mathias Krause + - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + drivers/gpu/drm/i915/intel_display.c + +commit e988d7c8d946c816a2cb97f0d38048a1584966b8 +Merge: baec40e 0277fa1 +Author: Brad Spengler +Date: Wed Apr 3 22:05:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0277fa123b486cf11420967e4568d7653e225fd3 +Author: Brad Spengler +Date: Wed Apr 3 22:04:48 2013 -0400 + + Update to pax-linux-3.8.5-test15.patch: + - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) + - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) + + drivers/media/pci/cx88/cx88-video.c | 6 +++--- + include/net/net_namespace.h | 4 ++++ + 2 files changed, 7 insertions(+), 3 deletions(-) + +commit baec40e6708fd5ae2000cad6c70c5980c998b91c +Author: Brad Spengler +Date: Tue Apr 2 19:50:32 2013 -0400 + + fix compilation as reported on forums for gcc versions lacking plugin + support + + include/net/net_namespace.h | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 +Merge: 6b69c35 0db9d15 +Author: Brad Spengler +Date: Tue Apr 2 17:47:27 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0db9d156826bdd50510086fde837648a3dfd370e +Author: Brad Spengler +Date: Tue Apr 2 17:46:05 2013 -0400 + + Update to pax-linux-3.8.5-test14.patch: + - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table + + arch/x86/include/asm/uaccess_64.h | 6 +- + include/linux/moduleloader.h | 4 +- + tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- + 3 files changed, 61 insertions(+), 47 deletions(-) + +commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d +Author: Brad Spengler +Date: Tue Apr 2 17:35:06 2013 -0400 + + remove duplicate compiler.h + + include/linux/sysrq.h | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit 01e1d503fd2220adaaec0b92ea19441bdff73555 +Author: Brad Spengler +Date: Fri Mar 29 19:53:50 2013 -0400 + + fix intentional_overflow marking on sys_sendto + + include/linux/syscalls.h | 2 +- + net/socket.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit cd5ff114d958470f471c63775278e8c05e774630 +Author: Brad Spengler +Date: Fri Mar 29 18:46:16 2013 -0400 + + fix size_overflow false positive + + kernel/futex_compat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 295ba16cc53df2375261accbedd6575ea327770a +Merge: 18340f1 278a989 +Author: Brad Spengler +Date: Fri Mar 29 17:36:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/exec.c + include/linux/thread_info.h + +commit 278a989c831d62193c7b3d119fe2302babd45d12 +Author: Brad Spengler +Date: Fri Mar 29 17:34:34 2013 -0400 + + Resync with pax-linux-3.8.5-test13.patch + + arch/arm/include/asm/pgtable.h | 3 ++- + arch/arm/lib/delay.c | 1 + + fs/exec.c | 8 ++++---- + include/linux/compiler.h | 1 + + include/linux/proc_fs.h | 2 +- + include/linux/thread_info.h | 6 +++--- + include/linux/zlib.h | 3 ++- + init/main.c | 4 ++-- + kernel/user_namespace.c | 2 +- + lib/list_debug.c | 4 ++-- + mm/slab.c | 1 + + mm/slob.c | 1 + + mm/slub.c | 1 + + net/core/sysctl_net_core.c | 3 +-- + tools/gcc/constify_plugin.c | 1 + + 15 files changed, 24 insertions(+), 17 deletions(-) + +commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 +Merge: 05f01ae e8cfeae +Author: Brad Spengler +Date: Fri Mar 29 17:30:57 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 +Merge: b461cb7 aa4cfde +Author: Brad Spengler +Date: Fri Mar 29 17:30:44 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + drivers/gpu/drm/i915/i915_gem_execbuffer.c + fs/nfsd/vfs.c + +commit 05f01ae4c3479541586a2387f916a6620889c479 +Author: Brad Spengler +Date: Fri Mar 29 17:05:39 2013 -0400 + + Another infoleak, up to 128 bytes on the stack in __sys_recvmsg + takes user-provided length, copies up to that amount in a sockaddr_storage + struct on the stack, then takes an upper-bounded-only user-provided length + and copies the sockaddr_storage struct back out to userland, complete with + uninitialized data + + net/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit eea6ade59490784e83e08ec67322288fcf14cb31 +Author: Brad Spengler +Date: Thu Mar 28 23:07:37 2013 -0400 + + return a proper error, otherwise we could be accessing uninitialized data + (previous define was a positive value) + + drivers/usb/storage/realtek_cr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e +Merge: c3dc9a6 b461cb7 +Author: Brad Spengler +Date: Thu Mar 28 20:54:24 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b461cb7b1d85490430ef7896c247794af72c3749 +Author: Brad Spengler +Date: Thu Mar 28 20:54:11 2013 -0400 + + Add structleak plugin + + tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 270 insertions(+), 0 deletions(-) + +commit c3dc9a6ef10782894bb11fd088fd712db44d8062 +Author: Brad Spengler +Date: Thu Mar 28 20:53:22 2013 -0400 + + Enable structleak by default for the security auto-config + + security/Kconfig | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e +Merge: d8503a3 74bec16 +Author: Brad Spengler +Date: Thu Mar 28 20:47:10 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 74bec16b657147a5575b1f14f4423a717ba317a6 +Author: Brad Spengler +Date: Thu Mar 28 20:46:13 2013 -0400 + + Update to pax-linux-3.8.4-test13.patch: + - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) + - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland + + Makefile | 5 +++- + arch/x86/include/asm/compat.h | 2 +- + arch/x86/mm/fault.c | 3 +- + fs/binfmt_elf.c | 2 +- + include/linux/compiler.h | 42 ++++++++++++++-------------------------- + security/Kconfig | 16 +++++++++++++++ + tools/gcc/Makefile | 2 + + tools/gcc/constify_plugin.c | 7 +++++- + 8 files changed, 47 insertions(+), 32 deletions(-) + +commit d8503a3a35d68b9ba1615d29335aef3f70d51465 +Author: Brad Spengler +Date: Thu Mar 28 20:02:40 2013 -0400 + + Fix 8-byte stack infoleak in ia32_rt_sigpending + User controls length, kernel only performs check on the upper bound, will + fill in any amount less than sizeof(sigset_t) via a copy_to_user under + KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t + regardless of whether the sigset_t content copied into it has been initialized + or not + + arch/x86/ia32/sys_ia32.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b +Author: Brad Spengler +Date: Tue Mar 26 21:05:05 2013 -0400 + + commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 + Author: J. Bruce Fields + Date: Tue Mar 26 14:11:13 2013 -0400 + + nfsd4: reject "negative" acl lengths + + Since we only enforce an upper bound, not a lower bound, a "negative" + length can get through here. + + The symptom seen was a warning when we attempt to a kmalloc with an + excessive size. + + Reported-by: Toralf Förster + Signed-off-by: J. Bruce Fields + + fs/nfsd/nfs4xdr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 +Author: Jeff Layton +Date: Mon Mar 11 09:52:19 2013 -0400 + + Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 + + cifs: ignore everything in SPNEGO blob after mechTypes + + We've had several reports of people attempting to mount Windows 8 shares + and getting failures with a return code of -EINVAL. The default sec= + mode changed recently to sec=ntlmssp. With that, we expect and parse a + SPNEGO blob from the server in the NEGOTIATE reply. + + The current decode_negTokenInit function first parses all of the + mechTypes and then tries to parse the rest of the negTokenInit reply. + The parser however currently expects a mechListMIC or nothing to follow the + mechTypes, but Windows 8 puts a mechToken field there instead to carry + some info for the new NegoEx stuff. + + In practice, we don't do anything with the fields after the mechTypes + anyway so I don't see any real benefit in continuing to parse them. + This patch just has the kernel ignore the fields after the mechTypes. + We'll probably need to reinstate some of this if we ever want to support + NegoEx. + + Reported-by: Jason Burgess + Reported-by: Yan Li + Signed-off-by: Jeff Layton + Cc: + Signed-off-by: Steve French + + fs/cifs/asn1.c | 53 +++++------------------------------------------------ + 1 files changed, 5 insertions(+), 48 deletions(-) + +commit 0b1c6223105a05d5a84e39a5e951868e37610e1c +Merge: 93ff726 0deb54c +Author: Brad Spengler +Date: Mon Mar 25 18:35:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 +Author: Brad Spengler +Date: Mon Mar 25 18:35:05 2013 -0400 + + fix typo + + arch/x86/mm/ioremap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 +Merge: be9f8b8 f95e53a +Author: Brad Spengler +Date: Mon Mar 25 18:30:06 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f95e53abadb6e4665866e4502ff9f518514193e1 +Author: Brad Spengler +Date: Mon Mar 25 18:29:25 2013 -0400 + + Update to pax-linux-3.8.4-test12.patch: + + - fixed perf compilation reported by Michael Tremer + - fixed USERCOPY reports triggered by SCTP, reported by mcp + - last fix for aslr gap accounting, promise (thanks to spender) + + arch/x86/mm/ioremap.c | 3 +++ + fs/binfmt_elf.c | 5 ++--- + mm/mmap.c | 2 +- + net/sctp/socket.c | 19 +++++++++++++++---- + tools/perf/util/include/linux/compiler.h | 8 ++++++++ + 5 files changed, 29 insertions(+), 8 deletions(-) + +commit be9f8b82b0d8a21d7515fb6e44a907623381c5df +Author: Brad Spengler +Date: Mon Mar 25 16:48:34 2013 -0400 + + From: Al Viro + To: Brad Spengler + Cc: Linus Torvalds + + Umm... I see what you are describing, and AFAICS you are correct; let me + see if I am misreading your analysis: + * vfsmount_lock may act fair; A holding it shared, with B spinning + on attempt to take it exclusive may lead to C spinning on attempt to take + it shared. + * path_is_under() tries get rename_lock while holding vfsmount_lock + shared. + * d_path() et.al. try to take vfsmount_lock shared, while holding + rename_lock. + + All true and yes, it's a bug (I'd probably classify it as a livelock, but + that doesn't make any real difference). There are three possible solutions, + AFAICS: + 1) two-liner in path_is_under() replacing the use of vfsmount_lock + with that of namespace_sem; trivial, but results in function unexpectedly + blocking. The current callers are fine with that, but it's a trouble + waiting to happen. + 2) replace write_seqlock() in prepend_path() callers with + read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike + is_subdir() we need more than just ->d_parent not pointing to something + freed - we also care about ->d_name.len being in sync with ->d_name.name. + It probably can be worked around, but... + + 3) declare that rename_lock nests inside vfsmount_lock and let + the callers of prepend_path() take vfsmount_lock(). I'd probably prefer + that one... + + Nest rename_lock inside vfsmount_lock + + ... lest we get livelocks between path_is_under() and d_path() and friends. + + [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing + the issue ] + + Spotted-by: Brad Spengler + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/dcache.c | 16 +++++++++++----- + grsecurity/gracl.c | 20 ++++++++++---------- + 2 files changed, 21 insertions(+), 15 deletions(-) + +commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee +Author: Linus Torvalds +Date: Fri Mar 22 11:44:04 2013 -0700 + + Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 + + vfs,proc: guarantee unique inodes in /proc + + Dave Jones found another /proc issue with his Trinity tool: thanks to + the namespace model, we can have multiple /proc dentries that point to + the same inode, aliasing directories in /proc//net/ for example. + + This ends up being a total disaster, because it acts like hardlinked + directories, and causes locking problems. We rely on the topological + sort of the inodes pointed to by dentries, and if we have aliased + directories, that odering becomes unreliable. + + In short: don't do this. Multiple dentries with the same (directory) + inode is just a bad idea, and the namespace code should never have + exposed things this way. But we're kind of stuck with it. + + This solves things by just always allocating a new inode during /proc + dentry lookup, instead of using "iget_locked()" to look up existing + inodes by superblock and number. That actually simplies the code a bit, + at the cost of potentially doing more inode [de]allocations. + + That said, the inode lookup wasn't free either (and did a lot of locking + of inodes), so it is probably not that noticeable. We could easily keep + the old lookup model for non-directory entries, but rather than try to + be excessively clever this just implements the minimal and simplest + workaround for the problem. + + Reported-and-tested-by: Dave Jones + Analyzed-by: Al Viro + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/inode.c + + fs/proc/inode.c | 9 +++------ + 1 files changed, 3 insertions(+), 6 deletions(-) + +commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb +Author: Vladimir Davydov +Date: Fri Mar 22 15:04:51 2013 -0700 + + Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 + + mqueue: sys_mq_open: do not call mnt_drop_write() if read-only + + mnt_drop_write() must be called only if mnt_want_write() succeeded, + otherwise the mnt_writers counter will diverge. + + mnt_writers counters are used to check if remounting FS as read-only is + OK, so after an extra mnt_drop_write() call, it would be impossible to + remount mqueue FS as read-only. Besides, on umount a warning would be + printed like this one: + + ===================================== + [ BUG: bad unlock balance detected! ] + 3.9.0-rc3 #5 Not tainted + ------------------------------------- + a.out/12486 is trying to release lock (sb_writers) at: + mnt_drop_write+0x1f/0x30 + but there are no more locks to release! + + Signed-off-by: Vladimir Davydov + Cc: Doug Ledford + Cc: KOSAKI Motohiro + Cc: "Eric W. Biederman" + Cc: Al Viro + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/mqueue.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e +Author: Brad Spengler +Date: Sat Mar 23 13:02:32 2013 -0400 + + Don't use constify plugin if not enabled in config, + reported by Alexey Vlasov + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3afb82e020593249ac394e9859397c3e0ef5341c +Author: Brad Spengler +Date: Sat Mar 23 12:50:13 2013 -0400 + + oded 0day #2 + http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf + slide 20 + + drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 +Author: Brad Spengler +Date: Sat Mar 23 12:15:50 2013 -0400 + + oded 0day #1 + http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf + slide 18 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 +Author: Brad Spengler +Date: Sat Mar 23 12:13:12 2013 -0400 + + remove warning on accessing this /proc entry, HIDESYM already caught the infoleak + + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 44cb11a9470f72157601d0ad4d572d111f90f504 +Author: Brad Spengler +Date: Fri Mar 22 18:11:42 2013 -0400 + + use VM_DONTDUMP + + fs/binfmt_elf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb +Author: Brad Spengler +Date: Fri Mar 22 17:53:09 2013 -0400 + + fix recent RLIMIT_AS changes (due to vm_flags typo) + + Conflicts: + + fs/binfmt_elf.c + + fs/binfmt_elf.c | 2 +- + mm/mmap.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit fd5f0d92b0fbec02029dad124501a9c80e527a32 +Author: Brad Spengler +Date: Fri Mar 22 17:08:48 2013 -0400 + + complete_walk drops rcu-walk mode, no need for our own dropping + method outside of generic_permission + + fs/namei.c | 30 ------------------------------ + 1 files changed, 0 insertions(+), 30 deletions(-) + +commit b49ab1c73edb6442eec609b26bba4d850b3111b6 +Merge: 5e9a707 783ade9 +Author: Brad Spengler +Date: Thu Mar 21 21:56:28 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 +Author: Brad Spengler +Date: Thu Mar 21 21:55:31 2013 -0400 + + Update to pax-linux-3.8.3-test11.patch: + - rewrote the ASLR gap accounting code once again + - fixed ptrace compat bug found by the size overflow plugin + + fs/binfmt_elf.c | 25 ++++++++++++------------- + fs/exec.c | 7 ++----- + include/linux/compat.h | 2 +- + include/linux/mm.h | 5 +++++ + include/linux/mm_types.h | 2 +- + kernel/ptrace.c | 2 +- + mm/mmap.c | 15 ++++++++++----- + 7 files changed, 32 insertions(+), 26 deletions(-) + +commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a +Author: Brad Spengler +Date: Thu Mar 21 19:37:33 2013 -0400 + + Make the constify plugin usage actually depend on the introduced config option + (it was still forced on) + + tools/gcc/Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1974b4f58d9d729c80ac1987785446115304a54c +Author: Brad Spengler +Date: Thu Mar 21 16:12:38 2013 -0400 + + fix failed merge + + arch/arm/mm/fault.c | 15 +++------------ + 1 files changed, 3 insertions(+), 12 deletions(-) + +commit 675a8ab4a8fe8315df348735a37a302a7535224c +Author: Brad Spengler +Date: Wed Mar 20 23:36:14 2013 -0400 + + From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 + From: Kees Cook + Date: Sun, 10 Mar 2013 20:09:31 +0000 + Subject: drm/i915: bounds check execbuffer relocation count + + It is possible to wrap the counter used to allocate the buffer for + relocation copies. This could lead to heap writing overflows. + + CVE-2013-0913 + + Signed-off-by: Kees Cook + Reported-by: Pinkie Pie + Cc: stable@vger.kernel.org + + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 +Author: Andy Honig +Date: Wed Feb 20 14:48:10 2013 -0800 + + Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 + + KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) + + There is a potential use after free issue with the handling of + MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable + memory such as frame buffers then KVM might continue to write to that + address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins + the page in memory so it's unlikely to cause an issue, but if the user + space component re-purposes the memory previously used for the guest, then + the guest will be able to corrupt that memory. + + Tested: Tested against kvmclock unit test + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + arch/x86/include/asm/kvm_host.h | 4 +- + arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- + 2 files changed, 22 insertions(+), 29 deletions(-) + +commit 0bcac31b57c381001feb69fd6ec8069e61e03432 +Author: Andy Honig +Date: Mon Mar 11 09:34:52 2013 -0700 + + Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 + + KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) + + If the guest sets the GPA of the time_page so that the request to update the + time straddles a page then KVM will write onto an incorrect page. The + write is done byusing kmap atomic to get a pointer to the page for the time + structure and then performing a memcpy to that page starting at an offset + that the guest controls. Well behaved guests always provide a 32-byte aligned + address, however a malicious guest could use this to corrupt host kernel + memory. + + Tested: Tested against kvmclock unit test. + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + arch/x86/kvm/x86.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 695c59887e4ec10b0b695ab4f645d1226c433be0 +Author: Andy Honig +Date: Wed Feb 20 14:49:16 2013 -0800 + + Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 + + KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) + + If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows + that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate + that request. ioapic_read_indirect contains an + ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in + non-debug builds. In recent kernels this allows a guest to cause a kernel + oops by reading invalid memory. In older kernels (pre-3.3) this allows a + guest to read from large ranges of host memory. + + Tested: tested against apic unit tests. + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + virt/kvm/ioapic.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e +Merge: aec3cd4 c522e3a +Author: Brad Spengler +Date: Wed Mar 20 19:38:25 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 +Merge: c57d855 405acc3 +Author: Brad Spengler +Date: Wed Mar 20 19:38:11 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 +Author: Brad Spengler +Date: Tue Mar 19 19:56:04 2013 -0400 + + include linux/compiler.h + + include/linux/zlib.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e +Author: Brad Spengler +Date: Tue Mar 19 18:42:20 2013 -0400 + + fix missing sock_release() + + net/irda/af_irda.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit dd65c05cd24faf8946d4941434a553ee285c35a3 +Author: Brad Spengler +Date: Tue Mar 19 18:36:17 2013 -0400 + + fix mpt fusion infoleak + + drivers/message/fusion/mptbase.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit e297b4f150b769efdc4c547d3caf1e3c0f24735f +Author: Brad Spengler +Date: Tue Mar 19 18:33:45 2013 -0400 + + Fix size_overflow false positive reported by slashbeast + + include/linux/zlib.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be +Author: Brad Spengler +Date: Tue Mar 19 17:35:36 2013 -0400 + + fix up failed merge + + arch/arm/mm/fault.c | 9 ++------- + 1 files changed, 2 insertions(+), 7 deletions(-) + +commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd +Author: Brad Spengler +Date: Tue Mar 19 17:34:36 2013 -0400 + + update documentation on consequences of building without gcc plugin support + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 +Author: Brad Spengler +Date: Tue Mar 19 17:18:13 2013 -0400 + + fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums + + init/main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit f00195c633f91cfbd8c1f530d2c371b713026e20 +Author: Brad Spengler +Date: Mon Mar 18 22:27:33 2013 -0400 + + Fix compile error reported by KDE on the forums + + kernel/user_namespace.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 +Merge: 0949569 c57d855 +Author: Brad Spengler +Date: Mon Mar 18 22:20:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + arch/x86/mm/fault.c + fs/exec.c + +commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 +Author: Brad Spengler +Date: Mon Mar 18 21:22:03 2013 -0400 + + Update to pax-linux-3.8.2-test9.patch: + arm changes from spender + - removed userland access to the vectors page + - removed obsolete sigreturn trampoline handling + - added emulation for __kuser_get_tls + - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) + - fixed recent sysfs/power_supply attr breakage reported by Steven Allen + - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) + - changed debian packager rules to include the compiler plugins, from Tyler Coumbes + - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) + - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values + and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. + + arch/arm/kernel/process.c | 5 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/traps.c | 7 - + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 23 +- + arch/arm/mm/mmu.c | 2 +- + arch/x86/include/asm/bitops.h | 2 +- + arch/x86/include/asm/desc.h | 2 +- + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/io.h | 8 +- + arch/x86/include/asm/paravirt.h | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- + arch/x86/kernel/setup_percpu.c | 2 +- + arch/x86/mm/fault.c | 4 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/physaddr.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/lguest/page_tables.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/power/power_supply_core.c | 1 + + drivers/usb/core/message.c | 2 +- + fs/befs/endian.h | 4 +- + fs/binfmt_elf.c | 5 +- + fs/exec.c | 4 +- + fs/qnx6/qnx6.h | 4 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/ufs/swab.h | 4 +- + include/linux/compat.h | 4 +- + include/linux/completion.h | 6 +- + include/linux/cpumask.h | 12 +- + include/linux/ctype.h | 2 +- + include/linux/err.h | 4 +- + include/linux/math64.h | 6 +- + include/linux/sched.h | 2 +- + include/linux/unaligned/access_ok.h | 12 +- + include/linux/usb.h | 2 +- + include/uapi/linux/byteorder/little_endian.h | 4 +- + include/uapi/linux/swab.h | 6 +- + kernel/sched/core.c | 6 +- + kernel/signal.c | 3 + + kernel/time.c | 2 +- + kernel/timer.c | 2 +- + lib/div64.c | 4 +- + mm/page-writeback.c | 2 +- + net/socket.c | 2 + + scripts/package/builddeb | 1 + + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- + tools/gcc/size_overflow_plugin.c | 1072 ++-- + 53 files changed, 6227 insertions(+), 3951 deletions(-) + +commit 09495691bb31f11ec14d9127429f9a0f3f716f22 +Author: Brad Spengler +Date: Sun Mar 17 20:51:50 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit deb85b00d0f9f886e264e116313f298401ec5c59 +Author: Brad Spengler +Date: Sun Mar 17 20:03:33 2013 -0400 + + Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task + with a subject applied to it with RES_CPU. Otherwise, the limit will only + begin to be applied at fork time. + + Thanks to Bjornar Ness for the report. + + grsecurity/gracl.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 2126421f123513f604ceef2b23ba9ed516de7e58 +Author: Brad Spengler +Date: Sat Mar 16 22:07:43 2013 -0400 + + Move inode auditing prior to our refcnt dropping + + fs/namei.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 +Author: Brad Spengler +Date: Sat Mar 16 22:00:30 2013 -0400 + + Drop reference on completed path walked in RCU mode or when violating + the chroot fchdir check inside a chroot -- possible culprit for a reported + vfsmount_lock hang during unmount + + fs/namei.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 +Author: Brad Spengler +Date: Sat Mar 16 16:43:45 2013 -0400 + + add user_arg_ptr back to exec.c + + fs/exec.c | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 +Author: Brad Spengler +Date: Sat Mar 16 11:22:36 2013 -0400 + + Don't globally include compat.h -- with the new X32 support it + changes some definitions involving ELF binaries resulting in invalid + coredumps, as reported by KDE on the forums: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 + Thanks to the PaX Team for debugging + + fs/exec.c | 3 +++ + grsecurity/grsec_exec.c | 13 +++++++++++++ + include/linux/grsecurity.h | 15 --------------- + 3 files changed, 16 insertions(+), 15 deletions(-) + +commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a +Author: Brad Spengler +Date: Thu Mar 14 20:59:26 2013 -0400 + + Add peer information to /proc/net/unix from Kenan Kalajdzic: + http://marc.info/?l=linux-netdev&m=126745636809191&w=2 + + We use a "P" prefix to the inode number instead of "peer=". This + additional information can be used, for instance, to find what processes + are connected to MySQL's unix domain socket. + + net/unix/af_unix.c | 12 +++++++++--- + 1 files changed, 9 insertions(+), 3 deletions(-) + +commit 1cd623d11a462d151ea8a5cace4521e1724911a3 +Author: Oliver Neukum +Date: Tue Mar 12 14:52:42 2013 +0100 + + Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa + + USB: cdc-wdm: fix buffer overflow + + The buffer for responses must not overflow. + If this would happen, set a flag, drop the data and return + an error after user space has read all remaining data. + + Signed-off-by: Oliver Neukum + CC: stable@kernel.org + Signed-off-by: Greg Kroah-Hartman + + drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- + 1 files changed, 20 insertions(+), 3 deletions(-) + +commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc +Merge: 9cdf9bc db4cb92 +Author: Brad Spengler +Date: Thu Mar 14 20:23:14 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/keys/compat.c + +commit db4cb924546e3fec3a59f78d056f48176eaf7100 +Author: Brad Spengler +Date: Thu Mar 14 20:22:24 2013 -0400 + + Update to pax-linux-3.8.2-test8.patch + + arch/arm/include/asm/cache.h | 2 ++ + arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- + arch/arm/mach-omap2/omap_device.c | 4 ++-- + arch/arm/mach-omap2/omap_device.h | 4 ++-- + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- + 5 files changed, 19 insertions(+), 15 deletions(-) + +commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae +Merge: 3c865f9 1a45c31 +Author: Brad Spengler +Date: Thu Mar 14 20:20:54 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/arm/include/asm/delay.h + arch/arm/include/asm/pgtable.h + arch/arm/lib/delay.c + security/keys/compat.c + +commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 +Author: Al Viro +Date: Tue Mar 12 02:59:49 2013 +0000 + + Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 + + vfs: fix pipe counter breakage + + If you open a pipe for neither read nor write, the pipe code will not + add any usage counters to the pipe, causing the 'struct pipe_inode_info" + to be potentially released early. + + That doesn't normally matter, since you cannot actually use the pipe, + but the pipe release code - particularly fasync handling - still expects + the actual pipe infrastructure to all be there. And rather than adding + NULL pointer checks, let's just disallow this case, the same way we + already do for the named pipe ("fifo") case. + + This is ancient going back to pre-2.4 days, and until trinity, nobody + naver noticed. + + Reported-by: Dave Jones + Signed-off-by: Linus Torvalds + + fs/pipe.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 +Author: Mathieu Desnoyers +Date: Mon Feb 25 10:20:36 2013 -0500 + + Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 + + Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys + + Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to + compat_process_vm_rw() shows that the compatibility code requires an + explicit "access_ok()" check before calling + compat_rw_copy_check_uvector(). The same difference seems to appear when + we compare fs/read_write.c:do_readv_writev() to + fs/compat.c:compat_do_readv_writev(). + + This subtle difference between the compat and non-compat requirements + should probably be debated, as it seems to be error-prone. In fact, + there are two others sites that use this function in the Linux kernel, + and they both seem to get it wrong: + + Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() + also ends up calling compat_rw_copy_check_uvector() through + aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to + be missing. Same situation for + security/keys/compat.c:compat_keyctl_instantiate_key_iov(). + + I propose that we add the access_ok() check directly into + compat_rw_copy_check_uvector(), so callers don't have to worry about it, + and it therefore makes the compat call code similar to its non-compat + counterpart. Place the access_ok() check in the same location where + copy_from_user() can trigger a -EFAULT error in the non-compat code, so + the ABI behaviors are alike on both compat and non-compat. + + While we are here, fix compat_do_readv_writev() so it checks for + compat_rw_copy_check_uvector() negative return values. + + And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error + handling. + + Acked-by: Linus Torvalds + Acked-by: Al Viro + Signed-off-by: Mathieu Desnoyers + Signed-off-by: Linus Torvalds + + Conflicts: + + security/keys/compat.c + + fs/compat.c | 15 +++++++-------- + mm/process_vm_access.c | 8 -------- + security/keys/compat.c | 3 ++- + 3 files changed, 9 insertions(+), 17 deletions(-) + +commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 +Author: Brad Spengler +Date: Mon Mar 11 18:38:38 2013 -0400 + + Fix leak of signal handler addresses across execve, found by Emese Revfy + + kernel/signal.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 79b130c4b11c7940daf2b33d653a17666331c634 +Merge: 6480ce9 3c865f9 +Author: Brad Spengler +Date: Sun Mar 10 20:04:03 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d +Author: Brad Spengler +Date: Sun Mar 10 20:03:12 2013 -0400 + + Update to pax-linux-3.8.2-test7.patch: + - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) + - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) + + fs/binfmt_elf.c | 3 ++- + fs/exec.c | 3 +++ + include/linux/mm_types.h | 2 +- + init/main.c | 4 ++-- + mm/mmap.c | 2 +- + mm/page_alloc.c | 4 ++-- + tools/gcc/latent_entropy_plugin.c | 11 +++++++---- + 7 files changed, 18 insertions(+), 11 deletions(-) + +commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 +Merge: 4a5305e 25b3569 +Author: Brad Spengler +Date: Sun Mar 10 10:41:16 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 25b356980568bed9958315bb5a551fdc610055ed +Author: Brad Spengler +Date: Sun Mar 10 10:40:48 2013 -0400 + + Update to pax-linux-3.8.2-test6.patch: + - fixed a KERNEXEC false positive on arm reported by Gu1 + - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) + - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) + - added fix from spender for some namespace breakage reported by zakalwe + - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot + + Documentation/kernel-parameters.txt | 5 +++++ + arch/arm/kernel/patch.c | 2 ++ + arch/x86/kernel/sys_i386_32.c | 5 +++-- + drivers/acpi/blacklist.c | 2 +- + drivers/video/aty/mach64_cursor.c | 1 + + init/main.c | 4 ---- + mm/page_alloc.c | 27 +++++++++++++++++++++++++++ + net/ipv4/ip_fragment.c | 2 +- + security/Kconfig | 5 +++++ + tools/gcc/latent_entropy_plugin.c | 7 +++++-- + 10 files changed, 50 insertions(+), 10 deletions(-) + +commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f +Author: Brad Spengler +Date: Sat Mar 9 11:19:06 2013 -0500 + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause , + Stephen Hemminger + Subject: [PATCH 1/3] bridge: fix mdb info leaks + Date: Sat, 9 Mar 2013 16:52:19 +0100 + + The bridging code discloses heap and stack bytes via the RTM_GETMDB + netlink interface and via the notify messages send to group RTNLGRP_MDB + afer a successful add/del. + + Fix both cases by initializing all unset members/padding bytes with + memset(0). + + Cc: Stephen Hemminger + Signed-off-by: Mathias Krause + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause + Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices + Date: Sat, 9 Mar 2013 16:52:20 +0100 + + Initialize the mac address buffer with 0 as the driver specific function + will probably not fill the whole buffer. In fact, all in-kernel drivers + fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible + bytes. Therefore we currently leak 26 bytes of stack memory to userland + via the netlink interface. + + Signed-off-by: Mathias Krause + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause + Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks + Date: Sat, 9 Mar 2013 16:52:21 +0100 + + The dcb netlink interface leaks stack memory in various places: + * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but + copied completely, + * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, + so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes + for ieee_pfc structs, etc., + * the same is true for CEE -- no in-kernel driver fills the whole + struct, + + Prevent all of the above stack info leaks by properly initializing the + buffers/structures involved. + + Signed-off-by: Mathias Krause + + net/bridge/br_mdb.c | 4 ++++ + net/core/rtnetlink.c | 1 + + net/dcb/dcbnl.c | 8 ++++++++ + 3 files changed, 13 insertions(+), 0 deletions(-) + +commit 601dd446f896e3a362f706943df18a68d50420a1 +Author: Brad Spengler +Date: Sat Mar 9 09:35:25 2013 -0500 + + add open/close wrappers in __patch_text() as reported by Gu1 on IRC + + arch/arm/kernel/patch.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ae39966fd85a493e9079b357e3faa62245a41222 +Author: Peter Hurley +Date: Fri Mar 8 12:43:27 2013 -0800 + + Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 + + ipc: don't allocate a copy larger than max + + When MSG_COPY is set, a duplicate message must be allocated for the copy + before locking the queue. However, the copy could not be larger than was + sent which is limited to msg_ctlmax. + + Signed-off-by: Peter Hurley + Acked-by: Stanislav Kinsbursky + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/msg.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 61240e99650ea3e540a03a3e994349c5086f166b +Author: Peter Hurley +Date: Fri Mar 8 12:43:26 2013 -0800 + + Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 + + ipc: fix potential oops when src msg > 4k w/ MSG_COPY + + If the src msg is > 4k, then dest->next points to the + next allocated segment; resetting it just prior to dereferencing + is bad. + + Signed-off-by: Peter Hurley + Acked-by: Stanislav Kinsbursky + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/msgutil.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 51727f602a267f34fb2e0dc9557f1714028d51a2 +Author: Brad Spengler +Date: Fri Mar 8 22:14:06 2013 -0500 + + add missing 'else' in recent constify fixups + + net/ipv4/ip_fragment.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a38c1a640729b3d8e584d1ab98e908c221bc12cf +Merge: 1580bb3 47c3f47 +Author: Brad Spengler +Date: Fri Mar 8 18:18:37 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe +Author: Brad Spengler +Date: Fri Mar 8 18:17:22 2013 -0500 + + Update to pax-linux-3.8.2-test5.patch: + - fixed some fallout after the last round of constification changes, reported by several people + + arch/arm/common/gic.c | 4 ++-- + arch/arm/include/asm/hardware/gic.h | 3 ++- + arch/x86/include/asm/nmi.h | 2 +- + arch/x86/kernel/nmi.c | 2 +- + arch/x86/pci/irq.c | 2 +- + drivers/base/power/domain.c | 4 ++-- + drivers/cpufreq/cpufreq_governor.c | 4 ++-- + drivers/mfd/twl4030-irq.c | 1 + + drivers/video/vesafb.c | 7 +++++-- + include/linux/irq.h | 1 + + include/linux/pm_domain.h | 2 +- + kernel/sched/core.c | 4 ++++ + lib/Kconfig.debug | 4 ++-- + net/core/sysctl_net_core.c | 2 +- + net/decnet/af_decnet.c | 1 + + net/ipv4/devinet.c | 2 +- + net/ipv4/ip_fragment.c | 2 +- + net/ipv4/route.c | 2 +- + net/ipv4/sysctl_net_ipv4.c | 2 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- + net/ipv6/reassembly.c | 2 +- + scripts/sortextable.h | 6 +++--- + 22 files changed, 36 insertions(+), 25 deletions(-) + +commit 1580bb38b4db0bf2a46316599815e8b234edad81 +Author: Brad Spengler +Date: Thu Mar 7 22:02:59 2013 -0500 + + add an additional open/close wrapper + + kernel/sched/core.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 21622672d28d58e0d93a805cd1f9650a894a752a +Author: Brad Spengler +Date: Thu Mar 7 21:58:24 2013 -0500 + + fix oops at shutdown with new constify code + + kernel/sched/core.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec +Author: Brad Spengler +Date: Thu Mar 7 21:18:44 2013 -0500 + + Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally + it currently conflicts with some lock debugging options, so made as an + option to allow for debugging when necessary + + Makefile | 2 -- + lib/Kconfig.debug | 6 +++--- + security/Kconfig | 18 ++++++++++++++++++ + 3 files changed, 21 insertions(+), 5 deletions(-) + +commit 0885b00b8373a1597b69c38032a0c9eee279303b +Author: Brad Spengler +Date: Thu Mar 7 20:55:19 2013 -0500 + + disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify + + lib/Kconfig.debug | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c8a2617165e7127a54f293cbf57d22d50dd83abd +Author: Brad Spengler +Date: Thu Mar 7 20:30:41 2013 -0500 + + Fix error: + drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object + with cast and proper kernexec accessors + + drivers/video/vesafb.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 +Author: Brad Spengler +Date: Thu Mar 7 20:20:28 2013 -0500 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 +Author: Brad Spengler +Date: Thu Mar 7 20:12:17 2013 -0500 + + fix compilation error -- no reason for task_pid_nr to not take a const task ptr + + include/linux/sched.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f +Author: Kees Cook +Date: Mon Feb 25 21:32:25 2013 +0000 + + Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 + + proc connector: reject unprivileged listener bumps + + While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible + for an unprivileged user to turn off notifications for all listeners by + sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as + required for a multicast bind. + + Signed-off-by: Kees Cook + Cc: Evgeniy Polyakov + Cc: Matt Helsley + Cc: stable@vger.kernel.org + Acked-by: Evgeniy Polyakov + Acked-by: Matt Helsley + Signed-off-by: David S. Miller + + drivers/connector/cn_proc.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit ac6014ded57101e3e608941555ff507e20c1ece3 +Author: Dan Carpenter +Date: Tue Feb 26 19:15:02 2013 +0000 + + Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a + + irda: small read beyond end of array in debug code + + charset comes from skb->data. It's a number in the 0-255 range. + If we have debugging turned on then this could cause a read beyond + the end of the array. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/irda/iriap.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe +Author: Guenter Roeck +Date: Wed Feb 27 10:57:31 2013 +0000 + + Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 + + net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS + + Building sctp may fail with: + + In function ‘copy_from_user’, + inlined from ‘sctp_getsockopt_assoc_stats’ at + net/sctp/socket.c:5656:20: + arch/x86/include/asm/uaccess_32.h:211:26: error: call to + ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() + buffer size is not provably correct + + if built with W=1 due to a missing parameter size validation + before the call to copy_from_user. + + Signed-off-by: Guenter Roeck + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/socket.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c +Author: Guillaume Nault +Date: Fri Mar 1 05:02:02 2013 +0000 + + Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a + + l2tp: Restore socket refcount when sendmsg succeeds + + The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket + reference counter after successful transmissions. Any successful + sendmsg() call from userspace will then increase the reference counter + forever, thus preventing the kernel's session and tunnel data from + being freed later on. + + The problem only happens when writing directly on L2TP sockets. + PPP sockets attached to L2TP are unaffected as the PPP subsystem + uses pppol2tp_xmit() which symmetrically increase/decrease reference + counters. + + This patch adds the missing call to sock_put() before returning from + pppol2tp_sendmsg(). + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 98a9a5f981f5deda4059a255c1196886f2f27e2f +Author: Cong Wang +Date: Sun Mar 3 16:18:11 2013 +0000 + + Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 + + rds: limit the size allocated by rds_message_alloc() + + Dave Jones reported the following bug: + + "When fed mangled socket data, rds will trust what userspace gives it, + and tries to allocate enormous amounts of memory larger than what + kmalloc can satisfy." + + WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() + Hardware name: GA-MA78GM-S2H + Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s + Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 + Call Trace: + [] warn_slowpath_common+0x75/0xa0 + [] warn_slowpath_null+0x1a/0x20 + [] __alloc_pages_nodemask+0xa0d/0xbe0 + [] ? native_sched_clock+0x26/0x90 + [] ? trace_hardirqs_off_caller+0x28/0xc0 + [] ? trace_hardirqs_off+0xd/0x10 + [] alloc_pages_current+0xb8/0x180 + [] __get_free_pages+0x2a/0x80 + [] kmalloc_order_trace+0x3e/0x1a0 + [] __kmalloc+0x2f5/0x3a0 + [] ? local_bh_enable_ip+0x7c/0xf0 + [] rds_message_alloc+0x23/0xb0 [rds] + [] rds_sendmsg+0x2b1/0x990 [rds] + [] ? trace_hardirqs_off+0xd/0x10 + [] sock_sendmsg+0xb0/0xe0 + [] ? get_lock_stats+0x22/0x70 + [] ? put_lock_stats.isra.23+0xe/0x40 + [] sys_sendto+0x130/0x180 + [] ? trace_hardirqs_on+0xd/0x10 + [] ? _raw_spin_unlock_irq+0x3b/0x60 + [] ? sysret_check+0x1b/0x56 + [] ? trace_hardirqs_on_caller+0x115/0x1a0 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x16/0x1b + ---[ end trace eed6ae990d018c8b ]--- + + Reported-by: Dave Jones + Cc: Dave Jones + Cc: David S. Miller + Cc: Venkat Venkatsubra + Signed-off-by: Cong Wang + Acked-by: Venkat Venkatsubra + Signed-off-by: David S. Miller + + net/rds/message.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 +Author: Cong Wang +Date: Sun Mar 3 16:28:27 2013 +0000 + + Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e + + sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE + + Don't definite its own MAX_KMALLOC_SIZE, use the one + defined in mm. + + Cc: Vlad Yasevich + Cc: Sridhar Samudrala + Cc: Neil Horman + Cc: David S. Miller + Signed-off-by: Cong Wang + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + net/sctp/ssnmap.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit 4295a024e812f903fc580c81de5e81cc149503fa +Author: Brad Spengler +Date: Thu Mar 7 17:57:49 2013 -0500 + + Upstream commit: https://lkml.org/lkml/2013/3/6/535 + + security/keys/process_keys.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 33edd486a9899a145a15586d7134636b0300aaee +Merge: 4eeeaf3 a2a2094 +Author: Brad Spengler +Date: Thu Mar 7 17:53:00 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/include/asm/domain.h + +commit a2a20947f5e1332e474160a39af520738b3c8c19 +Author: Brad Spengler +Date: Thu Mar 7 17:51:04 2013 -0500 + + Update to pax-linux-3.8.2-test4.patch: + fixed arm compilation problems reported by Michael Tremer + - the constify plugin got smarter that enabled, with some additional patching, + the elimination of about half the static function pointers on amd64/allmod + (up from about 18%), depending on the kernel config it can be even more (70%) + + Documentation/dontdiff | 2 + + arch/arm/include/asm/domain.h | 1 + + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/nmi.h | 4 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 2 +- + arch/x86/kernel/apic/io_apic.c | 10 +- + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- + arch/x86/kernel/cpu/perf_event.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/i8259.c | 6 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/nmi.c | 6 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/irq.c | 6 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 2 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/base/bus.c | 4 +- + drivers/base/node.c | 2 +- + drivers/base/syscore.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 4 +- + drivers/char/random.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 ++- + drivers/cpufreq/cpufreq.c | 7 +- + drivers/cpufreq/cpufreq_governor.c | 4 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 2 +- + drivers/edac/edac_pci_sysfs.c | 2 +- + drivers/firewire/core-device.c | 2 +- + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpu/drm/drm_drv.c | 2 +- + drivers/gpu/drm/drm_ioc32.c | 9 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/intel_display.c | 26 ++- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/iommu/iommu.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- + drivers/mfd/twl4030-irq.c | 8 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/macvlan.c | 16 +- + drivers/net/vxlan.c | 2 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 6 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa.h | 2 +- + drivers/staging/iio/iio_hwmon.c | 2 +- + drivers/usb/storage/usb.h | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 4 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 ++- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 4 +- + drivers/video/uvesafb.c | 14 +- + fs/exec.c | 6 +- + fs/ext4/super.c | 2 +- + fs/jfs/super.c | 4 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/proc/proc_sysctl.c | 18 +- + include/drm/drmP.h | 12 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 2 +- + include/linux/binfmts.h | 2 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fscache.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/hwmon-sysfs.h | 5 +- + include/linux/iommu.h | 2 +- + include/linux/irq.h | 2 +- + include/linux/key-type.h | 2 +- + include/linux/kobject.h | 1 + + include/linux/kobject_ns.h | 2 +- + include/linux/list.h | 14 +- + include/linux/mod_devicetable.h | 2 +- + include/linux/module.h | 5 +- + include/linux/net.h | 2 +- + include/linux/netfilter.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/platform_data/usb-exynos.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/rculist.h | 16 ++ + include/linux/sched.h | 2 +- + include/linux/sock_diag.h | 2 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 1 + + include/linux/xattr.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/ip.h | 2 +- + include/net/ip_vs.h | 4 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/net_namespace.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/xfrm.h | 4 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + kernel/kmod.c | 2 +- + kernel/ksysfs.c | 2 +- + kernel/module.c | 4 +- + kernel/pid_namespace.c | 2 +- + kernel/rcutree_plugin.h | 2 +- + kernel/sched/core.c | 39 ++-- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 2 +- + kernel/sysctl.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + lib/Kconfig.debug | 2 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 57 ++++- + lib/swiotlb.c | 2 +- + mm/hugetlb.c | 16 +- + mm/memory-failure.c | 2 +- + mm/slab_common.c | 2 +- + net/9p/mod.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 11 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 15 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 12 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/ip_fragment.c | 9 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/route.c | 14 +- + net/ipv4/sysctl_net_ipv4.c | 43 ++-- + net/ipv6/addrconf.c | 4 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 6 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- + net/ipv6/reassembly.c | 11 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_ctl.c | 4 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/phonet/sysctl.c | 2 +- + net/rds/rds.h | 2 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/sysctl.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/unix/sysctl_net_unix.c | 2 +- + net/xfrm/xfrm_policy.c | 11 +- + net/xfrm/xfrm_state.c | 29 ++- + net/xfrm/xfrm_sysctl.c | 2 +- + security/apparmor/lsm.c | 2 +- + security/keys/key.c | 18 +- + security/yama/yama_lsm.c | 22 +- + tools/gcc/Makefile | 4 +- + tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ + tools/gcc/size_overflow_plugin.c | 7 +- + 248 files changed, 994 insertions(+), 668 deletions(-) + +commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b +Author: Brad Spengler +Date: Wed Mar 6 12:58:21 2013 -0500 + + Make slab_state __read_only, it's only written to during init + + mm/slab_common.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a +Author: Brad Spengler +Date: Wed Mar 6 12:31:35 2013 -0500 + + Make two new helper functions: + gr_is_global_root() and gr_is_global_nonroot() + + grsecurity/gracl.c | 10 +++++----- + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_link.c | 4 ++-- + grsecurity/grsec_sig.c | 10 +++++----- + grsecurity/grsec_tpe.c | 6 +++--- + include/linux/uidgid.h | 2 ++ + 6 files changed, 18 insertions(+), 16 deletions(-) + +commit d45d88eddd4998b280b1e5b5384289ee11ca7088 +Author: Brad Spengler +Date: Wed Mar 6 12:14:41 2013 -0500 + + convert remaining task->pid to task_pid_nr(task) + + grsecurity/gracl.c | 22 +++++++++++----------- + grsecurity/gracl_shm.c | 2 +- + grsecurity/grsec_chroot.c | 4 ++-- + grsecurity/grsec_sig.c | 4 ++-- + 4 files changed, 16 insertions(+), 16 deletions(-) + +commit c877f2ece03ee2232dd281c1977ae59507297124 +Author: Brad Spengler +Date: Tue Mar 5 17:29:54 2013 -0500 + + compat-log is only used anymore by vm86-on-64bit and allows unlimited + spamming of the kernel log buffer (and since it includes the changable + process name, can avoid syslog log deduplication) + Turn it off by default + + fs/compat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 7c1964c4b7276889d7967bee70e46918cdca1b14 +Author: Brad Spengler +Date: Mon Mar 4 17:19:10 2013 -0500 + + fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP + is enabled, introduced with recent userns support + + init/main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 +Author: Brad Spengler +Date: Sun Mar 3 18:46:12 2013 -0500 + + Prevent TOMOYO from auto-loading modules by unprivileged users + (Only reachable if TOMOYO is actually used) + + security/tomoyo/mount.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 79e142f9455b398759ff9d93d4963a21b98dddda +Author: Brad Spengler +Date: Sun Mar 3 18:28:45 2013 -0500 + + For now, don't permit any special access to /proc in a user namespace + Later we can go back and allow a userns-uid0 special access to a /proc + with a non-global pid namespace + + fs/proc/base.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8b91fb393049ce5f3c0a86f62247409853fd9700 +Merge: d931eb8 603ef05 +Author: Brad Spengler +Date: Sun Mar 3 17:42:09 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b +Author: Brad Spengler +Date: Sun Mar 3 17:41:31 2013 -0500 + + Fix compilation error on ARM reported by Michael Tremer + + arch/arm/mach-omap2/wd_timer.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit b4c9ce81fdd7839a150c97873c710c479e788280 +Author: Brad Spengler +Date: Sun Mar 3 17:39:53 2013 -0500 + + Fix compilation error on ARM reported by Michael Tremer + + arch/arm/kernel/armksyms.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d931eb81ab3da46896268fd61373a6aa7bbea930 +Merge: bfa7f44 5948f93 +Author: Brad Spengler +Date: Sun Mar 3 17:34:36 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 +Merge: ab30472 19b00d2 +Author: Brad Spengler +Date: Sun Mar 3 17:34:08 2013 -0500 + + Merge branch 'linux-3.8.y' into pax-test + +commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 +Author: Brad Spengler +Date: Sun Mar 3 15:12:12 2013 -0500 + + Initial support for user namespaces, as we previously didn't allow + the option to be enabled at all. + + RBAC will act on the global uids/gids only, so all uids/gids in user + namespaces will be converted + + Because Eric Biederman is insulted that I didn't support his + backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN + check in for user namespaces, so this is generally irrelevant. + + fs/exec.c | 6 +- + fs/proc/base.c | 2 +- + fs/proc/proc_net.c | 4 +- + grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- + grsecurity/gracl_cap.c | 4 +- + grsecurity/gracl_ip.c | 16 +++--- + grsecurity/gracl_segv.c | 12 +++- + grsecurity/gracl_shm.c | 4 +- + grsecurity/grsec_disabled.c | 10 ++-- + grsecurity/grsec_fifo.c | 6 +- + grsecurity/grsec_init.c | 24 ++++---- + grsecurity/grsec_log.c | 3 - + grsecurity/grsec_tpe.c | 6 +- + include/linux/grinternal.h | 12 ++-- + include/linux/grsecurity.h | 12 ++-- + include/linux/uidgid.h | 3 + + init/Kconfig | 2 - + ipc/shm.c | 2 +- + kernel/cred.c | 5 +- + kernel/kallsyms.c | 2 +- + kernel/kmod.c | 6 +- + kernel/sys.c | 12 ++-- + 22 files changed, 166 insertions(+), 115 deletions(-) + +commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff +Author: Linus Torvalds +Date: Wed Feb 27 08:36:04 2013 -0800 + + Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 + + mm: do not grow the stack vma just because of an overrun on preceding vma + + The stack vma is designed to grow automatically (marked with VM_GROWSUP + or VM_GROWSDOWN depending on architecture) when an access is made beyond + the existing boundary. However, particularly if you have not limited + your stack at all ("ulimit -s unlimited"), this can cause the stack to + grow even if the access was really just one past *another* segment. + + And that's wrong, especially since we first grow the segment, but then + immediately later enforce the stack guard page on the last page of the + segment. So _despite_ first growing the stack segment as a result of + the access, the kernel will then make the access cause a SIGSEGV anyway! + + So do the same logic as the guard page check does, and consider an + access to within one page of the next segment to be a bad access, rather + than growing the stack to abut the next segment. + + Reported-and-tested-by: Heiko Carstens + Signed-off-by: Linus Torvalds + + mm/mmap.c | 27 +++++++++++++++++++++++++++ + 1 files changed, 27 insertions(+), 0 deletions(-) + +commit 5596211af754867ca825f58e6e0300a8439950fe +Author: H. Peter Anvin +Date: Wed Feb 27 12:46:40 2013 -0800 + + Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c + + x86: Make sure we can boot in the case the BDA contains pure garbage + + On non-BIOS platforms it is possible that the BIOS data area contains + garbage instead of being zeroed or something equivalent (firmware + people: we are talking of 1.5K here, so please do the sane thing.) + + We need on the order of 20-30K of low memory in order to boot, which + may grow up to < 64K in the future. We probably want to avoid the + lowest of the low memory. At the same time, it seems extremely + unlikely that a legitimate EBDA would ever reach down to the 128K + (which would require it to be over half a megabyte in size.) Thus, + pick 128K as the cutoff for "this is insane, ignore." We may still + end up reserving a bunch of extra memory on the low megabyte, but that + is not really a major issue these days. In the worst case we lose + 512K of RAM. + + This code really should be merged with trim_bios_range() in + arch/x86/kernel/setup.c, but that is a bigger patch for a later merge + window. + + Reported-by: Darren Hart + Signed-off-by: H. Peter Anvin + Cc: Matt Fleming + Cc: + Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org + + arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- + 1 files changed, 34 insertions(+), 19 deletions(-) + +commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea +Author: Wei Yongjun +Date: Wed Feb 27 17:05:46 2013 -0800 + + Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 + + memstick: move the dereference below the NULL test + + The dereference should be moved below the NULL test. + + spatch with a semantic match is used to found this. + (http://coccinelle.lip6.fr/) + + Signed-off-by: Wei Yongjun + Cc: Maxim Levitsky + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/memstick/host/r592.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 +Author: Xi Wang +Date: Wed Feb 27 17:05:21 2013 -0800 + + Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 + + sysctl: fix null checking in bin_dn_node_address() + + The null check of `strchr() + 1' is broken, which is always non-null, + leading to OOB read. Instead, check the result of strchr(). + + Signed-off-by: Xi Wang + Cc: "Eric W. Biederman" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/sysctl_binary.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 7ca96db0817416fd40761e7437d1939fc0731380 +Author: Tejun Heo +Date: Wed Feb 27 17:03:34 2013 -0800 + + Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 + + idr: fix a subtle bug in idr_get_next() + + The iteration logic of idr_get_next() is borrowed mostly verbatim from + idr_for_each(). It walks down the tree looking for the slot matching + the current ID. If the matching slot is not found, the ID is + incremented by the distance of single slot at the given level and + repeats. + + The implementation assumes that during the whole iteration id is aligned + to the layer boundaries of the level closest to the leaf, which is true + for all iterations starting from zero or an existing element and thus is + fine for idr_for_each(). + + However, idr_get_next() may be given any point and if the starting id + hits in the middle of a non-existent layer, increment to the next layer + will end up skipping the same offset into it. For example, an IDR with + IDs filled between [64, 127] would look like the following. + + [ 0 64 ... ] + /----/ | + | | + NULL [ 64 ... 127 ] + + If idr_get_next() is called with 63 as the starting point, it will try + to follow down the pointer from 0. As it is NULL, it will then try to + proceed to the next slot in the same level by adding the slot distance + at that level which is 64 - making the next try 127. It goes around the + loop and finds and returns 127 skipping [64, 126]. + + Note that this bug also triggers in idr_for_each_entry() loop which + deletes during iteration as deletions can make layers go away leaving + the iteration with unaligned ID into missing layers. + + Fix it by ensuring proceeding to the next slot doesn't carry over the + unaligned offset - ie. use round_up(id + 1, slot_distance) instead of + id += slot_distance. + + Signed-off-by: Tejun Heo + Reported-by: David Teigland + Cc: KAMEZAWA Hiroyuki + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + lib/idr.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +commit 745362f28034f54242ba2e64eaa7374ab9869613 +Author: Brad Spengler +Date: Fri Mar 1 20:31:42 2013 -0500 + + Fix dentry use-after-free after failed complete_walk() with RBAC enabled + Many thanks to zakalwe from #grsecurity for the report and debugging help + + fs/namei.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit b53b3b14330920c6f7cfb74c8508a3026e1be620 +Author: Brad Spengler +Date: Thu Feb 28 18:29:26 2013 -0500 + + Fix bad git merge + + fs/namespace.c | 8 -------- + 1 files changed, 0 insertions(+), 8 deletions(-) + +commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede +Merge: 1cce1dd ab30472 +Author: Brad Spengler +Date: Thu Feb 28 17:45:14 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + net/core/sock_diag.c + +commit ab3047280e1dfb43f1b301a296123757b4ac4f6e +Merge: 4b61d21 4c91a0e +Author: Brad Spengler +Date: Thu Feb 28 17:43:56 2013 -0500 + + Merge branch 'linux-3.8.y' into pax-test + +commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 +Author: Brad Spengler +Date: Wed Feb 27 22:20:22 2013 -0500 + + add compiler.h to sysrq.h to fix compilation problem reported by micu on forums + + include/linux/sysrq.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 +Author: Brad Spengler +Date: Wed Feb 27 17:52:31 2013 -0500 + + declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel + + kernel/printk.c | 12 +++++++----- + 1 files changed, 7 insertions(+), 5 deletions(-) + +commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 +Author: Brad Spengler +Date: Wed Feb 27 17:23:46 2013 -0500 + + Fix upstream vulnerability from addition of a /dev/kmsg device + while neglecting to add the same set of existing permission checks + from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. + A temporary workaround without this patch would be to + chmod 0600 /dev/kmsg (and is likely a good idea anyway). + + Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek + Initially reported to Redhat bugzilla by Christian Kujau: + https://bugzilla.redhat.com/show_bug.cgi?id=903192 + + kernel/printk.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 66c04806f5660988c3cb4855e60de294e77e3d0e +Author: David Howells +Date: Thu Feb 21 12:00:25 2013 +0000 + + Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f + + KEYS: Revert one application of "Fix unreachable code" patch + + A patch to fix some unreachable code in search_my_process_keyrings() got + applied twice by two different routes upstream as commits e67eab39bee2 + and b010520ab3d2 (both "fix unreachable code"). + + Unfortunately, the second application removed something it shouldn't + have and this wasn't detected by GIT. This is due to the patch not + having sufficient lines of context to distinguish the two places of + application. + + The effect of this is relatively minor: inside the kernel, the keyring + search routines may search multiple keyrings and then prioritise the + errors if no keys or negative keys are found in any of them. With the + extra deletion, the presence of a negative key in the thread keyring + (causing ENOKEY) is incorrectly overridden by an error searching the + process keyring. + + So revert the second application of the patch. + + Signed-off-by: David Howells + Cc: Jiri Kosina + Cc: Andrew Morton + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + security/keys/process_keys.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 954b0c8a95b08c09c3d15ec38106ce403bf714da +Author: Wei Yongjun +Date: Thu Feb 21 16:42:43 2013 -0800 + + Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a + + configfs: move the dereference below the NULL test + + The dereference should be moved below the NULL test. + + spatch with a semantic match is used to found this. + (http://coccinelle.lip6.fr/) + + Signed-off-by: Wei Yongjun + Cc: Joel Becker + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/configfs/dir.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 +Author: Nicolas Pitre +Date: Sun Feb 24 20:06:09 2013 -0500 + + Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 + + tty vt: fix character insertion overflow + + Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on + command line edition") broke insert_char() in multiple ways. Then + commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") + partially fixed it. However, the buffer being moved is still too large + and overflowing beyond the end of the current line, corrupting existing + characters on the next line. + + Example test case: + + echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" + + Expected result: + + ab c + de + + Current result: + + ab c + e + + Needless to say that this is very annoying when inserting words in the + middle of paragraphs with certain text editors. + + Signed-off-by: Nicolas Pitre + Cc: Jean-François Moine + Cc: Greg Kroah-Hartman + Cc: + Signed-off-by: Linus Torvalds + + drivers/tty/vt/vt.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6cda35071669b4aabde081bd039e0ffea36f997a +Author: Robin Holt +Date: Fri Feb 22 16:35:34 2013 -0800 + + Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 + + mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result of a + filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + + Additionally, the list traversal in __mmu_notifier_release() is not + protected by the by the mmu_notifier_mm->hlist_lock which can result in + callouts to the ->release() notifier from both mmu_notifier_unregister() + and __mmu_notifier_release(). + + -stable suggestions: + + The stable trees prior to 3.7.y need commits 21a92735f660 and + 70400303ce0c cherry-picked in that order prior to cherry-picking this + commit. The 3.7.y tree already has those two commits. + + Signed-off-by: Robin Holt + Cc: Andrea Arcangeli + Cc: Wanpeng Li + Cc: Xiao Guangrong + Cc: Avi Kivity + Cc: Hugh Dickins + Cc: Marcelo Tosatti + Cc: Sagi Grimberg + Cc: Haggai Eran + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- + 1 files changed, 42 insertions(+), 40 deletions(-) + +commit bf5167ed78ba6131c6874887f714bda50c2cab83 +Author: Mike Galbraith +Date: Mon Jan 28 12:19:25 2013 +0100 + + Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 + + sched: Fix select_idle_sibling() bouncing cow syndrome + + If the previous CPU is cache affine and idle, select it. + + The current implementation simply traverses the sd_llc domain, + taking the first idle CPU encountered, which walks buddy pairs + hand in hand over the package, inflicting excruciating pain. + + 1 tbench pair (worst case) in a 10 core + SMT package: + + pre 15.22 MB/sec 1 procs + post 252.01 MB/sec 1 procs + + Signed-off-by: Mike Galbraith + Cc: Peter Zijlstra + Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net + Signed-off-by: Ingo Molnar + + kernel/sched/fair.c | 21 +++++++-------------- + 1 files changed, 7 insertions(+), 14 deletions(-) + +commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c +Author: Eric W. Biederman +Date: Fri Dec 28 18:58:39 2012 -0800 + + Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f + + userns: Avoid recursion in put_user_ns + + When freeing a deeply nested user namespace free_user_ns calls + put_user_ns on it's parent which may in turn call free_user_ns again. + When -fno-optimize-sibling-calls is passed to gcc one stack frame per + user namespace is left on the stack, potentially overflowing the + kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls + so we can't count on gcc to optimize this code. + + Remove struct kref and use a plain atomic_t. Making the code more + flexible and easier to comprehend. Make the loop in free_user_ns + explict to guarantee that the stack does not overflow with + CONFIG_FRAME_POINTER enabled. + + I have tested this fix with a simple program that uses unshare to + create a deeply nested user namespace structure and then calls exit. + With 1000 nesteuser namespaces before this change running my test + program causes the kernel to die a horrible death. With 10,000,000 + nested user namespaces after this change my test program runs to + completion and causes no harm. + + Acked-by: Serge Hallyn + Pointed-out-by: Vasily Kulikov + Signed-off-by: "Eric W. Biederman" + + include/linux/user_namespace.h | 10 +++++----- + kernel/user.c | 4 +--- + kernel/user_namespace.c | 17 +++++++++-------- + 3 files changed, 15 insertions(+), 16 deletions(-) + +commit 81501c7106ccc186c94806f4db954626295b5ebe +Author: Brad Spengler +Date: Tue Feb 26 17:12:30 2013 -0500 + + Pass the same flags to kern_path_create as the original function + + fs/namei.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a677c8eee35afe48868f92c7d6745bfe809cd481 +Author: Al Viro +Date: Fri Feb 22 22:45:42 2013 -0500 + + Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 + + get rid of unprotected dereferencing of mnt->mnt_ns + + It's safe only under namespace_sem or vfsmount_lock; all places + in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use + current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in + there). + + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/namespace.c | 29 +++++++++++++++++------------ + 1 files changed, 17 insertions(+), 12 deletions(-) + +commit 89298124d0c96dc34a60377e7a1308f8f532ff75 +Author: Greg Thelen +Date: Fri Feb 22 16:36:01 2013 -0800 + + Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 + + tmpfs: fix use-after-free of mempolicy object + + The tmpfs remount logic preserves filesystem mempolicy if the mpol=M + option is not specified in the remount request. A new policy can be + specified if mpol=M is given. + + Before this patch remounting an mpol bound tmpfs without specifying + mpol= mount option in the remount request would set the filesystem's + mempolicy object to a freed mempolicy object. + + To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: + # mkdir /tmp/x + + # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x + + # grep /tmp/x /proc/mounts + nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 + + # mount -o remount,size=200M nodev /tmp/x + + # grep /tmp/x /proc/mounts + nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 + # note ? garbage in mpol=... output above + + # dd if=/dev/zero of=/tmp/x/f count=1 + # panic here + + Panic: + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [< (null)>] (null) + [...] + Oops: 0010 [#1] SMP DEBUG_PAGEALLOC + Call Trace: + mpol_shared_policy_init+0xa5/0x160 + shmem_get_inode+0x209/0x270 + shmem_mknod+0x3e/0xf0 + shmem_create+0x18/0x20 + vfs_create+0xb5/0x130 + do_last+0x9a1/0xea0 + path_openat+0xb3/0x4d0 + do_filp_open+0x42/0xa0 + do_sys_open+0xfe/0x1e0 + compat_sys_open+0x1b/0x20 + cstar_dispatch+0x7/0x1f + + Non-debug kernels will not crash immediately because referencing the + dangling mpol will not cause a fault. Instead the filesystem will + reference a freed mempolicy object, which will cause unpredictable + behavior. + + The problem boils down to a dropped mpol reference below if + shmem_parse_options() does not allocate a new mpol: + + config = *sbinfo + shmem_parse_options(data, &config, true) + mpol_put(sbinfo->mpol) + sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ + + This patch avoids the crash by not releasing the mempolicy if + shmem_parse_options() doesn't create a new mpol. + + How far back does this issue go? I see it in both 2.6.36 and 3.3. I did + not look back further. + + Signed-off-by: Greg Thelen + Acked-by: Hugh Dickins + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/shmem.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 +Author: Brad Spengler +Date: Sat Feb 23 11:08:05 2013 -0500 + + Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY + with a family greater or equal then AF_MAX -- the array size of + sock_diag_handlers[]. The current code does not test for this + condition therefore is vulnerable to an out-of-bound access opening + doors for a privilege escalation. + + Signed-off-by: Mathias Krause + + The sock_diag_lock_handler() and sock_diag_unlock_handler() actually + make the code less readable. Get rid of them and make the lock usage + and access to sock_diag_handlers[] clear on the first sight. + + Signed-off-by: Mathias Krause + + net/core/sock_diag.c | 27 ++++++++++----------------- + 1 files changed, 10 insertions(+), 17 deletions(-) + +commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 +Author: Brad Spengler +Date: Sat Feb 23 10:58:52 2013 -0500 + + Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined + + arch/arm/include/asm/domain.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7b729586eb81f344fdedf0942fab0acc738a6725 +Author: Brad Spengler +Date: Fri Feb 22 19:02:51 2013 -0500 + + Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. + + kernel/fork.c | 17 +++++++++++++++++ + 1 files changed, 17 insertions(+), 0 deletions(-) + +commit fadc560d0c486af88da83177735f5515e88acdcc +Author: Brad Spengler +Date: Thu Feb 21 23:06:48 2013 -0500 + + put is_hugetlbfs_mnt inside ifdefs + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 8252176922d405484f986eb2cc350b7cd3ae586e +Author: Brad Spengler +Date: Thu Feb 21 23:02:07 2013 -0500 + + remove unused label + + kernel/module.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit dad4a980f0b625059e215d13da728aa7fd02a374 +Author: Brad Spengler +Date: Thu Feb 21 23:00:52 2013 -0500 + + compile fix + + fs/open.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 +Author: Brad Spengler +Date: Thu Feb 21 22:57:49 2013 -0500 + + remove kmalloc_array_error for the same reasons as kcalloc_error + + include/linux/slab.h | 9 --------- + 1 files changed, 0 insertions(+), 9 deletions(-) + +commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a +Author: Brad Spengler +Date: Thu Feb 21 22:49:35 2013 -0500 + + Initial port of grsecurity for Linux 3.8 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 10 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 14 +- + arch/arm/include/asm/cache.h | 2 + + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 27 +- + arch/arm/mm/mmap.c | 6 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 7 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 3 +- + arch/ia64/mm/hugetlbpage.c | 3 +- + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 3 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 19 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 8 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/slice.c | 8 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 6 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/Kconfig.debug | 2 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 14 +- + arch/x86/kernel/sys_x86_64.c | 3 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 3 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + crypto/ablkcipher.c | 12 +- + crypto/aead.c | 9 +- + crypto/ahash.c | 2 +- + crypto/blkcipher.c | 6 +- + crypto/crypto_user.c | 38 +- + crypto/pcompress.c | 3 +- + crypto/rng.c | 2 +- + crypto/shash.c | 3 +- + drivers/block/cciss.c | 2 + + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 5 + + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 6 + + fs/btrfs/inode.c | 10 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 18 + + fs/coredump.c | 10 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 155 +- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 5 + + fs/fs_struct.c | 26 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 269 ++- + fs/namespace.c | 24 + + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 +- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 3 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 1021 +++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4017 ++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 +++ + grsecurity/gracl_ip.c | 384 ++ + grsecurity/gracl_learn.c | 207 + + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 299 ++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 357 ++ + grsecurity/grsec_disabled.c | 434 +++ + grsecurity/grsec_exec.c | 174 + + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 ++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 329 ++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 222 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 +++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 319 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 215 ++ + include/linux/grmsg.h | 111 + + include/linux/grsecurity.h | 257 ++ + include/linux/grsock.h | 19 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 12 + + include/linux/sched.h | 66 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/vermagic.h | 9 +- + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 5 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 109 +- + kernel/exit.c | 10 +- + kernel/fork.c | 24 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 71 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 80 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 8 + + kernel/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 38 +- + kernel/sysctl.c | 39 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + lib/vsprintf.c | 35 +- + localversion-grsec | 1 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 62 +- + mm/mprotect.c | 8 + + mm/page_alloc.c | 6 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev.c | 9 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 7 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 2 +- + net/phonet/af_phonet.c | 4 +- + net/sctp/proc.c | 3 +- + net/socket.c | 62 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 19 + + security/Kconfig | 320 ++- + security/apparmor/lsm.c | 2 +- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/yama/Kconfig | 2 +- + tools/gcc/Makefile | 2 +- + 286 files changed, 15083 insertions(+), 2067 deletions(-) + +commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 +Author: Brad Spengler +Date: Wed Feb 20 21:00:42 2013 -0500 + + Initial import of pax-linux-3.8-test3.patch + + Documentation/dontdiff | 43 +- + Documentation/kernel-parameters.txt | 7 + + Makefile | 97 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 10 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 421 +++- + arch/arm/include/asm/cache.h | 3 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/delay.h | 8 +- + arch/arm/include/asm/domain.h | 32 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 4 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 10 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 20 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 14 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-ux500/include/mach/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/fault.c | 78 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 36 +- + arch/arm/mm/mmu.c | 186 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 7 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 28 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 13 +- + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/hugetlbpage.c | 2 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 6 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/uaccess.h | 142 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 23 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 8 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 +++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 6 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 4 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 31 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + + arch/x86/crypto/sha1_ssse3_asm.S | 3 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 12 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 ++- + arch/x86/include/asm/bitops.h | 2 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 65 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/io.h | 13 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/page_64_types.h | 2 +- + arch/x86/include/asm/paravirt.h | 44 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 110 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 6 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel.c | 2 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 29 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 63 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 ++- + arch/x86/kernel/entry_64.S | 512 +++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head32.c | 4 +- + arch/x86/kernel/head_32.S | 237 ++- + arch/x86/kernel/head_64.S | 158 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 10 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes-opt.c | 12 +- + arch/x86/kernel/kprobes.c | 30 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 11 + + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/process.c | 57 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 4 +- + arch/x86/kernel/setup.c | 14 +- + arch/x86/kernel/setup_percpu.c | 27 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 247 ++ + arch/x86/kernel/sys_x86_64.c | 19 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 47 +- + arch/x86/kvm/x86.c | 10 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 68 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 376 ++- + arch/x86/lib/usercopy_64.c | 25 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 555 +++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 92 +- + arch/x86/mm/init_32.c | 122 +- + arch/x86/mm/init_64.c | 48 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 12 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 19 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 4 +- + arch/x86/realmode/init.c | 8 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/relocs.c | 95 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_driver.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/devtmpfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 18 +- + drivers/block/loop.c | 2 +- + drivers/cdrom/cdrom.c | 9 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/frontend.c | 2 +- + drivers/char/hpet.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 41 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 8 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm.c | 2 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clocksource/arm_generic.c | 2 +- + drivers/cpufreq/cpufreq.c | 2 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_pci_sysfs.c | 20 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-cdev.c | 3 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efivars.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 4 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 4 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 6 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 9 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/devices/doc2000.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 2 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/scsi/bfa/bfa.h | 2 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/ramster/tmem.c | 54 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/udlfb.c | 32 +- + drivers/video/uvesafb.c | 39 +- + drivers/video/vesafb.c | 51 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 11 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 604 ++++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/relocation.c | 2 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 8 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/ecryptfs/read_write.c | 4 +- + fs/exec.c | 356 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/fhandle.c | 3 +- + fs/fifo.c | 22 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 2 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/vfs.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 33 +- + fs/proc/array.c | 20 + + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/quota/netlink.c | 4 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 36 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/udf/misc.c | 2 +- + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 ++ + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 5 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/linux/atmdev.h | 2 +- + include/linux/binfmts.h | 1 + + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 72 +- + include/linux/cpu.h | 2 +- + include/linux/crypto.h | 6 +- + include/linux/decompress/mm.h | 2 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fsnotify.h | 2 +- + include/linux/ftrace_event.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 3 + + include/linux/mm.h | 91 +- + include/linux/mm_types.h | 22 +- + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 4 +- + include/linux/module.h | 55 +- + include/linux/moduleloader.h | 18 +- + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 6 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/random.h | 5 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 64 +- + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 36 +- + include/linux/slab_def.h | 33 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 10 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/clnt.h | 8 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sysrq.h | 2 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 12 +- + include/linux/usb.h | 2 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-ioctl.h | 1 - + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/gro_cells.h | 6 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 4 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 6 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/ipv4.h | 2 +- + include/net/protocol.h | 4 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/structs.h | 4 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 4 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 24 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 22 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 78 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 2 +- + kernel/kprobes.c | 8 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 333 ++- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 7 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 20 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 6 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 72 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 18 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 2 +- + kernel/sched/fair.c | 4 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/softirq.c | 16 +- + kernel/srcu.c | 6 +- + kernel/stop_machine.c | 2 +- + kernel/sys.c | 12 +- + kernel/sysctl.c | 37 +- + kernel/sysctl_binary.c | 14 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 20 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 6 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/list_debug.c | 89 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 54 + + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 18 +- + mm/memory.c | 404 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 16 +- + mm/mmap.c | 573 +++- + mm/mprotect.c | 138 +- + mm/mremap.c | 44 +- + mm/nommu.c | 11 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 14 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 104 +- + mm/slab.h | 5 +- + mm/slab_common.c | 9 +- + mm/slob.c | 200 +- + mm/slub.c | 98 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 82 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/rtnetlink.c | 2 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 2 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 2 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv6/addrconf.c | 2 +- + net/ipv6/ip6_gre.c | 2 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/raw.c | 19 +- + net/ipv6/udp.c | 8 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 4 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 14 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 10 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 2 +- + net/sctp/protocol.c | 8 +- + net/sctp/socket.c | 2 + + net/socket.c | 34 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 16 +- + net/xfrm/xfrm_state.c | 4 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/pnmtologo.c | 6 +- + security/Kconfig | 654 ++++- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 43 + + tools/gcc/checker_plugin.c | 171 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 359 +++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 +++ + tools/gcc/latent_entropy_plugin.c | 321 ++ + tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/perf/util/include/asm/alternative-asm.h | 3 + + virt/kvm/kvm_main.c | 32 +- + 1311 files changed, 26668 insertions(+), 6394 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c +Merge: c3ccfb2 777e08c +Author: Brad Spengler +Date: Sun Sep 8 19:49:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 +Author: Brad Spengler +Date: Sun Sep 8 19:47:32 2013 -0400 + + Update to pax-linux-3.10.11-test26.patch: + - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger + - fixed an uninitialized read in splice, reported by hunger + + fs/splice.c | 1 + + include/linux/syscalls.h | 14 +- + tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- + 3 files changed, 247 insertions(+), 194 deletions(-) + +commit 5c3161364270c842d901789faac731f79a9f9cd6 +Merge: cf9c476 85cdabb +Author: Brad Spengler +Date: Sun Sep 8 19:24:25 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit c3ccfb29794a03413095422100ce90d40ef7df0f +Author: Jakob Bornecrantz +Date: Thu Aug 29 02:32:53 2013 +0200 + + Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f + + drm/vmwgfx: Split GMR2_REMAP commands if they are to large + + This fixes the piglit test texturing/max-texture-size + causing the VM to die due to a too large SVGA command. + + Signed-off-by: Jakob Bornecrantz + Reviewed-by: Biran Paul + Reviewed-by: Zack Rusin + Cc: stable@vger.kernel.org + Signed-off-by: Dave Airlie + + drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- + 1 files changed, 39 insertions(+), 19 deletions(-) + +commit d260badf708d6aa16c44f56f54727532dcae826e +Author: Daniel Borkmann +Date: Tue Sep 3 19:29:12 2013 +0200 + + Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df + + net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv + + In tcp_v6_do_rcv() code, when processing pkt options, we soley work + on our skb clone opt_skb that we've created earlier before entering + tcp_rcv_established() on our way. However, only in condition ... + + if (np->rxopt.bits.rxtclass) + np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); + + ... we work on skb itself. As we extract every other information out + of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can + already be released by tcp_rcv_established() earlier on. When we try + to access it in ipv6_hdr(), we will dereference freed skb. + + [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for + IP_PKTOPTIONS") ] + + Signed-off-by: Daniel Borkmann + Cc: Eric Dumazet + Acked-by: Eric Dumazet + Acked-by: Jiri Benc + Signed-off-by: David S. Miller + + net/ipv6/tcp_ipv6.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 +Author: Dan Carpenter +Date: Thu Aug 29 11:47:00 2013 +0300 + + Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 + + mISDN: return -EINVAL on error in dsp_control_req() + + If skb->len is too short then we should return an error. Otherwise we + read beyond the end of skb->data for several bytes. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/mISDN/dsp_core.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af +Author: Brad Spengler +Date: Thu Sep 5 19:36:23 2013 -0400 + + fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit da68dbcd96c617923a0aedb177d36b2701f9c858 +Author: Brad Spengler +Date: Thu Sep 5 19:17:02 2013 -0400 + + Allow the deny_new_usb sysctl to be toggled off by a user with + CAP_SYS_ADMIN. This allows for more inventive uses of the feature + that would be impossible otherwise (like toggling it while the screen is + locked, etc) + + grsecurity/grsec_sysctl.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit ce0e893adc830ee110f97071cc17e661fb35ae3d +Author: Brad Spengler +Date: Thu Sep 5 18:41:49 2013 -0400 + + Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what + GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for + users who know they want the functionality but don't want to bother + with modifying init scripts + + Also eliminate reset_security_ops() as a ROP target when + SECURITY_SELINUX_DISABLE is disabled as it's the only user + + grsecurity/Kconfig | 17 ++++++++++++++++- + grsecurity/grsec_init.c | 3 +++ + grsecurity/grsec_sysctl.c | 2 +- + security/security.c | 4 ++++ + 4 files changed, 24 insertions(+), 2 deletions(-) + +commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd +Merge: 7ee3899 cf9c476 +Author: Brad Spengler +Date: Sun Sep 1 13:56:57 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cf9c47690fa0f3da590de766ea8c6a543984ee3c +Author: Brad Spengler +Date: Sun Sep 1 13:56:16 2013 -0400 + + Update to pax-linux-3.10.10-test25.patch: + - fixed a few more REFCOUNT false positives, by Mathias Krause + - got inet_getid and ipv6_select_ident rid of the cmpxchg loop + + block/blk-cgroup.c | 4 ++-- + drivers/video/hyperv_fb.c | 4 ++-- + fs/namespace.c | 4 ++-- + include/net/inetpeer.h | 13 +++++-------- + kernel/trace/trace_clock.c | 4 ++-- + net/ipv6/output_core.c | 15 ++++++--------- + net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- + 7 files changed, 21 insertions(+), 27 deletions(-) + +commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa +Merge: fd0338c 2bdeae7 +Author: Brad Spengler +Date: Sat Aug 31 22:07:38 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 +Author: Brad Spengler +Date: Sat Aug 31 22:06:55 2013 -0400 + + Update to pax-linux-3.10.10-test24.patch: + - fixed a REFCOUNT false positive, by Mathias Krause + - fixed a bunch more after a quick audit of atomic_inc_return users + + drivers/acpi/apei/ghes.c | 4 ++-- + drivers/ata/libata-core.c | 4 ++-- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/block/drbd/drbd_nl.c | 4 ++-- + drivers/crypto/hifn_795x.c | 4 ++-- + drivers/edac/edac_device.c | 4 ++-- + drivers/edac/edac_pci.c | 4 ++-- + drivers/firewire/core-card.c | 4 ++-- + drivers/hv/hv_balloon.c | 18 +++++++++--------- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/input/misc/ims-pcu.c | 4 ++-- + drivers/input/serio/serio_raw.c | 4 ++-- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/rc/rc-main.c | 4 ++-- + drivers/media/v4l2-core/v4l2-device.c | 4 ++-- + drivers/net/usb/sierra_net.c | 4 ++-- + drivers/pci/hotplug/pciehp_hpc.c | 4 +--- + drivers/regulator/core.c | 4 ++-- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ + drivers/staging/android/timed_output.c | 6 +++--- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/target/sbp/sbp_target.c | 4 ++-- + drivers/tty/hvc/hvsi.c | 12 ++++++------ + drivers/tty/hvc/hvsi_lib.c | 6 +++--- + drivers/tty/serial/ioc4_serial.c | 6 +++--- + drivers/tty/serial/msm_serial.c | 4 ++-- + drivers/usb/misc/appledisplay.c | 4 ++-- + fs/afs/inode.c | 4 ++-- + fs/btrfs/delayed-inode.c | 6 +++--- + fs/btrfs/delayed-inode.h | 4 ++-- + fs/fscache/cookie.c | 4 ++-- + include/media/v4l2-device.h | 2 +- + net/ceph/messenger.c | 4 ++-- + net/core/netpoll.c | 4 ++-- + net/xfrm/xfrm_state.c | 4 ++-- + security/selinux/avc.c | 6 +++--- + 43 files changed, 93 insertions(+), 95 deletions(-) + +commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 +Merge: 1bdf7ec 85099d2 +Author: Brad Spengler +Date: Sat Aug 31 21:07:29 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed +Author: Brad Spengler +Date: Sat Aug 31 21:06:55 2013 -0400 + + Update to pax-linux-3.10.10-test23.patch: + - added the necessary atomic_unchecked_t conversion for mips + - audited and fixed arm and sparc for proper atomic_unchecked_t usage + + arch/arm/kvm/arm.c | 8 ++++---- + arch/arm/mm/context.c | 10 +++++----- + arch/mips/kernel/irq.c | 6 +++--- + arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ + arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- + arch/sparc/kernel/smp_64.c | 12 ++++++------ + arch/sparc/kernel/traps_64.c | 14 +++++++------- + arch/sparc/mm/init_64.c | 10 +++++----- + 8 files changed, 45 insertions(+), 45 deletions(-) + +commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 +Merge: 995a168 38ee86c +Author: Brad Spengler +Date: Fri Aug 30 19:23:36 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 38ee86c05df0f8db582df8776b9f23f317d42bbb +Author: Brad Spengler +Date: Fri Aug 30 19:23:11 2013 -0400 + + Update to pax-linux-3.10.10-test22.patch: + - fixed !REFCOUNT/mips compilation, by Corey Minyard + - fixed a few more format strings + + arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- + drivers/md/bcache/super.c | 2 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- + drivers/pci/hotplug/pciehp_hpc.c | 2 +- + drivers/platform/x86/wmi.c | 2 +- + drivers/scsi/sd.c | 2 +- + drivers/vfio/vfio.c | 4 ++-- + fs/ntfs/super.c | 6 +++--- + include/linux/workqueue.h | 6 +++--- + net/mac80211/main.c | 2 +- + sound/pci/hda/hda_codec.c | 8 ++------ + 11 files changed, 32 insertions(+), 25 deletions(-) + +commit 995a16841e2097c3a9dfc652e856469679c4a0ba +Author: Brad Spengler +Date: Fri Aug 30 17:11:11 2013 -0400 + + fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast + + grsecurity/grsec_sysctl.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 +Merge: be2497c 1052971 +Author: Brad Spengler +Date: Thu Aug 29 20:44:29 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + include/linux/sched.h + +commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 +Merge: e902dad 8bf3379 +Author: Brad Spengler +Date: Thu Aug 29 20:39:50 2013 -0400 + + Update to pax-linux-3.10.10-test21.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/sys_x86_64.c + arch/x86/mm/mmap.c + include/linux/sched.h + +commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 +Merge: 081c22b e902dad +Author: Brad Spengler +Date: Wed Aug 28 20:52:44 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 +Author: Brad Spengler +Date: Wed Aug 28 20:51:21 2013 -0400 + + Update to pax-linux-3.10.9-test21.patch: + - removed unnecessary type cast in do_PrefetchAbort, noticed by spender + - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov + - fixed a REFCOUNT false positive in UHID + - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) + Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout + (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): + - icmpv6_filter: no memory corruption, probably just some logical error in the caller + - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) + - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) + - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now + - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless + - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network + + arch/arm/mm/fault.c | 2 +- + arch/mips/kernel/traps.c | 2 -- + drivers/hid/uhid.c | 6 +++--- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/i4l/isdn_common.c | 2 ++ + drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- + drivers/usb/dwc3/gadget.c | 2 -- + net/ieee802154/6lowpan.c | 2 +- + net/ipv6/raw.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- + 10 files changed, 14 insertions(+), 16 deletions(-) + +commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 +Author: Brad Spengler +Date: Wed Aug 28 20:42:39 2013 -0400 + + add export of gr_handle_new_usb() + + grsecurity/grsec_usb.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 +Author: Brad Spengler +Date: Wed Aug 28 19:24:47 2013 -0400 + + Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit + Kees' recent findings are motivation enough to publish it + + drivers/usb/core/hub.c | 5 +++++ + grsecurity/Kconfig | 20 ++++++++++++++++++++ + grsecurity/Makefile | 3 ++- + grsecurity/grsec_init.c | 1 + + grsecurity/grsec_sysctl.c | 11 +++++++++++ + grsecurity/grsec_usb.c | 13 +++++++++++++ + include/linux/grinternal.h | 1 + + include/linux/grsecurity.h | 2 ++ + 8 files changed, 55 insertions(+), 1 deletions(-) + +commit 8044382257ec75a03f3d784ce048ef14e94b90ca +Author: Kees Cook +Date: Wed Aug 14 09:35:07 2013 -0700 + + HID: zeroplus: validate output report details + + The zeroplus HID driver was not checking the size of allocated values + in fields it used. A HID device could send a malicious output report + that would cause the driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 + ... + [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2889 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-zpff.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f +Author: Kees Cook +Date: Wed Aug 14 14:36:15 2013 -0700 + + HID: provide a helper for validating hid reports + + Many drivers need to validate the characteristics of their HID report + during initialization to avoid misusing the reports. This adds a common + helper to perform validation of the report, its field count, and the + value count within the fields. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 +++ + 2 files changed, 54 insertions(+), 0 deletions(-) + +commit 270ba9096ddecdc3cf6c4d76e6892184820116be +Author: Kees Cook +Date: Wed Aug 14 09:14:34 2013 -0700 + + HID: steelseries: validate output report details + + A HID device could send a malicious output report that would cause the + steelseries HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 + ... + [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + + CVE-2013-2891 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-steelseries.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 +Author: Kees Cook +Date: Wed Aug 14 08:49:21 2013 -0700 + + HID: pantherlord: validate output report details + + A HID device could send a malicious output report that would cause the + pantherlord HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 + ... + [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2892 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 60115e8108e508060815bce5ef9504233c81898c +Author: Kees Cook +Date: Tue Aug 13 16:49:01 2013 -0700 + + HID: LG: validate HID output report details + + A HID device could send a malicious output report that would cause the + lg, lg3, and lg4 HID drivers to write beyond the output report allocation + during an event, causing a heap overflow: + + [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 + ... + [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten + + Additionally, while lg2 did correctly validate the report details, it was + cleaned up and shortened. + + CVE-2013-2893 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- + 4 files changed, 12 insertions(+), 73 deletions(-) + +commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f +Author: Kees Cook +Date: Thu Aug 15 23:21:23 2013 -0700 + + HID: lenovo-tpkbd: validate output report details + + A HID device could send a malicious output report that would cause the + lenovo-tpkbd HID driver to write just beyond the output report allocation + during initialization, causing a heap overflow: + + [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 + ... + [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2894 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 38627769bb2b9a550e251b2caf1babda7566fb4a +Author: Kees Cook +Date: Thu Aug 15 23:45:03 2013 -0700 + + HID: logitech-dj: validate output report details + + A HID device could send a malicious output report that would cause the + logitech-dj HID driver to leak kernel memory contents to the device, or + trigger a NULL dereference during initialization: + + [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b + ... + [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 + [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 + + CVE-2013-2895 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 +Author: Kees Cook +Date: Fri Aug 16 00:18:15 2013 -0700 + + HID: ntrig: validate feature report details + + A HID device could send a malicious feature report that would cause the + ntrig HID driver to trigger a NULL dereference during initialization: + + [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 + ... + [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 + [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + + CVE-2013-2896 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-ntrig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 +Author: Kees Cook +Date: Fri Aug 16 00:11:32 2013 -0700 + + HID: multitouch: validate feature report details + + When working on report indexes, always validate that they are in bounds. + Without this, a HID device could report a malicious feature report that + could trick the driver into a heap overflow: + + [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 + ... + [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2897 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 files changed, 20 insertions(+), 5 deletions(-) + +commit 813f51e0881e4ea6d221da828b1cced02ad9694d +Author: Kees Cook +Date: Fri Aug 16 08:12:45 2013 -0700 + + HID: sensor-hub: validate feature report details + + A HID device could send a malicious feature report that would cause the + sensor-hub HID driver to read past the end of heap allocation, leaking + kernel memory contents to the caller. + + CVE-2013-2898 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c +Author: Kees Cook +Date: Fri Aug 16 08:05:10 2013 -0700 + + HID: picolcd_core: validate output report details + + A HID device could send a malicious output report that would cause the + picolcd HID driver to trigger a NULL dereference during attr file writing. + + CVE-2013-2899 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-picolcd_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 95e3cfb5a995dabe45b98cafb77e59d074de151f +Author: Kees Cook +Date: Fri Aug 16 08:09:54 2013 -0700 + + HID: check for NULL field when setting values + + Defensively check that the field to be worked on is not NULL. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-core.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 96a55ce1b2f3af376c400a02059174e79ce4399c +Author: Brad Spengler +Date: Wed Aug 28 18:09:18 2013 -0400 + + http://marc.info/?l=linux-input&m=137772180514608&q=raw + + From: Kees Cook + + The "Report ID" field of a HID report is used to build indexes of + reports. The kernel's index of these is limited to 256 entries, so any + malicious device that sets a Report ID greater than 255 will trigger + memory corruption on the host: + + [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 + [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + + CVE-2013-2888 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + --- + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +commit eb1106eef5f17bfda833ca3cf89e315919173257 +Author: Dan Carpenter +Date: Fri Aug 9 12:52:31 2013 +0300 + + Upstream commit: 909bd5926d474e275599094acad986af79671ac9 + + Hostap: copying wrong data prism2_ioctl_giwaplist() + + We want the data stored in "addr" and "qual", but the extra ampersands + mean we are copying stack data instead. + + Signed-off-by: Dan Carpenter + Cc: stable@vger.kernel.org + Signed-off-by: John W. Linville + + drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 +Author: Brad Spengler +Date: Wed Aug 28 17:01:21 2013 -0400 + + fix typo in ipv6 backport + + net/ipv6/addrconf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 +Author: Andy Lutomirski +Date: Thu Aug 22 11:39:15 2013 -0700 + + Upstream commit: d661684cf6820331feae71146c35da83d794467e + + net: Check the correct namespace when spoofing pid over SCM_RIGHTS + + This is a security bug. + + The follow-up will fix nsproxy to discourage this type of issue from + happening again. + + Cc: stable@vger.kernel.org + Signed-off-by: Andy Lutomirski + Reviewed-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/core/scm.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 +Author: Hannes Frederic Sowa +Date: Fri Aug 16 13:02:27 2013 +0200 + + Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 + + ipv6: remove max_addresses check from ipv6_create_tempaddr + + Because of the max_addresses check attackers were able to disable privacy + extensions on an interface by creating enough autoconfigured addresses: + + + + But the check is not actually needed: max_addresses protects the + kernel to install too many ipv6 addresses on an interface and guards + addrconf_prefix_rcv to install further addresses as soon as this limit + is reached. We only generate temporary addresses in direct response of + a new address showing up. As soon as we filled up the maximum number of + addresses of an interface, we stop installing more addresses and thus + also stop generating more temp addresses. + + Even if the attacker tries to generate a lot of temporary addresses + by announcing a prefix and removing it again (lifetime == 0) we won't + install more temp addresses, because the temporary addresses do count + to the maximum number of addresses, thus we would stop installing new + autoconfigured addresses when the limit is reached. + + This patch fixes CVE-2013-0343 (but other layer-2 attacks are still + possible). + + Thanks to Ding Tianhong to bring this topic up again. + + Cc: Ding Tianhong + Cc: George Kargiotakis + Cc: P J P + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Acked-by: Ding Tianhong + Signed-off-by: David S. Miller + + Conflicts: + + net/ipv6/addrconf.c + + net/ipv6/addrconf.c | 10 ++++------ + 1 files changed, 4 insertions(+), 6 deletions(-) + +commit 8333e0981469a226a47d0142ff31090a48db95a4 +Author: David Vrabel +Date: Thu Aug 15 13:21:06 2013 +0100 + + Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 + + xen/events: initialize local per-cpu mask for all possible events + + The sizeof() argument in init_evtchn_cpu_bindings() is incorrect + resulting in only the first 64 (or 32 in 32-bit guests) ports having + their bindings being initialized to VCPU 0. + + In most cases this does not cause a problem as request_irq() will set + the irq affinity which will set the correct local per-cpu mask. + However, if the request_irq() is called on a VCPU other than 0, there + is a window between the unmasking of the event and the affinity being + set were an event may be lost because it is not locally unmasked on + any VCPU. If request_irq() is called on VCPU 0 then local irqs are + disabled during the window and the race does not occur. + + Fix this by initializing all NR_EVENT_CHANNEL bits in the local + per-cpu masks. + + Signed-off-by: David Vrabel + Signed-off-by: Konrad Rzeszutek Wilk + CC: stable@vger.kernel.org + + drivers/xen/events.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2a9a83768433937a2b7a97001ba1627156c0efed +Author: Roland Dreier +Date: Mon Aug 5 17:55:01 2013 -0700 + + Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 + + [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal + + There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances + leads to one process writing data into the address space of some other + random unrelated process if the ioctl is interrupted by a signal. + What happens is the following: + + - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the + underlying SCSI command will transfer data from the SCSI device to + the buffer provided in the ioctl) + + - Before the command finishes, a signal is sent to the process waiting + in the ioctl. This will end up waking up the sg_ioctl() code: + + result = wait_event_interruptible(sfp->read_wait, + (srp_done(sfp, srp) || sdp->detached)); + + but neither srp_done() nor sdp->detached is true, so we end up just + setting srp->orphan and returning to userspace: + + srp->orphan = 1; + write_unlock_irq(&sfp->rq_list_lock); + return result; /* -ERESTARTSYS because signal hit process */ + + At this point the original process is done with the ioctl and + blithely goes ahead handling the signal, reissuing the ioctl, etc. + + - Eventually, the SCSI command issued by the first ioctl finishes and + ends up in sg_rq_end_io(). At the end of that function, we run through: + + write_lock_irqsave(&sfp->rq_list_lock, iflags); + if (unlikely(srp->orphan)) { + if (sfp->keep_orphan) + srp->sg_io_owned = 0; + else + done = 0; + } + srp->done = done; + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + if (likely(done)) { + /* Now wake up any sg_read() that is waiting for this + * packet. + */ + wake_up_interruptible(&sfp->read_wait); + kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); + kref_put(&sfp->f_ref, sg_remove_sfp); + } else { + INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); + schedule_work(&srp->ew.work); + } + + Since srp->orphan *is* set, we set done to 0 (assuming the + userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN + ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() + to run in a workqueue. + + - In workqueue context we go through sg_rq_end_io_usercontext() -> + sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> + bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). + + The key point here is that we are doing copy_to_user() on a + workqueue -- that is, we're on a kernel thread with current->mm + equal to whatever random previous user process was scheduled before + this kernel thread. So we end up copying whatever data the SCSI + command returned to the virtual address of the buffer passed into + the original ioctl, but it's quite likely we do this copying into a + different address space! + + As suggested by James Bottomley , + add a check for current->mm (which is NULL if we're on a kernel thread + without a real userspace address space) in bio_uncopy_user(), and skip + the copy if we're on a kernel thread. + + There's no reason that I can think of for any caller of bio_uncopy_user() + to want to do copying on a kernel thread with a random active userspace + address space. + + Huge thanks to Costa Sapuntzakis for the + original pointer to this bug in the sg code. + + Signed-off-by: Roland Dreier + Tested-by: David Milburn + Cc: Jens Axboe + Cc: + Signed-off-by: James Bottomley + + fs/bio.c | 20 +++++++++++++++----- + 1 files changed, 15 insertions(+), 5 deletions(-) + +commit e6fe57dee152671afd618d6bc8cbf23155be6c34 +Merge: cdc8f7d f2095a4 +Author: Brad Spengler +Date: Tue Aug 27 18:13:35 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + security/Kconfig + +commit f2095a4787f7d332e5919f0bd00f8de6021ad612 +Author: Brad Spengler +Date: Tue Aug 27 18:08:23 2013 -0400 + + Update to pax-linux-3.10.9-test20.patch: + - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy + - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard + - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard + - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do + - added REFCOUNT support for mips, by Corey Minyard + - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) + - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) + + arch/arm/mm/fault.c | 11 +- + arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- + arch/mips/kernel/traps.c | 14 +- + arch/x86/include/asm/tlbflush.h | 4 + + arch/x86/include/asm/uaccess_64.h | 2 +- + fs/ntfs/file.c | 2 +- + kernel/events/internal.h | 4 +- + kernel/events/uprobes.c | 2 +- + kernel/futex.c | 2 +- + mm/filemap.c | 8 +- + security/Kconfig | 2 +- + tools/gcc/kernexec_plugin.c | 18 +- + tools/gcc/latent_entropy_plugin.c | 26 +- + tools/gcc/size_overflow_plugin.c | 3 +- + 14 files changed, 750 insertions(+), 70 deletions(-) + +commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 +Merge: 5a9ae57 745975e +Author: Brad Spengler +Date: Mon Aug 26 20:27:33 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 745975e3b3b74b64e00e85778f9a22714d1274f2 +Author: Brad Spengler +Date: Mon Aug 26 20:26:33 2013 -0400 + + Fix compilation when UDEREF is enabled and KERNEXEC is disabled, + as reported by fabled on the forums: + http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 + + arch/arm/include/asm/pgtable.h | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 +Merge: 486ec00 f68df21 +Author: Brad Spengler +Date: Tue Aug 20 20:15:20 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 +Author: Brad Spengler +Date: Tue Aug 20 20:14:50 2013 -0400 + + Update to pax-linux-3.10.9-test18.patch: + - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) + - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) + - forward port to 3.10.9 + + arch/x86/kernel/entry_64.S | 18 +++++++++--------- + arch/x86/kernel/i386_ksyms_32.c | 4 ++++ + arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ + 3 files changed, 17 insertions(+), 9 deletions(-) + +commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f +Merge: f47a293 d8fed0e +Author: Brad Spengler +Date: Tue Aug 20 20:12:47 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 +Merge: f6ace8e 0a4b6d4 +Author: Brad Spengler +Date: Tue Aug 20 20:12:33 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit f47a293a1440da2a3e2c239d43d636e37ca74f10 +Merge: f1e8ec7 f6ace8e +Author: Brad Spengler +Date: Tue Aug 20 18:20:05 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/kernel/perf_event.c + include/linux/sched.h + +commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 +Merge: b4fa847 6f54059 +Author: Brad Spengler +Date: Tue Aug 20 18:18:02 2013 -0400 + + Update to pax-linux-3.10.8-test18.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/sys_x86_64.c + arch/x86/mm/mmap.c + include/linux/sched.h + +commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca +Merge: 6f88011 b4fa847 +Author: Brad Spengler +Date: Tue Aug 20 18:05:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 +Author: Brad Spengler +Date: Tue Aug 20 18:04:14 2013 -0400 + + Update to pax-linux-3.10.7-test18.patch: + - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) + - fixed a UDEREF resume regression due to the constification of clone_pgd_mask + - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause + + arch/arm/kernel/process.c | 2 +- + arch/x86/include/asm/processor.h | 25 ++----------------------- + arch/x86/kernel/cpu/common.c | 4 ++++ + arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ + drivers/staging/zcache/tmem.c | 4 ++-- + drivers/staging/zcache/tmem.h | 6 ++---- + 6 files changed, 47 insertions(+), 30 deletions(-) + +commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f +Author: Brad Spengler +Date: Mon Aug 19 22:10:04 2013 -0400 + + fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) + as reported by pipacs + + arch/x86/kernel/smpboot.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 +Merge: 6eba999 5de93c8 +Author: Brad Spengler +Date: Sun Aug 18 22:03:19 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db +Author: Brad Spengler +Date: Sun Aug 18 22:02:47 2013 -0400 + + Update to pax-linux-3.10.7-test15.patch: + - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) + - fixed some new REFCOUNT false positives, caught by inspection + + arch/x86/kernel/cpu/common.c | 5 +++-- + arch/x86/kernel/entry_64.S | 11 +++++++---- + fs/ceph/super.c | 4 ++-- + mm/backing-dev.c | 4 ++-- + 4 files changed, 14 insertions(+), 10 deletions(-) + +commit 94c119587c76723c1072237b98fff9886ccb7689 +Author: Brad Spengler +Date: Sun Aug 18 20:49:39 2013 -0400 + + fix pipacs' DEMORGAN typo + + arch/x86/include/asm/tlbflush.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 +Merge: df347f6 64a293e +Author: Brad Spengler +Date: Sun Aug 18 18:13:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 +Author: Brad Spengler +Date: Sun Aug 18 18:12:37 2013 -0400 + + Update to pax-linux-3.10.7-test14.patch: + - fixed compile error introduced by the previous PCID change + - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) + + arch/x86/include/asm/tlbflush.h | 2 +- + kernel/posix-timers.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 +Merge: d8efbc5 e11b314 +Author: Brad Spengler +Date: Sun Aug 18 08:15:00 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e11b314734c5b7317f5468be75305ad812e78c2b +Author: Brad Spengler +Date: Sun Aug 18 08:14:26 2013 -0400 + + Update to pax-linux-3.10.7-test13.patch: + - always enable the use of PCID and INVPCID when available in the CPU + - kvm guest kernels can use these features even if the host kernel lacks UDEREF + + arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- + arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- + 2 files changed, 70 insertions(+), 47 deletions(-) + +commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 +Author: Brad Spengler +Date: Sat Aug 17 12:00:20 2013 -0400 + + make kallsyms_lookup_size_offset available to approved source files + + include/linux/kallsyms.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 6c8feffa95ce2db280160015027b52bb41a344c8 +Merge: dbf6930 0bb1c2b +Author: Brad Spengler +Date: Sat Aug 17 11:57:50 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 +Author: Brad Spengler +Date: Sat Aug 17 11:56:43 2013 -0400 + + Update to pax-linux-3.10.7-test12.patch: + - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause + - fixed some arm compile problems + + arch/x86/include/asm/tlbflush.h | 2 +- + drivers/clocksource/bcm_kona_timer.c | 2 +- + kernel/signal.c | 4 ++++ + 3 files changed, 6 insertions(+), 2 deletions(-) + +commit dbf69305ad4f8a037aae95af90f9201f556dcb48 +Author: Brad Spengler +Date: Sat Aug 17 11:18:09 2013 -0400 + + allow use of kallsyms_lookup_name to approved source files + + include/linux/kallsyms.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 +Merge: 68bd16f f562e3e +Author: Brad Spengler +Date: Sat Aug 17 10:35:02 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f562e3ef7737ea8d80431a722479b36a12504ace +Author: Brad Spengler +Date: Sat Aug 17 10:34:51 2013 -0400 + + add uderef_64.c + + arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 files changed, 37 insertions(+), 0 deletions(-) + +commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 +Author: Asbjoern Sloth Toennesen +Date: Mon Aug 12 16:30:09 2013 +0000 + + Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 + + rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header + + Fix the iproute2 command `bridge vlan show`, after switching from + rtgenmsg to ifinfomsg. + + Let's start with a little history: + + Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in + the 3.9 merge window. + In the kernel commit 6cbdceeb, he added attribute support to + bridge GETLINK requests sent with rtgenmsg. + + Mar 6th: Vlad got this iproute2 reference implementation of the bridge + vlan netlink interface accepted (iproute2 9eff0e5c) + + Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) + http://patchwork.ozlabs.org/patch/239602/ + http://marc.info/?t=136680900700007 + + Apr 28th: Linus released 3.9 + + Apr 30th: Stephen released iproute2 3.9.0 + + The `bridge vlan show` command haven't been working since the switch to + ifinfomsg, or in a released version of iproute2. Since the kernel side + only supports rtgenmsg, which iproute2 switched away from just prior to + the iproute2 3.9.0 release. + + I haven't been able to find any documentation, about neither rtgenmsg + nor ifinfomsg, and in which situation to use which, but kernel commit + 88c5b5ce seams to suggest that ifinfomsg should be used. + + Fixing this in kernel will break compatibility, but I doubt that anybody + have been using it due to this bug in the user space reference + implementation, at least not without noticing this bug. That said the + functionality is still fully functional in 3.9, when reversing iproute2 + commit 63338dca. + + This could also be fixed in iproute2, but thats an ugly patch that would + reintroduce rtgenmsg in iproute2, and from searching in netdev it seams + like rtgenmsg usage is discouraged. I'm assuming that the only reason + that Vlad implemented the kernel side to use rtgenmsg, was because + iproute2 was using it at the time. + + Signed-off-by: Asbjoern Sloth Toennesen + Reviewed-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/core/rtnetlink.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8c7bc5bafddddff55ed4687203a977e96f72540a +Author: Johannes Berg +Date: Tue Aug 13 09:04:05 2013 +0200 + + Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db + + genetlink: fix family dump race + + When dumping generic netlink families, only the first dump call + is locked with genl_lock(), which protects the list of families, + and thus subsequent calls can access the data without locking, + racing against family addition/removal. This can cause a crash. + Fix it - the locking needs to be conditional because the first + time around it's already locked. + + A similar bug was reported to me on an old kernel (3.4.47) but + the exact scenario that happened there is no longer possible, + on those kernels the first round wasn't locked either. Looking + at the current code I found the race described above, which had + also existed on the old kernel. + + Cc: stable@vger.kernel.org + Reported-by: Andrei Otcheretianski + Signed-off-by: Johannes Berg + Signed-off-by: David S. Miller + + net/netlink/genetlink.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb +Author: Daniel Borkmann +Date: Fri Aug 9 16:25:21 2013 +0200 + + Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e + + net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption + + Probably this one is quite unlikely to be triggered, but it's more safe + to do the call_rcu() at the end after we have dropped the reference on + the asoc and freed sctp packet chunks. The reason why is because in + sctp_transport_destroy_rcu() the transport is being kfree()'d, and if + we're unlucky enough we could run into corrupted pointers. Probably + that's more of theoretical nature, but it's safer to have this simple fix. + + Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings + for deferred call_rcu's"). I also did the 8c98653f regression test and + it's fine that way. + + Signed-off-by: Daniel Borkmann + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/transport.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 3925eab5483946fd746575a46f97bee9d566bb77 +Author: Stephane Grosjean +Date: Fri Aug 9 11:44:06 2013 +0200 + + Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e + + can: pcan_usb: fix wrong memcpy() bytes length + + Fix possibly wrong memcpy() bytes length since some CAN records received from + PCAN-USB could define a DLC field in range [9..15]. + In that case, the real DLC value MUST be used to move forward the record pointer + but, only 8 bytes max. MUST be copied into the data field of the struct + can_frame object of the skb given to the network core. + + Cc: linux-stable + Signed-off-by: Stephane Grosjean + Signed-off-by: Marc Kleine-Budde + Signed-off-by: David S. Miller + + drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c1ac6642baae4a400d1f87115024d1bb1ef53598 +Author: Linus Lüssing +Date: Tue Aug 6 20:21:15 2013 +0200 + + Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 + + batman-adv: fix potential kernel paging errors for unicast transmissions + + There are several functions which might reallocate skb data. Currently + some places keep reusing their old ethhdr pointer regardless of whether + they became invalid after such a reallocation or not. This potentially + leads to kernel paging errors. + + This patch fixes these by refetching the ethdr pointer after the + potential reallocations. + + Signed-off-by: Linus Lüssing + Signed-off-by: Marek Lindner + Signed-off-by: Antonio Quartulli + + net/batman-adv/bridge_loop_avoidance.c | 2 ++ + net/batman-adv/gateway_client.c | 13 ++++++++++++- + net/batman-adv/gateway_client.h | 3 +-- + net/batman-adv/soft-interface.c | 9 ++++++++- + net/batman-adv/unicast.c | 13 ++++++++++--- + 5 files changed, 33 insertions(+), 7 deletions(-) + +commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb +Author: Yuchung Cheng +Date: Fri Aug 9 17:21:27 2013 -0700 + + Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 + + netfilter: nf_conntrack: fix tcp_in_window for Fast Open + + Currently the conntrack checks if the ending sequence of a packet + falls within the observed receive window. However it does so even + if it has not observe any packet from the remote yet and uses an + uninitialized receive window (td_maxwin). + + If a connection uses Fast Open to send a SYN-data packet which is + dropped afterward in the network. The subsequent SYNs retransmits + will all fail this check and be discarded, leading to a connection + timeout. This is because the SYN retransmit does not contain data + payload so + + end == initial sequence number (isn) + 1 + sender->td_end == isn + syn_data_len + receiver->td_maxwin == 0 + + The fix is to only apply this check after td_maxwin is initialized. + + Reported-by: Michael Chan + Signed-off-by: Yuchung Cheng + Acked-by: Eric Dumazet + Acked-by: Jozsef Kadlecsik + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec +Author: Dan Carpenter +Date: Thu Aug 1 12:36:57 2013 +0300 + + Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 + + netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message + + These structs have a "_pad" member. Also the "phw" structs have an 8 + byte "hw_addr[]" array but sometimes only the first 6 bytes are + initialized. + + Signed-off-by: Dan Carpenter + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_log.c | 6 +++++- + net/netfilter/nfnetlink_queue_core.c | 5 ++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f +Author: Pablo Neira Ayuso +Date: Thu Jul 25 10:46:46 2013 +0200 + + Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 + + netfilter: xt_TCPOPTSTRIP: fix possible off by one access + + Fix a possible off by one access since optlen() + touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. + + This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen + that stores the TCP header length, to save some cycles. + + Reported-by: Julian Anastasov + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +commit 4634def261cf5f635bc60afe8a6ad436b3ec151e +Author: Pablo Neira Ayuso +Date: Thu Jul 25 10:37:49 2013 +0200 + + Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd + + netfilter: xt_TCPMSS: fix handling of malformed TCP header and options + + Make sure the packet has enough room for the TCP header and + that it is not malformed. + + While at it, store tcph->doff*4 in a variable, as it is used + several times. + + This patch also fixes a possible off by one in case of malformed + TCP options. + + Reported-by: Julian Anastasov + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ + 1 files changed, 16 insertions(+), 12 deletions(-) + +commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 +Author: Dave Jones +Date: Fri Aug 9 11:16:34 2013 -0700 + + Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e + + 8139cp: Fix skb leak in rx_status_loop failure path. + + Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 + ("8139cp: Add dma_mapping_error checking") + + Signed-off-by: Dave Jones + Signed-off-by: David S. Miller + + drivers/net/ethernet/realtek/8139cp.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 227b279491a0bbcc70ca3654f34903282c378600 +Author: Timo Teräs +Date: Tue Aug 6 13:45:43 2013 +0300 + + Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b + + ip_gre: fix ipgre_header to return correct offset + + Fix ipgre_header() (header_ops->create) to return the correct + amount of bytes pushed. Most callers of dev_hard_header() seem + to care only if it was success, but af_packet.c uses it as + offset to the skb to copy from userspace only once. In practice + this fixes packet socket sendto()/sendmsg() to gre tunnels. + + Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 + ("GRE: Refactor GRE tunneling code.") + + Cc: Pravin B Shelar + Signed-off-by: Timo Teräs + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/ip_gre.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb +Author: Eric Dumazet +Date: Mon Aug 5 11:18:49 2013 -0700 + + Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 + + fib_trie: remove potential out of bound access + + AddressSanitizer [1] dynamic checker pointed a potential + out of bound access in leaf_walk_rcu() + + We could allocate one more slot in tnode_new() to leave the prefetch() + in-place but it looks not worth the pain. + + Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") + + [1] : + https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel + + Reported-by: Andrey Konovalov + Signed-off-by: Eric Dumazet + Cc: Dmitry Vyukov + Signed-off-by: David S. Miller + + net/ipv4/fib_trie.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 +Author: Daniel Borkmann +Date: Mon Aug 5 12:49:35 2013 +0200 + + Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 + + net: esp{4,6}: fix potential MTU calculation overflows + + Commit 91657eafb ("xfrm: take net hdr len into account for esp payload + size calculation") introduced a possible interger overflow in + esp{4,6}_get_mtu() handlers in case of x->props.mode equals + XFRM_MODE_TUNNEL. Thus, the following expression will overflow + + unsigned int net_adj; + ... + + net_adj = 0; + ... + return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - + net_adj) & ~(align - 1)) + (net_adj - 2); + + where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned + context. Fix it by simply removing brackets as those operations here + do not need to have special precedence. + + Signed-off-by: Daniel Borkmann + Cc: Benjamin Poirier + Cc: Steffen Klassert + Acked-by: Benjamin Poirier + Signed-off-by: David S. Miller + + net/ipv4/esp4.c | 2 +- + net/ipv6/esp6.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit f02bce292d1c2fe610be509c96593e70b3de387b +Author: Julia Lawall +Date: Mon Aug 5 16:47:38 2013 +0200 + + Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 + + net/vmw_vsock/af_vsock.c: drop unneeded semicolon + + Drop the semicolon at the end of the list_for_each_entry loop header. + + Signed-off-by: Julia Lawall + Signed-off-by: David S. Miller + + net/vmw_vsock/af_vsock.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 +Author: Tiger Yang +Date: Tue Aug 13 16:00:58 2013 -0700 + + Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 + + ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page + + Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as + the struct file pointer, it finally result in a null pointer dereference + in ocfs2_duplicate_clusters_by_page. + + This patch replace file pointer with inode pointer in + cow_duplicate_clusters to fix this issue. + + [jeff.liu@oracle.com: rebased patch against linux-next tree] + Signed-off-by: Tiger Yang + Signed-off-by: Jie Liu + Cc: Joel Becker + Cc: Mark Fasheh + Acked-by: Tao Ma + Tested-by: David Weber + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/ocfs2/aops.c | 2 +- + fs/ocfs2/file.c | 6 ++-- + fs/ocfs2/move_extents.c | 2 +- + fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- + fs/ocfs2/refcounttree.h | 6 ++-- + 5 files changed, 16 insertions(+), 53 deletions(-) + +commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 +Author: Dan Carpenter +Date: Thu Aug 15 15:52:57 2013 +0300 + + Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e + + tun: signedness bug in tun_get_user() + + The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is + not totally correct. Because "len" and "sizeof()" are size_t type, that + means they are never less than zero. + + Signed-off-by: Dan Carpenter + Acked-by: Michael S. Tsirkin + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + drivers/net/tun.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 26ad267ddda451919357965a0cf271ca24d1bcf2 +Author: Weiping Pan +Date: Tue Aug 13 21:46:56 2013 +0800 + + Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 + + tun: compare with 0 instead of total_len + + Since we set "len = total_len" in the beginning of tun_get_user(), + so we should compare the new len with 0, instead of total_len, + or the if statement always returns false. + + Signed-off-by: Weiping Pan + Signed-off-by: David S. Miller + + drivers/net/tun.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 +Author: Guenter Roeck +Date: Fri Aug 16 20:50:55 2013 -0700 + + Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 + + s390: Fix broken build + + Fix this build error: + + In file included from fs/exec.c:61:0: + arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' + arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] + arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': + arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' + + Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range + invalidation corner cases"). + + Cc: Greg Kroah-Hartman + Cc: stable@vger.kernel.org + Signed-off-by: Guenter Roeck + [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] + Signed-off-by: Linus Torvalds + + arch/s390/include/asm/tlb.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4e57312c2de2a25ddb181d129dafbc0251062c33 +Author: Linus Torvalds +Date: Thu Aug 15 11:42:25 2013 -0700 + + Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce + + Fix TLB gather virtual address range invalidation corner cases + + Ben Tebulin reported: + + "Since v3.7.2 on two independent machines a very specific Git + repository fails in 9/10 cases on git-fsck due to an SHA1/memory + failures. This only occurs on a very specific repository and can be + reproduced stably on two independent laptops. Git mailing list ran + out of ideas and for me this looks like some very exotic kernel issue" + + and bisected the failure to the backport of commit 53a59fc67f97 ("mm: + limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). + + That commit itself is not actually buggy, but what it does is to make it + much more likely to hit the partial TLB invalidation case, since it + introduces a new case in tlb_next_batch() that previously only ever + happened when running out of memory. + + The real bug is that the TLB gather virtual memory range setup is subtly + buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: + enable tlb flush range in generic mmu_gather"), and the range handling + was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB + range flushed when __tlb_remove_page() runs out of slots"), but that fix + was not complete. + + The problem with the TLB gather virtual address range is that it isn't + set up by the initial tlb_gather_mmu() initialization (which didn't get + the TLB range information), but it is set up ad-hoc later by the + functions that actually flush the TLB. And so any such case that forgot + to update the TLB range entries would potentially miss TLB invalidates. + + Rather than try to figure out exactly which particular ad-hoc range + setup was missing (I personally suspect it's the hugetlb case in + zap_huge_pmd(), which didn't have the same logic as zap_pte_range() + did), this patch just gets rid of the problem at the source: make the + TLB range information available to tlb_gather_mmu(), and initialize it + when initializing all the other tlb gather fields. + + This makes the patch larger, but conceptually much simpler. And the end + result is much more understandable; even if you want to play games with + partial ranges when invalidating the TLB contents in chunks, now the + range information is always there, and anybody who doesn't want to + bother with it won't introduce subtle bugs. + + Ben verified that this fixes his problem. + + Reported-bisected-and-tested-by: Ben Tebulin + Build-testing-by: Stephen Rothwell + Build-testing-by: Richard Weinberger + Reviewed-by: Michal Hocko + Acked-by: Peter Zijlstra + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + arch/arm/include/asm/tlb.h | 7 +++++-- + arch/arm64/include/asm/tlb.h | 7 +++++-- + arch/ia64/include/asm/tlb.h | 9 ++++++--- + arch/s390/include/asm/tlb.h | 8 ++++++-- + arch/sh/include/asm/tlb.h | 6 ++++-- + arch/um/include/asm/tlb.h | 6 ++++-- + fs/exec.c | 4 ++-- + include/asm-generic/tlb.h | 2 +- + mm/hugetlb.c | 2 +- + mm/memory.c | 36 +++++++++++++++++++++--------------- + mm/mmap.c | 4 ++-- + 11 files changed, 57 insertions(+), 34 deletions(-) + +commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 +Merge: 5568c80 ffceabf +Author: Brad Spengler +Date: Sat Aug 17 09:11:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit ffceabfcc65c60109ba5fca694d78d4dc7047809 +Author: Brad Spengler +Date: Sat Aug 17 09:10:44 2013 -0400 + + Update to pax-linux-3.10.7-test11.patch: + - simplified some arm code + - disabled preemption when calling show_regs, reported by Corey Minyard + - added PCID based support for UDEREF on amd64 (blog will have more details) + - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc + - nopcid turns it off + - by default a strong form of UDEREF is used under PCID + - pax_weakuderef switches to the older, less secure UDEREF + - fixed several bugs that would also have manifested under SMAP + - INVPCID is used when available (Haswell) + - added a few more return insn instrumentation in new amd64 crypto code + + Documentation/kernel-parameters.txt | 7 + + arch/arm/include/asm/uaccess.h | 3 + + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ + arch/x86/ia32/ia32_signal.c | 2 +- + arch/x86/ia32/ia32entry.S | 24 ++++- + arch/x86/include/asm/cpufeature.h | 3 +- + arch/x86/include/asm/fpu-internal.h | 2 + + arch/x86/include/asm/futex.h | 4 + + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- + arch/x86/include/asm/pgtable.h | 10 +- + arch/x86/include/asm/processor.h | 15 +++- + arch/x86/include/asm/segment.h | 5 +- + arch/x86/include/asm/smap.h | 64 +++++++++++- + arch/x86/include/asm/tlbflush.h | 63 +++++++++-- + arch/x86/include/asm/uaccess.h | 18 +++- + arch/x86/include/asm/xsave.h | 4 + + arch/x86/kernel/cpu/common.c | 38 +++++++ + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- + arch/x86/kernel/head_32.S | 2 +- + arch/x86/kernel/head_64.S | 8 +- + arch/x86/kernel/process_64.c | 5 + + arch/x86/kernel/setup.c | 8 +- + arch/x86/kernel/signal.c | 4 +- + arch/x86/kernel/smpboot.c | 15 ++- + arch/x86/lib/copy_user_64.S | 50 +-------- + arch/x86/lib/copy_user_nocache_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 11 ++- + arch/x86/lib/memcpy_64.S | 4 +- + arch/x86/lib/memmove_64.S | 2 +- + arch/x86/lib/memset_64.S | 4 +- + arch/x86/lib/usercopy_64.c | 5 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/fault.c | 29 ++++-- + arch/x86/mm/init.c | 7 +- + arch/x86/mm/init_64.c | 9 ++- + arch/x86/mm/pageattr.c | 2 +- + arch/x86/mm/pgtable.c | 3 + + arch/x86/platform/efi/efi_32.c | 2 +- + arch/x86/platform/efi/efi_64.c | 2 +- + arch/x86/realmode/rm/trampoline_64.S | 1 + + fs/exec.c | 2 + + include/asm-generic/uaccess.h | 8 ++ + include/linux/compat.h | 1 + + include/linux/preempt.h | 19 +++ + include/linux/signal.h | 1 + + include/linux/smp.h | 2 + + init/main.c | 14 ++- + kernel/signal.c | 16 +++ + security/Kconfig | 5 + + tools/lib/lk/Makefile | 2 +- + tools/perf/Makefile | 2 +- + 64 files changed, 673 insertions(+), 136 deletions(-) + +commit 5568c8059e78d6d002815409df4e90c83b3b08a8 +Author: Brad Spengler +Date: Sat Aug 17 08:58:34 2013 -0400 + + Fix two harmless compiler warnings + + arch/arm/kernel/process.c | 4 ++-- + fs/exec.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 +Author: Brad Spengler +Date: Fri Aug 16 22:55:24 2013 -0400 + + Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b + + arch/arm/kernel/perf_event.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit 3637bc893b57a227b01852fe34685ab237285b10 +Author: Stephen Boyd +Date: Wed Aug 7 16:18:08 2013 -0700 + + Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb + + perf/arm: Fix armpmu_map_hw_event() + + Fix constraint check in armpmu_map_hw_event(). + + Reported-and-tested-by: Vince Weaver + Cc: + Signed-off-by: Ingo Molnar + Signed-off-by: Linus Torvalds + + arch/arm/kernel/perf_event.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 11802e1f961a088c39af58d1c1b14d861eedfb35 +Author: Brad Spengler +Date: Fri Aug 16 22:53:30 2013 -0400 + + More ARM backports + + arch/arm/kernel/entry-armv.S | 3 ++- + arch/arm/kernel/fiq.c | 8 ++------ + 2 files changed, 4 insertions(+), 7 deletions(-) + +commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea +Author: Brad Spengler +Date: Fri Aug 16 22:46:01 2013 -0400 + + Fix HIDESYM compatibility with kprobes, as reported by feandil at: + http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 + + include/linux/kallsyms.h | 2 +- + kernel/kprobes.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletions(-) + +commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 +Author: yonghua zheng +Date: Tue Aug 13 16:01:03 2013 -0700 + + fs/proc/task_mmu.c: fix buffer overflow in add_page_map() + + Recently we met quite a lot of random kernel panic issues after enabling + CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something + to do with following bug in pagemap: + + In struct pagemapread: + + struct pagemapread { + int pos, len; + pagemap_entry_t *buffer; + bool v2; + }; + + pos is number of PM_ENTRY_BYTES in buffer, but len is the size of + buffer, it is a mistake to compare pos and len in add_page_map() for + checking buffer is full or not, and this can lead to buffer overflow and + random kernel panic issue. + + Correct len to be total number of PM_ENTRY_BYTES in buffer. + + [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] + Signed-off-by: Yonghua Zheng + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/task_mmu.c + + fs/proc/task_mmu.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 0a3dac834746de241c10d4978bf61b4f146ba89d +Merge: dc19474 e12de30 +Author: Brad Spengler +Date: Fri Aug 16 17:39:01 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 +Author: Brad Spengler +Date: Fri Aug 16 17:34:47 2013 -0400 + + Update to pax-linux-3.10.7-test9.patch: + - Emese fixed a size overflow false positive reported by Sven Vermeulen + - fixed some arm compile problems reported by spender + - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard + eventually we'll have full REFCOUNT support on mips + + arch/arm/kernel/process.c | 5 ++- + arch/arm/mm/Kconfig | 2 +- + arch/arm/mm/fault.c | 3 ++ + arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ + mm/internal.h | 2 +- + 5 files changed, 65 insertions(+), 4 deletions(-) + +commit dc19474d0ea6ea3c939544ae5f906067b1784a10 +Merge: 51b78c0 82266f9 +Author: Brad Spengler +Date: Thu Aug 15 21:47:37 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 82266f90a3f87ab5017329fb539aebf94c42253a +Author: Brad Spengler +Date: Thu Aug 15 21:14:47 2013 -0400 + + Update to pax-linux-3.10.7-test9.patch + + arch/arm/kernel/process.c | 6 ++---- + 1 files changed, 2 insertions(+), 4 deletions(-) + +commit 51b78c06d1f41614f593cd36456b4af559e9d7fa +Merge: e32d904 cb77ead +Author: Brad Spengler +Date: Thu Aug 15 20:53:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit cb77ead0eccb5abb75f7e437a3725d0254558ccd +Merge: 13675b8 519be45 +Author: Brad Spengler +Date: Thu Aug 15 20:50:47 2013 -0400 + + Update to pax-linux-3.10.7-test8.patch + + Merge branch 'linux-3.10.y' into pax-test + +commit e32d904b87292288e74e2637b900fd1115687b8e +Author: Brad Spengler +Date: Sat Aug 10 09:41:40 2013 -0400 + + propagate the threadstack offset through to the topdown/bottomup allocators + on sparc64 hugepages + + arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c +Author: Oleg Nesterov +Date: Thu Aug 8 18:55:32 2013 +0200 + + Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 + + another local DoS found in reaction to the one I reported, + we don't allow unpriv user ns use so this doesn't matter much to us + + userns: limit the maximum depth of user_namespace->parent chain + + Ensure that user_namespace->parent chain can't grow too much. + Currently we use the hardroded 32 as limit. + + Reported-by: Andy Lutomirski + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + include/linux/user_namespace.h | 1 + + kernel/user_namespace.c | 4 ++++ + 2 files changed, 5 insertions(+), 0 deletions(-) + +commit 223ac007ef18bf3a5095ba0a56675c1f16200149 +Merge: 1c92de4 13675b8 +Author: Brad Spengler +Date: Thu Aug 8 20:45:24 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 13675b848cf02bffd26924b2b84d927095bc253d +Author: Brad Spengler +Date: Thu Aug 8 20:43:52 2013 -0400 + + Update to pax-linux-3.10.5-test8.patch: + - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) + - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard + - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard + + arch/arm/include/asm/pgtable-2level.h | 4 +++- + arch/arm/mm/proc-v7-2level.S | 3 --- + arch/mips/mm/fault.c | 8 ++++++++ + arch/x86/include/asm/processor.h | 3 ++- + include/linux/math64.h | 2 +- + security/Kconfig | 2 -- + 6 files changed, 14 insertions(+), 8 deletions(-) + +commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 +Merge: e65aa3d 1660f49 +Author: Brad Spengler +Date: Mon Aug 5 18:50:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 1660f496848b8400d263f7920989dae15e72185a +Merge: 7f91ba1 dc51cd2 +Author: Brad Spengler +Date: Mon Aug 5 18:50:12 2013 -0400 + + Update to pax-linux-3.10.5-test7.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/head_64.S + mm/mempolicy.c + +commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 +Author: Brad Spengler +Date: Mon Aug 5 17:58:42 2013 -0400 + + Disable RANDKSTACK for a VirtualBox host as mentioned on the + gentoo-hardened bugzilla: + https://bugs.gentoo.org/show_bug.cgi?id=382793 + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 +Author: Dan Carpenter +Date: Tue Jul 30 13:23:39 2013 +0300 + + Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 + + net_sched: info leak in atm_tc_dump_class() + + The "pvc" struct has a hole after pvc.sap_family which is not cleared. + + Signed-off-by: Dan Carpenter + Reviewed-by: Jiri Pirko + Signed-off-by: David S. Miller + + net/sched/sch_atm.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 50d20ebce56b6e0b9622685930e007e46c7c04bb +Author: Daniel Borkmann +Date: Fri Aug 2 11:32:43 2013 +0200 + + Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 + + net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails + + Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa + resource that was allocated via inet_alloc_ifa() unfreed when returning + the function with -EINVAL. Thus, free it first via inet_free_ifa(). + + Signed-off-by: Daniel Borkmann + Reviewed-by: Jiri Pirko + Signed-off-by: David S. Miller + + net/ipv4/devinet.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 +Author: Himanshu Madhani +Date: Fri Aug 2 23:15:56 2013 -0400 + + Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 + + qlcnic: Free up memory in error path. + + Signed-off-by: Himanshu Madhani + Signed-off-by: Shahed Shaikh + Signed-off-by: David S. Miller + + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a +Author: Shahed Shaikh +Date: Fri Aug 2 23:15:54 2013 -0400 + + Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f + + qlcnic: Fix MAC address filter issue on 82xx adapter + + Driver was passing the address of a pointer instead of + the pointer itself. + + Signed-off-by: Shahed Shaikh + Signed-off-by: David S. Miller + + drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 +Author: Brad Spengler +Date: Mon Aug 5 17:26:40 2013 -0400 + + Move user namespace capability check to shared create_user_ns code so we + cover unshare() as well. + + Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to + user namespaces! + + kernel/fork.c | 17 ----------------- + kernel/user_namespace.c | 24 ++++++++++++++++++++++-- + 2 files changed, 22 insertions(+), 19 deletions(-) + +commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 +Author: Brad Spengler +Date: Mon Aug 5 16:05:41 2013 -0400 + + silence a warning on older gcc + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b8966a5d577e9220fbc63306eee978f819f24e2e +Author: Brad Spengler +Date: Sat Aug 3 08:31:08 2013 -0400 + + we only care about mmaps of the beginning of an ELF, filter out + all others as suggested by pipacs + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb +Author: Brad Spengler +Date: Fri Aug 2 23:54:51 2013 -0400 + + add include + + grsecurity/grsec_log.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 +Author: Brad Spengler +Date: Fri Aug 2 23:49:13 2013 -0400 + + fix compilation + + include/linux/grinternal.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1704c23fdc55b68f512dc9927940e72237f3f43e +Author: Brad Spengler +Date: Fri Aug 2 23:34:35 2013 -0400 + + Improve PaX reporting (tells when anon mapping is stack or heap) + Remove textrel logging option, combine into rwx logging option + Enhance RWX logging option to display when PT_GNU_STACK-enabled library + is loaded under an MPROTECTed binary + Enhance RWX mprotect logging to display stack/heap instead of just + anon mapping + + fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ + fs/exec.c | 4 ++++ + grsecurity/Kconfig | 21 +++++---------------- + grsecurity/grsec_init.c | 4 ---- + grsecurity/grsec_log.c | 14 ++++++++++++++ + grsecurity/grsec_pax.c | 19 ++++++++++++++----- + grsecurity/grsec_sysctl.c | 9 --------- + include/linux/binfmts.h | 1 + + include/linux/grinternal.h | 2 +- + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 3 ++- + mm/mmap.c | 7 +++++++ + mm/mprotect.c | 2 +- + 13 files changed, 88 insertions(+), 38 deletions(-) + +commit faf81c100c8565524e21c9af780a0ad2ce3fd925 +Author: Brad Spengler +Date: Thu Aug 1 18:52:02 2013 -0400 + + add missing #define + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 +Author: Brad Spengler +Date: Thu Aug 1 18:43:53 2013 -0400 + + fix compilation for !COMPAT as reported on the forums + + grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- + 1 files changed, 97 insertions(+), 98 deletions(-) + +commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c +Merge: 65019c9 7f91ba1 +Author: Brad Spengler +Date: Wed Jul 31 17:47:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 65019c9bd05f860437071cbf00e2027fd2d68615 +Author: Brad Spengler +Date: Wed Jul 31 17:47:20 2013 -0400 + + Revert "revert recent PaX change that causes boot failures with 32bit userland" + + This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 +Author: Brad Spengler +Date: Wed Jul 31 17:46:00 2013 -0400 + + Update to pax-linux-3.10.4-test7.patch: + - added a few more missing format strings + - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable + - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time + - fixed a UDEREF/i386 regression, __get_user_8 would always fail + + arch/x86/include/asm/processor.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/dumpstack.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/lib/getuser.S | 4 +- + arch/x86/xen/smp.c | 2 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- + drivers/video/backlight/backlight.c | 2 +- + drivers/video/backlight/lcd.c | 2 +- + fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- + fs/exec.c | 50 +++++++++++++-------------- + include/linux/sched.h | 2 + + 14 files changed, 88 insertions(+), 47 deletions(-) + +commit 043130da54cb7cc8dc44e0ce889d426e889a0532 +Author: Brad Spengler +Date: Wed Jul 31 16:26:58 2013 -0400 + + compile fix for !COMPAT as mentioned on forums + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ed0a195abd4e41c2449a020a53a19c74dc866d78 +Author: Brad Spengler +Date: Tue Jul 30 22:33:14 2013 -0400 + + perform compat conversion of rlimit infinity + + grsecurity/gracl_compat.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 +Author: Brad Spengler +Date: Tue Jul 30 22:21:40 2013 -0400 + + remove debugging + + grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- + 1 files changed, 11 insertions(+), 33 deletions(-) + +commit e75b3f504692b97960a7530ad0855d91441d79c0 +Author: Brad Spengler +Date: Tue Jul 30 22:20:32 2013 -0400 + + eliminate compat_dev_t + + include/linux/gracl_compat.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit e5abbaf95313066a724e1a843d4fc902a9a6450e +Author: Brad Spengler +Date: Tue Jul 30 22:13:22 2013 -0400 + + fix compat rlimit size + + grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- + include/linux/gracl_compat.h | 4 +- + 2 files changed, 49 insertions(+), 23 deletions(-) + +commit 877d6c2f8b3518ff39601084560bb33c58d35a1f +Author: Brad Spengler +Date: Tue Jul 30 21:20:18 2013 -0400 + + compile fix + + grsecurity/gracl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 +Author: Brad Spengler +Date: Tue Jul 30 21:14:29 2013 -0400 + + copy correct pointer size in new compat code + + grsecurity/gracl.c | 8 ++++---- + grsecurity/gracl_compat.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 23278a1ee1c7738dd1e7005241394d32b82196e4 +Author: Brad Spengler +Date: Tue Jul 30 19:48:58 2013 -0400 + + revert recent PaX change that causes boot failures with 32bit userland + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit ec27f71a813656fea8ab37faecb2b485fe99d08e +Merge: 3a11bcf 05f0a61 +Author: Brad Spengler +Date: Tue Jul 30 19:42:21 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 +Author: Brad Spengler +Date: Tue Jul 30 19:41:44 2013 -0400 + + Update to pax-linux-3.10.4-test6.patch: + - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender + + include/linux/syscalls.h | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 +Author: Brad Spengler +Date: Tue Jul 30 19:15:50 2013 -0400 + + compile fix + + grsecurity/gracl_compat.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 +Author: Brad Spengler +Date: Tue Jul 30 19:12:46 2013 -0400 + + remove BUILD_BUG_ONs + + grsecurity/gracl_compat.c | 20 -------------------- + 1 files changed, 0 insertions(+), 20 deletions(-) + +commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 +Author: Brad Spengler +Date: Tue Jul 30 00:18:36 2013 -0400 + + compile fixes + + grsecurity/gracl_compat.c | 8 ++++---- + include/linux/gracl_compat.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 8b744005f8bae565e24c1fd88af77e6e619b9434 +Author: Brad Spengler +Date: Tue Jul 30 00:16:42 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_compat.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c +Author: Brad Spengler +Date: Tue Jul 30 00:13:51 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit b93b829afcc98b6108b18d99ff63c53642d0b951 +Author: Brad Spengler +Date: Tue Jul 30 00:11:03 2013 -0400 + + compile fixes + + grsecurity/gracl_compat.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 +Author: Brad Spengler +Date: Tue Jul 30 00:08:21 2013 -0400 + + more compile fixes + + grsecurity/gracl.c | 28 ++++++++++++++-------------- + 1 files changed, 14 insertions(+), 14 deletions(-) + +commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b +Author: Brad Spengler +Date: Mon Jul 29 23:59:50 2013 -0400 + + more compile fixes + + grsecurity/gracl.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 +Author: Brad Spengler +Date: Mon Jul 29 23:56:47 2013 -0400 + + additional compile fixes + + grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 files changed, 49 insertions(+), 10 deletions(-) + +commit ac695a081d1124fb28bec46814535d34c5e40611 +Author: Brad Spengler +Date: Mon Jul 29 23:47:15 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 +Author: Brad Spengler +Date: Mon Jul 29 23:46:59 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 14 deletions(-) + +commit 82631f451cc7432b6c5578cf8d24155473feb25c +Author: Brad Spengler +Date: Mon Jul 29 23:22:44 2013 -0400 + + Initial commit of compat RBAC loading + Permits 32bit gradm to load policy for a 64bit kernel + + Also removed code duplication for copying strings into the kernel + + Work performed as part of sponsorship + + grsecurity/Makefile | 4 + + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- + grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ + include/linux/gracl_compat.h | 156 +++++++++++++++++++++ + 4 files changed, 603 insertions(+), 142 deletions(-) + +commit 84c4a433dfb096e4a1162ee5e68025122c70b421 +Merge: c9d3ed3 9fe5897 +Author: Brad Spengler +Date: Mon Jul 29 17:08:56 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 9fe58978938e357642885866ca48090a7753d403 +Merge: 8f693ad 6f7bb6b +Author: Brad Spengler +Date: Mon Jul 29 17:08:43 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 +Merge: d5e5bfd 8f693ad +Author: Brad Spengler +Date: Sun Jul 28 10:03:08 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 8f693ade9b3e448f92706d34148b00a087637f70 +Author: Brad Spengler +Date: Sun Jul 28 10:02:16 2013 -0400 + + Update to pax-linux-3.10.3-test5.patch: + - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) + - fixed handling of faulting userland accesses for UDEREF/arm, from spender + - updated the size overflow hash table, from Emese + + arch/arm/kernel/entry-armv.S | 3 +- + arch/x86/include/asm/processor.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- + 7 files changed, 513 insertions(+), 55 deletions(-) + +commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 +Merge: 19e077b 8a8a0d0 +Author: Brad Spengler +Date: Thu Jul 25 21:05:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 +Author: Brad Spengler +Date: Thu Jul 25 21:04:09 2013 -0400 + + Update to pax-linux-3.10.3-test4.patch: + - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. + this is finer grained sanitization than the existing per-page based approach (which + is still done) at a somewhat higher performance cost. the pax_sanitize_slab command + line option can be used to enable/disable it on boot (it's enabled by default when + CONFIG_PAX_MEMORY_SANITIZE is enabled). + + Documentation/kernel-parameters.txt | 4 ++++ + fs/buffer.c | 2 +- + fs/dcache.c | 3 ++- + include/linux/slab.h | 7 +++++++ + include/linux/slab_def.h | 4 ++++ + kernel/fork.c | 2 +- + mm/rmap.c | 6 ++++-- + mm/slab.c | 27 +++++++++++++++++++++++++++ + mm/slab.h | 12 +++++++++++- + mm/slab_common.c | 14 ++++++++++++++ + mm/slob.c | 5 +++++ + mm/slub.c | 11 +++++++++++ + net/core/skbuff.c | 6 ++++-- + security/Kconfig | 23 +++++++++++++++++------ + 14 files changed, 112 insertions(+), 14 deletions(-) + +commit 19e077bfff54ca211d0142c07cb6dd88069a390c +Merge: 960ec51 c8f7f51 +Author: Brad Spengler +Date: Thu Jul 25 19:53:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c8f7f51591207b82530214300e86277028919286 +Merge: d5142e3 81a4648 +Author: Brad Spengler +Date: Thu Jul 25 19:52:29 2013 -0400 + + Update to pax-linux-3.10.3-test3.patch: + - fixed some compile issues reported by Michael Tremer and spender + - fixed an i386 regression with the lower address space gap on i386, reported by cnu + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + kernel/time/tick-broadcast.c + +commit 960ec51ab2142544fbae563d4fd5744775408965 +Author: Al Viro +Date: Sat Jul 20 03:13:55 2013 +0400 + + Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 + + livelock avoidance in sget() + + Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about + to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, + ->s_active is 1. Along comes two more processes, trying to mount the same + thing; sget() in each is picking that superblock, bumping ->s_count and + trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) + finally gets to deactivate_locked_super() on failure; ->s_active is 2, + superblock is still ->fs_supers because shutdown will *not* happen until + ->s_active hits 0. ->s_umount is dropped and now we have two processes + chasing each other: + s_active = 2, A acquired ->s_umount, B blocked + A sees that the damn thing is stillborn, does deactivate_locked_super() + s_active = 1, A drops ->s_umount, B gets it + A restarts the search and finds the same superblock. And bumps it ->s_active. + s_active = 2, B holds ->s_umount, A blocked on trying to get it + ... and we are in the earlier situation with A and B switched places. + + The root cause, of course, is that ->s_active should not grow until we'd + got MS_BORN. Then failing ->mount() will have deactivate_locked_super() + shut the damn thing down. Fortunately, it's easy to do - the key point + is that grab_super() is called only for superblocks currently on ->fs_supers, + so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and + bump ->s_active; we must never increment ->s_count for superblocks past + ->kill_sb(), but grab_super() is never called for those. + + The bug is pretty old; we would've caught it by now, if not for accidental + exclusion between sget() for block filesystems; the things like cgroup or + e.g. mtd-based filesystems don't have anything of that sort, so they get + bitten. The right way to deal with that is obviously to fix sget()... + + Signed-off-by: Al Viro + + fs/super.c | 25 ++++++++++--------------- + 1 files changed, 10 insertions(+), 15 deletions(-) + +commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 +Merge: ab95b58 d5142e3 +Author: Brad Spengler +Date: Sun Jul 21 22:47:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d5142e31785f8c32c7338c51fcc27313bdd4a84e +Merge: f36ae8c 0f4a56e +Author: Brad Spengler +Date: Sun Jul 21 22:47:34 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit ab95b5842899d61ff5c30f4582e72029b3155be8 +Author: Brad Spengler +Date: Sun Jul 21 22:28:40 2013 -0400 + + compile fix with constification reported by Michael Tremer + + drivers/gpu/host1x/drm/dc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 817cd2d1e7a55720326599dd8f542578eef30927 +Author: Hannes Frederic Sowa +Date: Fri Jul 12 23:46:33 2013 +0200 + + Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 + + ipv6: only static routes qualify for equal cost multipathing + + Static routes in this case are non-expiring routes which did not get + configured by autoconf or by icmpv6 redirects. + + To make sure we actually get an ecmp route while searching for the first + one in this fib6_node's leafs, also make sure it matches the ecmp route + assumptions. + + v2: + a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF + already ensures that this route, even if added again without + RTF_EXPIRES (in case of a RA announcement with infinite timeout), + does not cause the rt6i_nsiblings logic to go wrong if a later RA + updates the expiration time later. + + v3: + a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, + because an pmtu event could update the RTF_EXPIRES flag and we would + not count this route, if another route joins this set. We now filter + only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that + don't get changed after rt6_info construction. + + Cc: Nicolas Dichtel + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_fib.c | 15 +++++++++++---- + 1 files changed, 11 insertions(+), 4 deletions(-) + +commit 77db8196d51b043e2e2d124094da101b0f01bccb +Author: Dan Carpenter +Date: Fri Jul 12 09:39:03 2013 +0300 + + Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 + + svcrdma: underflow issue in decode_write_list() + + My static checker marks everything from ntohl() as untrusted and it + complains we could have an underflow problem doing: + + return (u32 *)&ary->wc_array[nchunks]; + + Also on 32 bit systems the upper bound check could overflow. + + Cc: stable@vger.kernel.org + Signed-off-by: Dan Carpenter + Signed-off-by: J. Bruce Fields + + net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ + 1 files changed, 14 insertions(+), 6 deletions(-) + +commit 926473317fd7953137ef97835edd36dabc584b01 +Author: Brad Spengler +Date: Wed Jul 17 21:29:02 2013 -0400 + + add missing asm/pgtable.h include, reported by Michael Tremer + + drivers/clk/socfpga/clk.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c592ae0001b31932ef1491784dfa374058797c66 +Author: Brad Spengler +Date: Tue Jul 16 20:40:24 2013 -0400 + + allow viewing of ecryptfs version under SYSFS_RESTRICT + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 +Merge: 9c96441 f36ae8c +Author: Brad Spengler +Date: Sun Jul 14 19:23:13 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f36ae8c741ae32b1caff10825be12c327792c925 +Author: Brad Spengler +Date: Sun Jul 14 19:22:15 2013 -0400 + + Update to pax-linux-3.10-test2.patch: + - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer + - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer + - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer + - spender fixed an madvise regression, reported by Peter Keel + - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) + - fixed a headers_install regression, reported by Mathias Krause + - fixed a SLOB compile regression, reported by Mathias Krause + + arch/arm/include/asm/uaccess.h | 4 ++-- + arch/arm/mm/mmu.c | 15 +++++++++++++-- + drivers/clk/socfpga/clk.c | 6 ++++-- + mm/madvise.c | 4 ++-- + mm/slab.c | 4 ++-- + mm/slob.c | 4 ++-- + scripts/headers_install.sh | 2 +- + 7 files changed, 26 insertions(+), 13 deletions(-) + +commit 9c9644156a49637050741d9165df79174e59b0ef +Author: Brad Spengler +Date: Sun Jul 14 19:19:54 2013 -0400 + + Fix sparc64 compilation, reported by Blake Self + + arch/sparc/kernel/sys_sparc_64.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 +Author: Brad Spengler +Date: Sun Jul 14 11:49:17 2013 -0400 + + Update PaX fix, just return the error + + mm/madvise.c | 15 +++++++-------- + 1 files changed, 7 insertions(+), 8 deletions(-) + +commit a10e377d0eddd37e8a3665b135e546ab03d9d171 +Author: Brad Spengler +Date: Sun Jul 14 11:36:00 2013 -0400 + + Fix madvise oops reported by Peter Keel + + mm/madvise.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit 08c5adca34d408772255b313f90d82c250c1d967 +Author: Brad Spengler +Date: Sun Jul 14 11:26:34 2013 -0400 + + don't make high vector mapping non-present on old ARM architectures, no + point in emulating some vector entries when the processor doesn't even support XN + + arch/arm/mm/mmu.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 2b40781d4197a89a003616af584884e36361c5b2 +Author: Brad Spengler +Date: Sun Jul 14 09:51:58 2013 -0400 + + Temporary compile fix for code incorrectly modifying const data + Wrap a cast version of the code with open/close + + Thanks to Michael Tremer for the report + + drivers/clk/socfpga/clk.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit a8258c1b4098c396cd4ea719e20858182feac1c1 +Author: Brad Spengler +Date: Sun Jul 14 09:41:16 2013 -0400 + + Fix missing right parens in pipacs' "improvement" of my ARM code ;) + Thanks to Michael Tremer for reporting + + arch/arm/include/asm/uaccess.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 8542e1e973be7cc9a009d2ada8033576b2890e6f +Merge: 86f446e 2577f8e +Author: Brad Spengler +Date: Sat Jul 13 20:46:58 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + mm/memcontrol.c + +commit 2577f8e4ec41efb347706a59c6838de20f0c90da +Merge: 75a36f0 cb5d8be +Author: Brad Spengler +Date: Sat Jul 13 20:43:42 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + crypto/algapi.c + drivers/block/nbd.c + +commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 +Author: Brad Spengler +Date: Fri Jul 12 23:02:11 2013 -0400 + + we always want the vector page to be noaccess for userland + therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY + which turns into supervisor rwx, userland rx, we instead omit that entirely, + leaving it as supervisor rwx only + + Fixes booting on ARMv5 and earlier, which need to write directly + to the high vector mapping via set_tls when context switching + + Thanks to Michael Tremer for the bugreport + + arch/arm/mm/mmu.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit 90cd0827eef656ec884f19c977873fefe2f2e47d +Author: Cong Wang +Date: Sat Jun 29 12:02:59 2013 +0800 + + Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 + + gre: fix a regression in ioctl + + When testing GRE tunnel, I got: + + # ip tunnel show + get tunnel gre0 failed: Invalid argument + get tunnel gre1 failed: Invalid argument + + This is a regression introduced by commit c54419321455631079c7d + ("GRE: Refactor GRE tunneling code.") because previously we + only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, + after that commit, the check is moved for all commands. + + So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. + + After this patch I got: + + # ip tunnel show + gre0: gre/ip remote any local any ttl inherit nopmtudisc + gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit + + Cc: Pravin B Shelar + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + net/ipv4/ip_gre.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 +Author: Cong Wang +Date: Sat Jun 29 13:00:57 2013 +0800 + + Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 + + vti: remove duplicated code to fix a memory leak + + vti module allocates dev->tstats twice: in vti_fb_tunnel_init() + and in vti_tunnel_init(), this lead to a memory leak of + dev->tstats. + + Just remove the duplicated operations in vti_fb_tunnel_init(). + + (candidate for -stable) + + Cc: Stephen Hemminger + Cc: Saurabh Mohan + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Acked-by: Stephen Hemminger + Signed-off-by: David S. Miller + + net/ipv4/ip_vti.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd +Author: Michal Schmidt +Date: Mon Jul 1 17:23:05 2013 +0200 + + Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a + + bnx2x: remove zeroing of dump data buffer + + There is no need to initialize the dump data with zeros. + data is allocated with vzalloc, so it's already zero-filled. + + More importantly, the memset is harmful, because dump->len (the length + requested by userspace) can be bigger than the allocated buffer (whose + size is determined by asking the driver's .get_dump_flag method). + + Signed-off-by: Michal Schmidt + Signed-off-by: David S. Miller + + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit c771072b72c261f9bddd6734dca6979c1b96e7df +Author: Michal Schmidt +Date: Mon Jul 1 17:23:06 2013 +0200 + + Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 + + bnx2x: fix dump flag handling + + bnx2x interprets the dump flag as an index of a register preset. + It is important to validate the index to avoid out of bounds + memory accesses. + + Signed-off-by: Michal Schmidt + Signed-off-by: David S. Miller + + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ + 2 files changed, 5 insertions(+), 0 deletions(-) + +commit aed315c8fad9b2044143b46b239574b1b72135ce +Author: Michal Schmidt +Date: Mon Jul 1 17:23:30 2013 +0200 + + Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 + + ethtool: make .get_dump_data() harder to misuse by drivers + + As the patch "bnx2x: remove zeroing of dump data buffer" showed, + it is too easy implement .get_dump_data incorrectly in a driver. + + Let's make sure drivers cannot get confused by userspace requesting + a too big dump. + + Also WARN if the driver sets dump->len to something weird and make + sure the length reported to userspace is the actual length of data + copied to userspace. + + Signed-off-by: Michal Schmidt + Reviewed-by: Ben Hutchings + Signed-off-by: David S. Miller + + net/core/ethtool.c | 21 ++++++++++++++++++++- + 1 files changed, 20 insertions(+), 1 deletions(-) + +commit 5c57991e66216e386dcc875d34c33f0edd038569 +Author: Wei Yongjun +Date: Tue Jul 2 09:02:07 2013 +0800 + + Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd + + l2tp: add missing .owner to struct pppox_proto + + Add missing .owner of struct pppox_proto. This prevents the + module from being removed from underneath its users. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 +Author: Benjamin Herrenschmidt +Date: Sun Jun 30 14:37:11 2013 +1000 + + Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 + + cxgb3: Missing rtnl lock in error recovery + + When exercising error injection on IBM pseries machine, I hit the + following warning: + + [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 + [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) + [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 + [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) + [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 + [ 254.895474] Call Trace: + [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) + [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c + [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 + [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] + [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] + [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 + [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 + [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 + [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 + [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 + [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 + + It appears that t3_resume_ports() is called with the rtnl_lock held from + the fatal error task but not from the PCI error callbacks. This fixes it. + + Signed-off-by: Benjamin Herrenschmidt + Signed-off-by: David S. Miller + + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 +Author: Hannes Frederic Sowa +Date: Mon Jul 1 20:21:30 2013 +0200 + + Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 + + ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data + + We accidentally call down to ip6_push_pending_frames when uncorking + pending AF_INET data on a ipv6 socket. This results in the following + splat (from Dave Jones): + + skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:126! + invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth + +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c + CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 + task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 + RIP: 0010:[] [] skb_panic+0x63/0x65 + RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 + RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 + RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 + RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 + R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 + FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 + Stack: + ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 + ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 + ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 + Call Trace: + [] skb_push+0x3a/0x40 + [] ip6_push_pending_frames+0x1f6/0x4d0 + [] ? mark_held_locks+0xbb/0x140 + [] udp_v6_push_pending_frames+0x2b9/0x3d0 + [] ? udplite_getfrag+0x20/0x20 + [] udp_lib_setsockopt+0x1aa/0x1f0 + [] ? fget_light+0x387/0x4f0 + [] udpv6_setsockopt+0x34/0x40 + [] sock_common_setsockopt+0x14/0x20 + [] SyS_setsockopt+0x71/0xd0 + [] tracesys+0xdd/0xe2 + Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 + RIP [] skb_panic+0x63/0x65 + RSP + + This patch adds a check if the pending data is of address family AF_INET + and directly calls udp_push_ending_frames from udp_v6_push_pending_frames + if that is the case. + + This bug was found by Dave Jones with trinity. + + (Also move the initialization of fl6 below the AF_INET check, even if + not strictly necessary.) + + Cc: Dave Jones + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + include/net/udp.h | 1 + + net/ipv4/udp.c | 3 ++- + net/ipv6/udp.c | 7 ++++++- + 3 files changed, 9 insertions(+), 2 deletions(-) + +commit cd83094a85d9bbd5a67332156407d53cf8835432 +Author: Hannes Frederic Sowa +Date: Tue Jul 2 08:04:05 2013 +0200 + + Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be + + ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size + + If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track + of this when appending the second frame on a corked socket. This results + in the following splat: + + [37598.993962] ------------[ cut here ]------------ + [37598.994008] kernel BUG at net/core/skbuff.c:2064! + [37598.994008] invalid opcode: 0000 [#1] SMP + [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat + +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi + +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm + [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc + +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video + [37598.994008] CPU 0 + [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG + [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 + [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 + [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 + [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 + [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 + [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 + [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 + [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 + [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 + [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) + [37598.994008] Stack: + [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 + [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 + [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 + [37598.994008] Call Trace: + [37598.994008] [] ip6_append_data+0xccf/0xfe0 + [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 + [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 + [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 + [37598.994008] [] ? sock_has_perm+0x75/0x90 + [37598.994008] [] inet_sendmsg+0x63/0xb0 + [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 + [37598.994008] [] sock_sendmsg+0xb0/0xe0 + [37598.994008] [] ? __switch_to+0x181/0x4a0 + [37598.994008] [] sys_sendto+0x12d/0x180 + [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 + [37598.994008] [] ? syscall_trace_enter+0x231/0x240 + [37598.994008] [] tracesys+0xdd/0xe2 + [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 + [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 + [37598.994008] RSP + [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- + + While there, also check if path mtu discovery is activated for this + socket. The logic was adapted from ip6_append_data when first writing + on the corked socket. + + This bug was introduced with commit + 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec + fragment"). + + v2: + a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. + b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao + feng, thanks!). + c) Change mtu to unsigned int, else we get a warning about + non-matching types because of the min()-macro type-check. + + Acked-by: Gao feng + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 16 ++++++++++------ + 1 files changed, 10 insertions(+), 6 deletions(-) + +commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c +Author: Michael S. Tsirkin +Date: Sun Jul 7 14:26:53 2013 +0300 + + Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 + + vhost-net: fix use-after-free in vhost_net_flush + + vhost_net_ubuf_put_and_wait has a confusing name: + it will actually also free it's argument. + Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 + "vhost-net: flush outstanding DMAs on memory change" + vhost_net_flush tries to use the argument after passing it + to vhost_net_ubuf_put_and_wait, this results + in use after free. + To fix, don't free the argument in vhost_net_ubuf_put_and_wait, + add an new API for callers that want to free ubufs. + + Acked-by: Asias He + Acked-by: Jason Wang + Signed-off-by: Michael S. Tsirkin + Signed-off-by: David S. Miller + + drivers/vhost/net.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 088806db74ac2f08c106202bc5498585a9ee529f +Author: Michal Hocko +Date: Mon Jul 8 16:00:29 2013 -0700 + + Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b + + memcg, kmem: fix reference count handling on the error path + + mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. + This is not correct because only memcg_propagate_kmem takes an + additional reference while mem_cgroup_sockets_init is allowed to fail as + well (although no current implementation fails) but it doesn't take any + reference. This all suggests that it should be memcg_propagate_kmem + that should clean up after itself so this patch moves mem_cgroup_put + over there. + + Unfortunately this is not that easy (as pointed out by Li Zefan) because + memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is + marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if + memcg_propagate_kmem fails so the additional reference is dropped in + that case in kmem_cgroup_destroy which means that the reference would be + dropped two times. + + The easiest way then would be to simply remove mem_cgrroup_put from + mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right + thing. + + Signed-off-by: Michal Hocko + Signed-off-by: Li Zefan + Acked-by: KAMEZAWA Hiroyuki + Cc: Hugh Dickins + Cc: Tejun Heo + Cc: Glauber Costa + Cc: Johannes Weiner + Cc: [3.8] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/memcontrol.c | 8 -------- + 1 files changed, 0 insertions(+), 8 deletions(-) + +commit 08bfb6e700d13886ed722c2236e1ec10f03a95df +Author: Michal Hocko +Date: Mon Jul 8 16:00:27 2013 -0700 + + Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 + + Revert "memcg: avoid dangling reference count in creation failure" + + This reverts commit e4715f01be697a. + + mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops + an additional reference from all parents so the additional + mem_cgrroup_put(parent) potentially causes use-after-free. + + Signed-off-by: Michal Hocko + Signed-off-by: Li Zefan + Acked-by: KAMEZAWA Hiroyuki + Cc: Hugh Dickins + Cc: Tejun Heo + Cc: Glauber Costa + Cc: Johannes Weiner + Cc: [3.9+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/memcontrol.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit 3267ec559f48327a1836eccecd53215afc5810d0 +Author: Tyler Hicks +Date: Thu Jun 20 13:13:59 2013 -0700 + + Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e + + libceph: Fix NULL pointer dereference in auth client code + + A malicious monitor can craft an auth reply message that could cause a + NULL function pointer dereference in the client's kernel. + + To prevent this, the auth_none protocol handler needs an empty + ceph_auth_client_ops->build_request() function. + + CVE-2013-1059 + + Signed-off-by: Tyler Hicks + Reported-by: Chanam Park + Reviewed-by: Seth Arnold + Reviewed-by: Sage Weil + Cc: stable@vger.kernel.org + + net/ceph/auth_none.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit cdfeb4049e7cb38702215b2c356ce0407974ac79 +Author: Eric Paris +Date: Wed Jul 3 15:08:29 2013 -0700 + + Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 + + fork: reorder permissions when violating number of processes limits + + When a task is attempting to violate the RLIMIT_NPROC limit we have a + check to see if the task is sufficiently priviledged. The check first + looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. + + A result is that tasks which are allowed by the uid=0 check are first + checked against the security subsystem. This results in the security + subsystem auditting a denial for sys_admin and sys_resource and then the + task passing the uid=0 check. + + This patch rearranges the code to first check uid=0, since if we pass that + we shouldn't hit the security system at all. We then check sys_resource, + since it is the smallest capability which will solve the problem. Lastly + we check the fallback everything cap_sysadmin. We don't want to give this + capability many places since it is so powerful. + + This will eliminate many of the false positive/needless denial messages we + get when a root task tries to violate the nproc limit. (note that + kthreads count against root, so on a sufficiently large machine we can + actually get past the default limits before any userspace tasks are + launched.) + + Signed-off-by: Eric Paris + Cc: Al Viro + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/fork.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 08c87e049c8a50707908785d950fd48c334f4c09 +Author: Chen Gang +Date: Sat Jun 22 13:26:09 2013 +0800 + + Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 + + arch: sparc: kernel: check the memory length before use strcpy(). + + For the related next strcpy(), the destination length is less than 512, + but the source maximize length may be 'OPROMMAXPARAM' (4096) which is + more than 512. + + One work flow may: + openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) + getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. + opromsetopt() -> devide the buffer into 'var' and 'value' + of_set_property() -> pass + prom_setprop() -> pass + ldom_set_var() + + And do not mind the additional 4 alignment buffer increasing, since + 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. + + Signed-off-by: Chen Gang + Signed-off-by: David S. Miller + + arch/sparc/kernel/ds.c | 10 ++++++++++ + 1 files changed, 10 insertions(+), 0 deletions(-) + +commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 +Author: Brad Spengler +Date: Fri Jul 12 20:38:45 2013 -0400 + + Fix SLAB boot errors due to PAX_USERCOPY reported on the forums + + Unlike slub, slab can initally create two of the kmalloc_caches + which will be used later for generic kmallocs of their particular + aligned size (since the later loop in the unified allocator code + skips any already-existing kmalloc_caches) + + mm/slab.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 +Author: Brad Spengler +Date: Tue Jul 9 22:04:59 2013 -0400 + + compile fixes + + fs/exec.c | 2 +- + mm/mmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit e2d027c7e0f106be683c0c72482b8285daefcbe6 +Author: Brad Spengler +Date: Tue Jul 9 20:58:40 2013 -0400 + + commit successful merges + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 3 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 1 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 129 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/block/cpqarray.c | 1 + + drivers/cdrom/cdrom.c | 4 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/mwave/tp3780i.c | 1 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 9 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 184 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/resize.c | 17 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 234 ++- + fs/namespace.c | 16 + + fs/notify/fanotify/fanotify_user.c | 1 + + fs/open.c | 38 + + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/perf_event.h | 13 +- + include/linux/printk.h | 3 +- + include/linux/sched.h | 24 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 64 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 2 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 7 + + kernel/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 70 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 1 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 63 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev_ioctl.c | 4 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 4 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netrom/af_netrom.c | 1 - + net/phonet/af_phonet.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 343 +++- + security/apparmor/Kconfig | 9 + + security/apparmor/apparmorfs.c | 231 ++ + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 242 files changed, 4385 insertions(+), 2042 deletions(-) + +commit 043a378c0f72ed92cc30182c48abce39867ac93f +Author: Brad Spengler +Date: Tue Jul 9 20:57:40 2013 -0400 + + Commit merge of new files and rejected patches + + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/kernel/process.c | 4 +- + arch/powerpc/include/asm/thread_info.h | 7 +- + arch/powerpc/mm/slice.c | 2 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/x86/kernel/vm86_32.c | 15 + + fs/coredump.c | 1 + + fs/ext4/balloc.c | 4 +- + fs/namei.c | 7 + + fs/namespace.c | 8 + + fs/pipe.c | 2 +- + fs/proc/inode.c | 13 + + fs/proc/internal.h | 3 + + grsecurity/Kconfig | 1054 +++++++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 ++++ + grsecurity/gracl_ip.c | 387 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 434 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 +++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 +++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 246 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/gracl.h | 319 +++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 ++ + include/linux/grinternal.h | 227 ++ + include/linux/grmsg.h | 112 + + include/linux/grsecurity.h | 241 ++ + include/linux/grsock.h | 19 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/proc_fs.h | 13 + + include/linux/sched.h | 48 +- + include/trace/events/fs.h | 53 + + kernel/kmod.c | 7 +- + kernel/panic.c | 2 +- + kernel/posix-timers.c | 1 + + kernel/time/timekeeping.c | 2 + + lib/Kconfig.debug | 2 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/mmap.c | 13 +- + mm/shmem.c | 2 +- + net/core/net-procfs.c | 5 + + net/ipv6/udp.c | 3 + + net/netfilter/xt_gradm.c | 51 + + 66 files changed, 11184 insertions(+), 21 deletions(-) + +commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 +Author: Brad Spengler +Date: Tue Jul 9 17:35:47 2013 -0400 + + Initial import of pax-linux-3.10-test1.patch + + Documentation/dontdiff | 46 +- + Documentation/kernel-parameters.txt | 12 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 444 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 14 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 15 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 91 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 187 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 + + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 22 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 +- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 67 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 122 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 33 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 28 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 +- + arch/x86/kernel/entry_64.S | 548 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 237 +- + arch/x86/kernel/head_64.S | 143 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 2 + + arch/x86/kernel/setup.c | 21 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 61 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 70 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 363 +- + arch/x86/lib/usercopy_64.c | 13 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 556 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 98 +- + arch/x86/mm/init_32.c | 113 +- + arch/x86/mm/init_64.c | 38 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/genhd.c | 11 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/algapi.c | 2 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 6 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/attribute_container.c | 2 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/nbd.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 45 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clocksource/arm_arch_timer.c | 2 +- + drivers/clocksource/metag_generic.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_ondemand.c | 8 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 6 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 4 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vhost/vringh.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/output.c | 2 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 12 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 607 ++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/fhandle.c | 3 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/lockd/svc.c | 2 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 10 +- + fs/nfs/callback.c | 4 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfs/nfs4state.c | 2 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 61 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 12 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 40 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 4 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpu.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 15 + + include/linux/math64.h | 6 +- + include/linux/mm.h | 116 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 12 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-ohci-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/proc_ns.h | 2 +- + include/linux/random.h | 5 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 65 +- + include/linux/sched/sysctl.h | 1 + + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 42 +- + include/linux/slab_def.h | 28 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 8 +- + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 10 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 12 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/netns/ipv6.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 42 +- + init/main.c | 83 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditfilter.c | 2 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 38 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 30 +- + kernel/events/internal.h | 10 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 11 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 22 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 76 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 51 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 18 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 6 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 6 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 15 +- + mm/mmap.c | 606 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 4 +- + mm/page_alloc.c | 41 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 79 +- + mm/slab.h | 5 +- + mm/slab_common.c | 46 +- + mm/slob.c | 201 +- + mm/slub.c | 79 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 77 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_core.c | 8 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 18 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 8 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 4 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 29 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 676 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 2 +- + sound/sound_core.c | 2 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 172 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 560 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 ++ + tools/gcc/latent_entropy_plugin.c | 327 ++ + tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2114 +++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 277 + + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1607 files changed, 30734 insertions(+), 7318 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 +Author: Brad Spengler +Date: Thu Jul 4 23:05:14 2013 -0400 + + always enforce a non-zero gap for RAND_THREADSTACK + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 40d67e38a42d4e94b43b3d7400addc662b9857dc +Author: Brad Spengler +Date: Thu Jul 4 16:09:28 2013 -0400 + + fix up file comparisons + + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_sig.c | 4 ++-- + include/linux/grinternal.h | 12 ++++++++++++ + 3 files changed, 15 insertions(+), 3 deletions(-) + +commit a1fff2c95162314626dd96bec71d951a8c1c4708 +Author: Brad Spengler +Date: Thu Jul 4 15:33:18 2013 -0400 + + fix suid binary matching + + grsecurity/grsec_sig.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 00131c458eea5200971c8fc326e90fdb6c2d0baa +Merge: 37b97a9 47beb61 +Author: Brad Spengler +Date: Thu Jul 4 15:02:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 +Author: Brad Spengler +Date: Thu Jul 4 15:01:37 2013 -0400 + + Update to pax-linux-3.9.9-test13.patch: + - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) + - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) + + arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- + arch/arm/kernel/armksyms.c | 2 +- + arch/arm/kernel/entry-armv.S | 4 ++-- + arch/arm/mm/Kconfig | 2 +- + arch/x86/ia32/ia32entry.S | 4 ++-- + arch/x86/include/asm/page.h | 1 + + arch/x86/kernel/entry_32.S | 4 ++-- + arch/x86/kernel/entry_64.S | 8 ++++---- + arch/x86/kernel/head64.c | 12 ++++++------ + arch/x86/kernel/head_64.S | 16 ++++++++++++---- + arch/x86/mm/init.c | 8 ++++++++ + arch/x86/mm/init_32.c | 6 ------ + arch/x86/mm/init_64.c | 6 ------ + arch/x86/platform/efi/efi_32.c | 5 +++++ + arch/x86/platform/efi/efi_64.c | 10 ++++++++++ + 15 files changed, 64 insertions(+), 44 deletions(-) + +commit 89085d2d0643813a62f23d1199a335dc1e129bc0 +Merge: 963af7f 0adf2e7 +Author: Brad Spengler +Date: Thu Jul 4 14:55:44 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 +Author: Brad Spengler +Date: Thu Jul 4 13:46:02 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 +Author: Brad Spengler +Date: Thu Jul 4 13:29:51 2013 -0400 + + update log arguments + + grsecurity/grsec_sig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 +Author: Brad Spengler +Date: Thu Jul 4 13:20:23 2013 -0400 + + Update logging of suid exec ban + + Conflicts: + + grsecurity/grsec_sig.c + + grsecurity/grsec_sig.c | 3 +-- + include/linux/grmsg.h | 1 + + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit ef808866c070aa1901bd2224521baaf5d145a3a7 +Author: Brad Spengler +Date: Thu Jul 4 12:58:33 2013 -0400 + + Additional improvements to the user banning code: + + Separate the kernel-bruteforcing case from the suid bruteforcing case + In the suid bruteforcing case, only kill existing copies of the bruteforced + binary. Instead of preventing all future execs by this user, prevent them + from executing any suid/sgid binaries for the next 15 minutes. + + Kernel case is mostly unchanged from before, except the task trying to change + real uid to the banned user will be terminated instead of failing the setuid + call. + + Configuration help has been updated to reflect the new changes. + + fs/exec.c | 13 +++++--- + grsecurity/Kconfig | 5 ++- + grsecurity/gracl.c | 6 ++-- + grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ + include/linux/grsecurity.h | 1 - + include/linux/sched.h | 9 +++-- + 6 files changed, 65 insertions(+), 45 deletions(-) + +commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 +Author: Brad Spengler +Date: Wed Jul 3 16:14:09 2013 -0400 + + fix renamed export of csum_partial_copy_from_user, as reported by fabled + on the forums + + arch/arm/kernel/armksyms.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 318235973c2a548c3d25562645d6b69f66e85934 +Author: Brad Spengler +Date: Wed Jul 3 16:09:16 2013 -0400 + + make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error + reported on the forums by fabled + + arch/arm/mm/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b569a7f60fab7a522d8c142765c8b847bbce8a1e +Author: Brad Spengler +Date: Wed Jul 3 15:53:12 2013 -0400 + + Revise the user ban code to kill the process issuing a banned + set*id instead of returning an error. For the sake of keeping + unified user banning between the suid and kernel bruteforce case, + we will apply this killing to the suid bruteforce case, despite + a check just at exec time (that already existed) being sufficient. + + Returning an error could enable exploitation of the "failure to check + setuid return value" case which was recently effectively closed + upstream, albeit in a rare situation with a suitable binary and + two colluding users. + + Many thanks to stealth for reviewing the user ban code. + + grsecurity/gracl.c | 4 ++-- + grsecurity/grsec_sig.c | 16 +++++++++++++--- + 2 files changed, 15 insertions(+), 5 deletions(-) + +commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f +Author: Artem Bityutskiy +Date: Fri Jun 28 14:15:15 2013 +0300 + + Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d + + UBIFS: fix a horrid bug + + Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no + mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are + in the middle of 'ubifs_readdir()'. + + This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses + it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, + but this may corrupt memory and lead to all kinds of problems like crashes an + security holes. + + This patch fixes the problem by using the 'file->f_version' field, which + '->llseek()' always unconditionally sets to zero. We set it to 1 in + 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a + seek and it is time to clear the state saved in 'file->private_data'. + + I tested this patch by writing a user-space program which runds readdir and + seek in parallell. I could easily crash the kernel without these patches, but + could not crash it with these patches. + + Cc: stable@vger.kernel.org + Reported-by: Al Viro + Tested-by: Artem Bityutskiy + Signed-off-by: Artem Bityutskiy + Signed-off-by: Al Viro + + fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- + 1 files changed, 27 insertions(+), 3 deletions(-) + +commit c22280b85088978bd8b45bd23096879459b48008 +Author: Stephane Eranian +Date: Thu Jun 20 11:36:28 2013 +0200 + + Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 + + perf: Disable monitoring on setuid processes for regular users + + There was a a bug in setup_new_exec(), whereby + the test to disabled perf monitoring was not + correct because the new credentials for the + process were not yet committed and therefore + the get_dumpable() test was never firing. + + The patch fixes the problem by moving the + perf_event test until after the credentials + are committed. + + Signed-off-by: Stephane Eranian + Tested-by: Jiri Olsa + Acked-by: Peter Zijlstra + Cc: + Signed-off-by: Ingo Molnar + + fs/exec.c | 16 +++++++++------- + 1 files changed, 9 insertions(+), 7 deletions(-) + +commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 +Author: Brad Spengler +Date: Sat Jun 29 13:10:02 2013 -0400 + + on context switch, make sure we switch DACR when domain support and + KERNEXEC is disabled but UDEREF is enabled + + arch/arm/kernel/entry-armv.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 08d017fa51370921694ce087b28c96fec92993d4 +Author: Michael S. Tsirkin +Date: Sun Jun 23 17:26:58 2013 +0300 + + Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 + + macvtap: fix recovery from gup errors + + get user pages might fail partially in macvtap zero copy + mode. To recover we need to put all pages that we got, + but code used a wrong index resulting in double-free + errors. + + Reported-by: Brad Hubbard + Signed-off-by: Michael S. Tsirkin + Acked-by: Jason Wang + Signed-off-by: David S. Miller + + drivers/net/macvtap.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be +Author: Michael S. Tsirkin +Date: Sun Jun 23 17:19:03 2013 +0300 + + Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 + + tun: fix recovery from gup errors + + get user pages might fail partially in tun zero copy + mode. To recover we need to put all pages that we got, + but code used a wrong index resulting in double-free + errors. + + Reported-by: Brad Hubbard + Signed-off-by: Michael S. Tsirkin + Acked-by: Jason Wang + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + drivers/net/tun.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 +Author: Balazs Peter Odor +Date: Sat Jun 22 19:24:43 2013 +0200 + + Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 + + netfilter: nf_nat_sip: fix mangling + + In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) + there were some missing brackets around the logging information, thus + always returning drop. + + Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 + + Signed-off-by: Balazs Peter Odor + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_nat_sip.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 +Author: Anderson Lizardo +Date: Sun Jun 2 16:30:40 2013 -0400 + + Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d + + Bluetooth: Fix crash in l2cap_build_cmd() with small MTU + + If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus + controller, memory corruption happens due to a memcpy() call with + negative length. + + Fix this crash on either incoming or outgoing connections with a MTU + smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: + + [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 + [ 46.888037] IP: [] memcpy+0x1d/0x40 + [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 + [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC + [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common + [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 + [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 + [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] + [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 + [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 + [ 46.888037] EIP is at memcpy+0x1d/0x40 + [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 + [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c + [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 + [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 + [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 + [ 46.888037] DR6: ffff0ff0 DR7: 00000400 + [ 46.888037] Stack: + [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 + [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 + [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 + [ 46.888037] Call Trace: + [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] + [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] + [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] + [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 + [ 46.888037] [] ? mark_held_locks+0x68/0x110 + [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 + [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 + [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 + [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 + [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 + [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] + [ 46.888037] [] ? mark_held_locks+0x68/0x110 + [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 + [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 + [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] + [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] + [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] + [ 46.888037] [] process_one_work+0x1a9/0x600 + [ 46.888037] [] ? process_one_work+0x12b/0x600 + [ 46.888037] [] ? worker_thread+0x19e/0x320 + [ 46.888037] [] ? worker_thread+0x19e/0x320 + [ 46.888037] [] worker_thread+0xf7/0x320 + [ 46.888037] [] ? rescuer_thread+0x290/0x290 + [ 46.888037] [] kthread+0xa8/0xb0 + [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 + [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 + [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 + [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c + [ 46.888037] CR2: 00000000f56ad000 + [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- + + Signed-off-by: Anderson Lizardo + Cc: stable@vger.kernel.org + Signed-off-by: Gustavo Padovan + Signed-off-by: John W. Linville + + net/bluetooth/l2cap_core.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit b0471b6c1160858fc646d8e94628fd1299f61692 +Author: Jaganath Kanakkassery +Date: Fri Jun 21 19:55:11 2013 +0530 + + Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 + + Bluetooth: Fix invalid length check in l2cap_information_rsp() + + The length check is invalid since the length varies with type of + info response. + + This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 + + Because of this, l2cap info rsp is not handled and command reject is sent. + + > ACL data: handle 11 flags 0x02 dlen 16 + L2CAP(s): Info rsp: type 2 result 0 + Extended feature mask 0x00b8 + Enhanced Retransmission mode + Streaming mode + FCS Option + Fixed Channels + < ACL data: handle 11 flags 0x00 dlen 10 + L2CAP(s): Command rej: reason 0 + Command not understood + + Cc: stable@vger.kernel.org + Signed-off-by: Jaganath Kanakkassery + Signed-off-by: Chan-Yeol Park + Acked-by: Johan Hedberg + Signed-off-by: Gustavo Padovan + + net/bluetooth/l2cap_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4184af98c360d825e638b268b1a9847232e8d299 +Author: Eric Dumazet +Date: Wed Jun 26 04:15:07 2013 -0700 + + Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 + + ipv6: ip6_sk_dst_check() must not assume ipv6 dst + + It's possible to use AF_INET6 sockets and to connect to an IPv4 + destination. After this, socket dst cache is a pointer to a rtable, + not rt6_info. + + ip6_sk_dst_check() should check the socket dst cache is IPv6, or else + various corruptions/crashes can happen. + + Dave Jones can reproduce immediate crash with + trinity -q -l off -n -c sendmsg -c connect + + With help from Hannes Frederic Sowa + + Reported-by: Dave Jones + Reported-by: Hannes Frederic Sowa + Signed-off-by: Eric Dumazet + Acked-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletions(-) + +commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 +Author: Zefan Li +Date: Wed Jun 26 15:29:54 2013 +0800 + + Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 + + dlci: acquire rtnl_lock before calling __dev_get_by_name() + + Otherwise the net device returned can be freed at anytime. + + Signed-off-by: Li Zefan + Cc: stable@vger.kernel.org + Signed-off-by: David S. Miller + + drivers/net/wan/dlci.c | 14 +++++++++----- + 1 files changed, 9 insertions(+), 5 deletions(-) + +commit 1fe6f23c9acd14d832d056909ff326bde418e645 +Author: Zefan Li +Date: Wed Jun 26 15:31:58 2013 +0800 + + Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a + + dlci: validate the net device in dlci_del() + + We triggered an oops while running trinity with 3.4 kernel: + + BUG: unable to handle kernel paging request at 0000000100000d07 + IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] + PGD 640c0d067 PUD 0 + Oops: 0000 [#1] PREEMPT SMP + CPU 3 + ... + Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA + RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] + ... + Call Trace: + [] sock_ioctl+0x153/0x280 + [] do_vfs_ioctl+0xa4/0x5e0 + [] ? fget_light+0x3ea/0x490 + [] sys_ioctl+0x4f/0x80 + [] system_call_fastpath+0x16/0x1b + ... + + It's because the net device is not a dlci device. + + Reported-by: Li Jinyue + Signed-off-by: Li Zefan + Cc: stable@vger.kernel.org + Signed-off-by: David S. Miller + + drivers/net/wan/dlci.c | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +commit 4d4464407611527ef6b6b5475cfcab6121b3da66 +Merge: 59571a9 963af7f +Author: Brad Spengler +Date: Thu Jun 27 18:54:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 963af7f7f591759b731ce6325ceb583a72fcf423 +Merge: c51e25a 55db48a +Author: Brad Spengler +Date: Thu Jun 27 18:54:42 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 59571a9db7485f530a1e865a13cacc4c991ec41f +Author: Brad Spengler +Date: Wed Jun 26 18:39:08 2013 -0400 + + From: Mathias Krause + To: Steffen Klassert , + "David S. Miller" + Cc: Mathias Krause , netdev@vger.kernel.org, + Herbert Xu + Subject: [PATCH] af_key: fix info leaks in notify messages + + key_notify_sa_flush() and key_notify_policy_flush() miss to initialize + the sadb_msg_reserved member of the broadcasted message and thereby + leak 2 bytes of heap memory to listeners. Fix that. + + Signed-off-by: Mathias Krause + Cc: Steffen Klassert + Cc: "David S. Miller" + Cc: Herbert Xu + + net/key/af_key.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 +Author: Brad Spengler +Date: Wed Jun 26 18:33:06 2013 -0400 + + update rand_threadstack code to continue the search for a gap if the first + choice doesn't have enough space, instead of returning ENOMEM + + mm/mmap.c | 17 ++++++++++------- + 1 files changed, 10 insertions(+), 7 deletions(-) + +commit 87020d4a4d83038d65ff1fd519938840f6888b9e +Merge: 2682346 c51e25a +Author: Brad Spengler +Date: Wed Jun 26 18:25:32 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c51e25a23f30a1198076bd085f19b2073caf164d +Author: Brad Spengler +Date: Wed Jun 26 18:24:54 2013 -0400 + + Update to pax-linux-3.9.7-test12.patch: + - fixed a regression on PARAVIRT/amd64 kernels + - simplified the recent vm_unmapped_area_info based change + + arch/x86/kernel/entry_64.S | 8 ++++---- + mm/mmap.c | 22 ++++++++++++---------- + 2 files changed, 16 insertions(+), 14 deletions(-) + +commit 26823469a08e59cb67bea18d448d9e8c65f82e08 +Author: Brad Spengler +Date: Tue Jun 25 21:26:51 2013 -0400 + + re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX + vm_unmapped_area code is complete + + arch/x86/kernel/sys_i386_32.c | 5 +++++ + grsecurity/Kconfig | 2 +- + mm/mmap.c | 11 ++++++++++- + 3 files changed, 16 insertions(+), 2 deletions(-) + +commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 +Merge: e58fe8c c4e0704 +Author: Brad Spengler +Date: Tue Jun 25 19:08:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/sys_i386_32.c + +commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 +Author: Brad Spengler +Date: Tue Jun 25 19:05:39 2013 -0400 + + Update to pax-linux-3.9.7-test11.patch: + - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) + - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure + - fixed the recent nested nmi related fixes some more + - fixed a regression in kernel memory initialization on relocatable i386 kernels + - empty_zero_page can be read-only on amd64 as well + + arch/arm/mm/mmap.c | 6 -- + arch/x86/kernel/entry_64.S | 8 +-- + arch/x86/kernel/head_64.S | 1 - + arch/x86/kernel/setup.c | 2 +- + arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- + drivers/lguest/core.c | 2 +- + include/linux/mm.h | 6 +- + include/linux/vmalloc.h | 2 +- + mm/mmap.c | 30 +++++++- + 9 files changed, 83 insertions(+), 134 deletions(-) + +commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d +Author: Brad Spengler +Date: Sun Jun 23 14:37:14 2013 -0400 + + second compile fix, reported by forsaken on forums + + include/linux/vmalloc.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f +Author: Brad Spengler +Date: Sun Jun 23 14:36:35 2013 -0400 + + compile fix, reported by KDE on forums + + kernel/printk.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit 1fc9a5e2e267205d28302e1e86ca0da434561111 +Author: Ben Hutchings +Date: Sun Jun 16 21:27:12 2013 +0100 + + Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d + + x86/efi: Fix dummy variable buffer allocation + + 1. Check for allocation failure + 2. Clear the buffer contents, as they may actually be written to flash + 3. Don't leak the buffer + + Compile-tested only. + + [ Tested successfully on my buggy ASUS machine - Matt ] + + Signed-off-by: Ben Hutchings + Cc: stable@vger.kernel.org + Signed-off-by: Matt Fleming + + arch/x86/platform/efi/efi.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 +Author: Dave Kleikamp +Date: Tue Jun 18 09:05:36 2013 -0500 + + Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 + + sparc: tsb must be flushed before tlb + + This fixes a race where a cpu may re-load a tlb from a stale tsb right + after it has been flushed by a remote function call. + + I still see some instability when stressing the system with parallel + kernel builds while creating memory pressure by writing to + /proc/sys/vm/nr_hugepages, but this patch improves the stability + significantly. + + Signed-off-by: Dave Kleikamp + Acked-by: Bob Picco + Signed-off-by: David S. Miller + + arch/sparc/mm/tlb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d93b62f6485db9aadda34322a6867868db07f56f +Merge: 4ef62f5 71d83e9 +Author: Brad Spengler +Date: Fri Jun 21 16:52:55 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 71d83e97c936563913bcfb5a25c45b2021a331eb +Author: Brad Spengler +Date: Fri Jun 21 16:48:42 2013 -0400 + + Update to pax-linux-3.9.7-test10.patch: + - fixed a few format string problems uncovered by -Wformat-nonliteral + - another attempt at fixing the nested nmi/cr0.wp problem + - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) + - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) + - fixed a locking issue with track_exec_limit reported by spender + - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) + + Documentation/dontdiff | 1 + + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ + arch/x86/kernel/vmlinux.lds.S | 2 +- + block/genhd.c | 11 +++-- + crypto/algapi.c | 2 +- + crypto/pcrypt.c | 6 +- + drivers/base/attribute_container.c | 2 +- + drivers/base/power/sysfs.c | 2 +- + drivers/block/nbd.c | 2 +- + drivers/cdrom/cdrom.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/mem.c | 2 +- + drivers/devfreq/devfreq.c | 2 +- + drivers/gpu/drm/drm_encoder_slave.c | 6 +-- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/iommu/irq_remapping.c | 2 +- + drivers/video/output.c | 2 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 2 +- + fs/lockd/svc.c | 2 +- + fs/nfs/callback.c | 4 +- + fs/nfs/nfs4state.c | 2 +- + fs/nfsd/nfscache.c | 3 +- + init/initramfs.c | 2 +- + kernel/rcutree.c | 2 +- + lib/kobject.c | 2 +- + mm/backing-dev.c | 4 +- + mm/mmap.c | 4 +- + mm/slub.c | 2 +- + mm/vmalloc.c | 15 +++---- + net/bluetooth/hci_core.c | 8 ++-- + net/netfilter/nf_conntrack_proto_dccp.c | 4 +- + net/sunrpc/svc.c | 2 +- + security/Kconfig | 15 +++--- + sound/core/sound.c | 2 +- + sound/sound_core.c | 2 +- + 40 files changed, 116 insertions(+), 111 deletions(-) + +commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c +Merge: 39efd8f 256eff7 +Author: Brad Spengler +Date: Fri Jun 21 16:45:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + kernel/printk.c + +commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 +Merge: e6e3059 485f25f +Author: Brad Spengler +Date: Thu Jun 20 22:14:24 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d +Author: Brad Spengler +Date: Tue Jun 18 17:20:18 2013 -0400 + + add apparmor compat patch + + security/apparmor/Kconfig | 9 ++ + security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 240 insertions(+), 0 deletions(-) + +commit 49bee3c5341687504669bf62becf4a419a226ba0 +Author: Brad Spengler +Date: Mon Jun 17 18:48:04 2013 -0400 + + Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" + + This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. + + kernel/sys.c | 29 +++-------------------------- + 1 files changed, 3 insertions(+), 26 deletions(-) + +commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 +Author: Al Viro +Date: Sun Jun 16 18:06:06 2013 +0100 + + Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 + + lseek(fd, n, SEEK_END) does *not* go to eof - n + + When you copy some code, you are supposed to read it. If nothing else, + there's a chance to spot and fix an obvious bug instead of sharing it... + + X-Song: "I Got It From Agnes", by Tom Lehrer + Signed-off-by: Al Viro + [ Tom Lehrer? You're dating yourself, Al ] + Signed-off-by: Linus Torvalds + + drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- + drivers/scsi/bfa/bfad_debugfs.c | 2 +- + drivers/scsi/fnic/fnic_debugfs.c | 2 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +commit 5a450f1c46f0c84379518aee878993d3f4a331b6 +Author: Theodore Ts'o +Date: Thu Jun 6 11:14:31 2013 -0400 + + Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 + + ext4: verify group number in verify_group_input() before using it + + Check the group number for sanity earilier, before calling routines + such as ext4_bg_has_super() or ext4_group_overhead_blocks(). + + Reported-by: Jonathan Salwan + Signed-off-by: "Theodore Ts'o" + + fs/ext4/resize.c | 17 +++++++++++------ + 1 files changed, 11 insertions(+), 6 deletions(-) + +commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 +Author: Neil Horman +Date: Wed Jun 12 14:26:44 2013 -0400 + + Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 + + sctp: fully initialize sctp_outq in sctp_outq_init + + In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 + (refactor sctp_outq_teardown to insure proper re-initalization) + we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the + outq structure. Steve West recently asked me why I removed the q->error = 0 + initalization from sctp_outq_teardown. I did so because I was operating under + the impression that sctp_outq_init would properly initalize that value for us, + but it doesn't. sctp_outq_init operates under the assumption that the outq + struct is all 0's (as it is when called from sctp_association_init), but using + it in __sctp_outq_teardown violates that assumption. We should do a memset in + sctp_outq_init to ensure that the entire structure is in a known state there + instead. + + Signed-off-by: Neil Horman + Reported-by: "West, Steve (NSN - US/Fort Worth)" + CC: Vlad Yasevich + CC: netdev@vger.kernel.org + CC: davem@davemloft.net + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + Conflicts: + + net/sctp/outqueue.c + + net/sctp/outqueue.c | 8 ++------ + 1 files changed, 2 insertions(+), 6 deletions(-) + +commit e13515ad7a9c7634599a105b2527752e527a905d +Author: Saurabh Mohan +Date: Mon Jun 10 17:45:10 2013 -0700 + + Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 + + net/ipv4: ip_vti clear skb cb before tunneling. + + If users apply shaper to vti tunnel then it will cause a kernel crash. The + problem seems to be due to the vti_tunnel_xmit function not clearing + skb->opt field before passing the packet to xfrm tunneling code. + + Signed-off-by: Saurabh Mohan + Acked-by: Stephen Hemminger + Signed-off-by: David S. Miller + + net/ipv4/ip_vti.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 +Author: Guillaume Nault +Date: Wed Jun 12 16:07:36 2013 +0200 + + Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 + + l2tp: Fix sendmsg() return value + + PPPoL2TP sockets should comply with the standard send*() return values + (i.e. return number of bytes sent instead of 0 upon success). + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit af361b412e816e894fb42ddff7a0545b7def64c0 +Author: Guillaume Nault +Date: Wed Jun 12 16:07:23 2013 +0200 + + Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 + + l2tp: Fix PPP header erasure and memory leak + + Copy user data after PPP framing header. This prevents erasure of the + added PPP header and avoids leaking two bytes of uninitialised memory + at the end of skb's data buffer. + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1f43aca088c35dda35abf76e08544e534c71fed4 +Author: Daniel Borkmann +Date: Wed Jun 12 16:02:27 2013 +0200 + + Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe + + packet: packet_getname_spkt: make sure string is always 0-terminated + + uaddr->sa_data is exactly of size 14, which is hard-coded here and + passed as a size argument to strncpy(). A device name can be of size + IFNAMSIZ (== 16), meaning we might leave the destination string + unterminated. Thus, use strlcpy() and also sizeof() while we're + at it. We need to memset the data area beforehand, since strlcpy + does not padd the remaining buffer with zeroes for user space, so + that we do not possibly leak anything. + + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + net/packet/af_packet.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f +Author: Andy Lutomirski +Date: Wed Jun 5 19:38:26 2013 +0000 + + Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab + + net: Unbreak compat_sys_{send,recv}msg + + I broke them in this commit: + + commit 1be374a0518a288147c6a7398792583200a67261 + Author: Andy Lutomirski + Date: Wed May 22 14:07:44 2013 -0700 + + net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept + MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It + also reverts some unnecessary checks in sys_socketcall. + + Apparently I was suffering from underscore blindness the first time around. + + Signed-off-by: Andy Lutomirski + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + + include/linux/socket.h | 3 ++ + net/compat.c | 13 +++++++- + net/socket.c | 72 ++++++++++++++++++++++-------------------------- + 3 files changed, 47 insertions(+), 41 deletions(-) + +commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f +Author: Andy Lutomirski +Date: Wed May 22 14:07:44 2013 -0700 + + Upstream commit: 1be374a0518a288147c6a7398792583200a67261 + + net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + To: linux-kernel@vger.kernel.org + Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. + Miller" + Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- + it's a hack that steals a bit to indicate to other networking code + that a compat entry was used. So don't allow it from a non-compat + syscall. + + This prevents an oops when running this code: + + int main() + { + int s; + struct sockaddr_in addr; + struct msghdr *hdr; + + char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); + if (highpage == MAP_FAILED) + err(1, "mmap"); + + s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if (s == -1) + err(1, "socket"); + + addr.sin_family = AF_INET; + addr.sin_port = htons(1); + addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) + err(1, "connect"); + + void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; + printf("Evil address is %p\n", evil); + + if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) + err(1, "sendmmsg"); + + return 0; + } + + Cc: David S. Miller + Signed-off-by: Andy Lutomirski + Signed-off-by: David S. Miller + + net/socket.c | 33 +++++++++++++++++++++++++++++++-- + 1 files changed, 31 insertions(+), 2 deletions(-) + +commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e +Author: Kees Cook +Date: Fri May 10 14:48:21 2013 -0700 + + Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c + + b43: stop format string leaking into error msgs + + The module parameter "fwpostfix" is userspace controllable, unfiltered, + and is used to define the firmware filename. b43_do_request_fw() populates + ctx->errors[] on error, containing the firmware filename. b43err() + parses its arguments as a format string. For systems with b43 hardware, + this could lead to a uid-0 to ring-0 escalation. + + CVE-2013-2852 + + Signed-off-by: Kees Cook + Cc: stable@vger.kernel.org + Signed-off-by: John W. Linville + + drivers/net/wireless/b43/main.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit dfb67a67049ace7b94ad7e2febfac69816d50d85 +Author: Mark A. Greer +Date: Wed May 29 12:25:34 2013 -0700 + + Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 + + mwifiex: debugfs: Fix out of bounds array access + + When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', + the following panic occurs: + + $ cat /sys/kernel/debug/mwifiex/p2p0/info + Unable to handle kernel paging request at virtual address 74706164 + pgd = de530000 + [74706164] *pgd=00000000 + Internal error: Oops: 5 [#1] SMP ARM + Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex + CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 + task: de16b6c0 ti: de048000 task.ti: de048000 + PC is at strnlen+0xc/0x4c + LR is at string+0x3c/0xf8 + pc : [] lr : [] psr: a0000013 + sp : de049e10 ip : c06efba0 fp : de6d2092 + r10: bf01a260 r9 : ffffffff r8 : 74706164 + r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 + r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 + Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user + Control: 10c5387d Table: 9e530019 DAC: 00000015 + Process cat (pid: 1635, stack limit = 0xde048240) + Stack: (0xde049e10 to 0xde04a000) + 9e00: de6d2092 00000002 bf01a25e de6d209c + 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 + 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 + 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 + 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 + 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 + 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 + 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 + 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 + 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 + 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 + 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 + 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 + 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd + [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) + [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) + [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) + [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) + [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) + [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) + [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) + Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) + ---[ end trace ca98273dc605a04f ]--- + + The panic is caused by the mwifiex_info_read() routine assuming that + there can only be four modes (0-3) which is an invalid assumption. + For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the + code accesses data beyond the bounds of the bss_modes[] array which + causes the panic. Fix this by updating bss_modes[] to support the + current list of modes and adding a check to prevent the out-of-bounds + access from occuring in the future when more modes are added. + + Signed-off-by: Mark A. Greer + Acked-by: Bing Zhao + Signed-off-by: John W. Linville + + drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- + 1 files changed, 17 insertions(+), 5 deletions(-) + +commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 +Author: Johan Hedberg +Date: Tue May 28 13:46:30 2013 +0300 + + Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 + + Bluetooth: Fix missing length checks for L2CAP signalling PDUs + + There has been code in place to check that the L2CAP length header + matches the amount of data received, but many PDU handlers have not been + checking that the data received actually matches that expected by the + specific PDU. This patch adds passing the length header to the specific + handler functions and ensures that those functions fail cleanly in the + case of an incorrect amount of data. + + Signed-off-by: Johan Hedberg + Cc: stable@vger.kernel.org + Signed-off-by: Gustavo Padovan + Signed-off-by: John W. Linville + + net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- + 1 files changed, 52 insertions(+), 18 deletions(-) + +commit 628be2427afb241b5a1aa24bc5907d05287e1f25 +Author: Dan Carpenter +Date: Mon Jun 3 12:00:49 2013 +0300 + + Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 + + ipvs: info leak in __ip_vs_get_dest_entries() + + The entry struct has a 2 byte hole after ->port and another 4 byte + hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your + namespace to hit this information leak. + + Signed-off-by: Dan Carpenter + Acked-by: Julian Anastasov + Signed-off-by: Simon Horman + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/ipvs/ip_vs_ctl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 066d9226bc6c569d5f420c978b758e0bddd23444 +Author: Robin Holt +Date: Wed Jun 12 14:04:37 2013 -0700 + + Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db + + reboot: rigrate shutdown/reboot to boot cpu + + We recently noticed that reboot of a 1024 cpu machine takes approx 16 + minutes of just stopping the cpus. The slowdown was tracked to commit + f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in + kernel_restart()"). + + The current implementation does all the work of hot removing the cpus + before halting the system. We are switching to just migrating to the + boot cpu and then continuing with shutdown/reboot. + + This also has the effect of not breaking x86's command line parameter + for specifying the reboot cpu. Note, this code was shamelessly copied + from arch/x86/kernel/reboot.c with bits removed pertaining to the + reboot_cpu command line parameter. + + Signed-off-by: Robin Holt + Tested-by: Shawn Guo + Cc: "Srivatsa S. Bhat" + Cc: H. Peter Anvin + Cc: Thomas Gleixner + Cc: Ingo Molnar + Cc: Russ Anderson + Cc: Robin Holt + Cc: Russell King + Cc: Guan Xuetao + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/sys.c | 29 ++++++++++++++++++++++++++--- + 1 files changed, 26 insertions(+), 3 deletions(-) + +commit 94e2a91600b07d39825e7059195f35eb611a39a2 +Merge: 20cc761 e6e3059 +Author: Brad Spengler +Date: Thu Jun 13 16:23:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a +Merge: c6aadb1 4b73feb +Author: Brad Spengler +Date: Thu Jun 13 16:23:39 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 20cc7613e38cde07adc73179a91d6c15292e8d43 +Author: Daniel Borkmann +Date: Thu Jun 6 15:53:47 2013 +0200 + + Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c + + net: sctp: fix NULL pointer dereference in socket destruction + + While stress testing sctp sockets, I hit the following panic: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: [] sctp_endpoint_free+0xe/0x40 [sctp] + PGD 7cead067 PUD 7ce76067 PMD 0 + Oops: 0000 [#1] SMP + Modules linked in: sctp(F) libcrc32c(F) [...] + CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 + Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 + task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 + RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] + RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 + RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 + RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 + RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 + FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + Stack: + ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded + ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e + 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e + Call Trace: + [] sctp_destroy_sock+0x3d/0x80 [sctp] + [] sk_common_release+0x1e/0xf0 + [] inet_create+0x2ae/0x350 + [] __sock_create+0x11f/0x240 + [] sock_create+0x30/0x40 + [] SyS_socket+0x4c/0xc0 + [] ? do_page_fault+0xe/0x10 + [] ? page_fault+0x22/0x30 + [] system_call_fastpath+0x16/0x1b + Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f + 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> + 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 + RIP [] sctp_endpoint_free+0xe/0x40 [sctp] + RSP + CR2: 0000000000000020 + ---[ end trace e0d71ec1108c1dd9 ]--- + + I did not hit this with the lksctp-tools functional tests, but with a + small, multi-threaded test program, that heavily allocates, binds, + listens and waits in accept on sctp sockets, and then randomly kills + some of them (no need for an actual client in this case to hit this). + Then, again, allocating, binding, etc, and then killing child processes. + + This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' + is set. The cause for that is actually very simple: in sctp_endpoint_init() + we enter the path of sctp_auth_init_hmacs(). There, we try to allocate + our crypto transforms through crypto_alloc_hash(). In our scenario, + it then can happen that crypto_alloc_hash() fails with -EINTR from + crypto_larval_wait(), thus we bail out and release the socket via + sk_common_release(), sctp_destroy_sock() and hit the NULL pointer + dereference as soon as we try to access members in the endpoint during + sctp_endpoint_free(), since endpoint at that time is still NULL. Now, + if we have that case, we do not need to do any cleanup work and just + leave the destruction handler. + + Signed-off-by: Daniel Borkmann + Acked-by: Neil Horman + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/socket.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 386ba837978cc8a1111440bdcd8600f2df4634a4 +Author: Brad Spengler +Date: Wed Jun 12 20:37:48 2013 -0400 + + fix deadlock when booting i386 kernel without NX + + mm/mmap.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 +Author: Brad Spengler +Date: Tue Jun 11 22:18:07 2013 -0400 + + fix elif / elif defined() typo in recent change + + kernel/events/core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit bc43377e1e757cd37a06be0187884a42af718aab +Merge: 3cdea63 c6aadb1 +Author: Brad Spengler +Date: Tue Jun 11 18:50:39 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 +Author: Brad Spengler +Date: Tue Jun 11 18:49:36 2013 -0400 + + Update to pax-linux-3.9.4-test9.patch: + - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) + - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort + + arch/x86/kernel/setup.c | 2 +- + mm/mlock.c | 1 - + 2 files changed, 1 insertions(+), 2 deletions(-) + +commit 3cdea63e90607d8d55820b101854091623feedb8 +Author: Brad Spengler +Date: Mon Jun 10 21:21:44 2013 -0400 + + Fix fanotify infoleak reported by Dan Carpenter at: + https://lkml.org/lkml/2013/6/3/128 + + Requires CAP_SYS_ADMIN, so this is about as low priority as it gets + + fs/notify/fanotify/fanotify_user.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 373a2b5df78f82b9d3db72bd6577e29a71591323 +Author: Brad Spengler +Date: Mon Jun 10 21:16:46 2013 -0400 + + Backport infoleak fix by Dan Carpenter in cpqarray: + https://lkml.org/lkml/2013/6/3/131 + + drivers/block/cpqarray.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 251e84b9b05e063981b20be154c9389862f94759 +Author: Brad Spengler +Date: Mon Jun 10 21:04:17 2013 -0400 + + Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 + + drivers/cdrom/cdrom.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 383d89bf95818b05a485a6e8b118963b5bcbc83e +Author: Brad Spengler +Date: Mon Jun 10 18:34:32 2013 -0400 + + change const to __read_only + + kernel/sysctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 +Author: Brad Spengler +Date: Mon Jun 10 17:34:13 2013 -0400 + + compile fix, make const values const + + kernel/sysctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d +Author: Brad Spengler +Date: Mon Jun 10 17:37:13 2013 -0400 + + Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a + + drivers/char/mwave/tp3780i.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1c590aa70c95ebd76ba9672aa23d800b81780615 +Author: Brad Spengler +Date: Sun Jun 9 19:50:35 2013 -0400 + + allow -1 perf_event_paranoid + + kernel/sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 +Merge: 4e85539 117c3fa +Author: Brad Spengler +Date: Sun Jun 9 17:30:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 117c3fa8d26c3806103123560f807d99071b60b6 +Merge: ed9b427 5dd2e98 +Author: Brad Spengler +Date: Sun Jun 9 17:30:00 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 +Author: Eric Dumazet +Date: Mon May 13 21:25:52 2013 +0000 + + Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e + + tcp: fix tcp_md5_hash_skb_data() + + TCP md5 communications fail [1] for some devices, because sg/crypto code + assume page offsets are below PAGE_SIZE. + + This was discovered using mlx4 driver [2], but I suspect loopback + might trigger the same bug now we use order-3 pages in tcp_sendmsg() + + [1] Failure is giving following messages. + + huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, + exited with 00000101? + + [2] mlx4 driver uses order-2 pages to allocate RX frags + + Reported-by: Matt Schnall + Signed-off-by: Eric Dumazet + Cc: Bernhard Beck + Signed-off-by: David S. Miller + + net/ipv4/tcp.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb +Author: Eric Dumazet +Date: Fri May 17 04:53:13 2013 +0000 + + Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a + + ipv6: fix possible crashes in ip6_cork_release() + + commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") + added some code duplication and bad error recovery, leading to potential + crash in ip6_cork_release() as kfree() could be called with garbage. + + use kzalloc() to make sure this wont happen. + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + Cc: Herbert Xu + Cc: Hideaki YOSHIFUJI + Cc: Neal Cardwell + + net/ipv6/ip6_output.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5771263fe368cd384127dd17d7596a7e1a4e2eec +Author: Chen Gang +Date: Thu May 16 23:13:04 2013 +0000 + + Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 + + net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. + + 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the + strncpy() will always left the last byte of 'discovery->data.info' + uninitialized. + + When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left + the last byte of 'discovery->data.info' uninitialized, the next + strlen() will cause issue. + + Also 'discovery->data' is 'struct irda_device_info' which defined in + "include/uapi/...", it may copy to user mode, so need whole initialized. + + All together, need use kzalloc() instead of kmalloc() to initialize all + members firstly. + + Signed-off-by: Chen Gang + Signed-off-by: David S. Miller + + net/irda/irlap_frame.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c01c9af268cb066f240aec53454b8b74d8d01688 +Author: Dan Carpenter +Date: Sun May 19 08:36:36 2013 +0000 + + Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 + + isdn/kcapi: fix a small underflow + + In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes + from skb->data. The current code can underflow to one space before the + start of the array. + + The sanity check isn't needed in __get_capi_appl_by_nr() but I changed + it to match the others. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/capi/kcapi.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 +Author: Timo Teräs +Date: Wed May 22 01:40:47 2013 +0000 + + Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 + + xfrm: properly handle invalid states as an error + + The error exit path needs err explicitly set. Otherwise it + returns success and the only caller, xfrm_output_resume(), + would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is + NULL. + + Bug introduced in commit bb65a9cb (xfrm: removes a superfluous + check and add a statistic). + + Signed-off-by: Timo Teräs + Cc: Li RongQing + Cc: Steffen Klassert + Signed-off-by: David S. Miller + + net/xfrm/xfrm_output.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd +Author: Jeff Mahoney +Date: Fri May 31 15:07:52 2013 -0400 + + Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab + + reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry + + After sleeping for filldir(), we check to see if the file system has + changed and research. The next_pos pointer is updated but its value + isn't pushed into the key used for the search itself. As a result, + the search returns the same item that the last cycle of the loop did + and filldir() is called multiple times with the same data. + + The end result is that the buffer can contain the same name multiple + times. This can be returned to userspace or used internally in the + xattr code where it can manifest with the following warning: + + jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) + + reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over + the xattr names and ends up trying to unlink the same name twice. The + second attempt fails with -ENOENT and the error is returned. At some + point I'll need to add support into reiserfsck to remove the orphaned + directories left behind when this occurs. + + The fix is to push the value into the key before researching. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/dir.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 +Author: Jeff Mahoney +Date: Fri May 31 15:51:17 2013 -0400 + + Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc + + reiserfs: fix deadlock with nfs racing on create/lookup + + Reiserfs is currently able to be deadlocked by having two NFS clients + where one has removed and recreated a file and another is accessing the + file with an open file handle. + + If one client deletes and recreates a file with timing such that the + recreated file obtains the same [dirid, objectid] pair as the original + file while another client accesses the file via file handle, the create + and lookup can race and deadlock if the lookup manages to create the + in-memory inode first. + + The create thread, in insert_inode_locked4, will hold the write lock + while waiting on the other inode to be unlocked. The lookup thread, + anywhere in the iget path, will release and reacquire the write lock while + it schedules. If it needs to reacquire the lock while the create thread + has it, it will never be able to make forward progress because it needs + to reacquire the lock before ultimately unlocking the inode. + + This patch drops the write lock across the insert_inode_locked4 call so + that the ordering of inode_wait -> write lock is retained. Since this + would have been the case before the BKL push-down, this is safe. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/inode.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 +Author: Jeff Mahoney +Date: Fri May 31 15:54:17 2013 -0400 + + Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b + + reiserfs: fix problems with chowning setuid file w/ xattrs + + reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr + and uses it to iterate over all the attrs associated with a file to change + ownership of xattrs (and transfer quota associated with the xattr files). + + When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode + are passed to all the xattrs as well. This means that the xattr directory + will have S_IFREG added to its mode bits. + + This has been prevented in practice by a missing IS_PRIVATE check + in reiserfs_acl_chmod, which caused a double-lock to occur while holding + the write lock. Since the file system was completely locked up, the + writeout of the corrupted mode never happened. + + This patch temporarily clears everything but ATTR_UID|ATTR_GID for the + calls to reiserfs_setattr and adds the missing IS_PRIVATE check. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/xattr.c | 14 +++++++++++++- + fs/reiserfs/xattr_acl.c | 3 +++ + 2 files changed, 16 insertions(+), 1 deletions(-) + +commit c18cef940310c06bdf86d64d8cb227e56e165300 +Author: Dave Chinner +Date: Mon May 27 16:38:25 2013 +1000 + + Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b + + xfs: kill suid/sgid through the truncate path. + + XFS has failed to kill suid/sgid bits correctly when truncating + files of non-zero size since commit c4ed4243 ("xfs: split + xfs_setattr") introduced in the 3.1 kernel. Fix it. + + Fix it. + + cc: stable kernel + Signed-off-by: Dave Chinner + Reviewed-by: Brian Foster + Signed-off-by: Ben Myers + + (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) + + fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 files changed, 32 insertions(+), 15 deletions(-) + +commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc +Author: Trond Myklebust +Date: Wed May 29 15:36:40 2013 -0400 + + Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 + + NFSv4: Fix a thinko in nfs4_try_open_cached + + We need to pass the full open mode flags to nfs_may_open() when doing + a delegated open. + + Signed-off-by: Trond Myklebust + Cc: stable@vger.kernel.org + + fs/nfs/nfs4proc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c47de62893a9f269be0a272c2840aac1e2a35c68 +Author: Chen Gang +Date: Thu May 30 01:18:43 2013 +0000 + + Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 + + parisc: kernel: using strlcpy() instead of strcpy() + + 'boot_args' is an input args, and 'boot_command_line' has a fix length. + So use strlcpy() instead of strcpy() to avoid memory overflow. + + Signed-off-by: Chen Gang + Acked-by: Kyle McMartin + Signed-off-by: Helge Deller + + arch/parisc/kernel/setup.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit ce869e6f799f95fcac340420ba3612503df80dbf +Author: Chen Gang +Date: Mon May 27 04:57:09 2013 +0000 + + Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 + + parisc: memory overflow, 'name' length is too short for using + + 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 + * "%u:" + "%u" + '\0') may be 21. + + Since 'name' length is 20, it may be memory overflow. + + And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the + max length of 'name' must be less than 28. + + So simplify thinking, we can use 28 instead of 20 directly, and do not + think of whether 'patchc.bc[i]' can '> 100'. + + Signed-off-by: Chen Gang + Signed-off-by: Helge Deller + + arch/parisc/kernel/drivers.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5dc65cd34d442783118a17c518e2daedb90a31d0 +Author: Brad Spengler +Date: Tue Jun 4 17:52:23 2013 -0400 + + add PERF_HARDEN recommendation + + grsecurity/Kconfig | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c +Author: Brad Spengler +Date: Tue Jun 4 17:22:44 2013 -0400 + + Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN + + grsecurity/Kconfig | 19 +++++++++++++++++++ + include/linux/perf_event.h | 5 +++++ + kernel/events/core.c | 10 +++++++++- + kernel/sysctl.c | 9 ++++++++- + 4 files changed, 41 insertions(+), 2 deletions(-) + +commit 84619a3501fd38285a72d9e963f58d1827beedd6 +Author: Brad Spengler +Date: Sat Jun 1 14:23:31 2013 -0400 + + remove user-triggerable BUG_ON in do_munlockall() + + mm/mlock.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 +Author: Brad Spengler +Date: Sat Jun 1 13:44:05 2013 -0400 + + Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 + + From: Kees Cook + Date: Thu, 23 May 2013 17:32:17 +0000 + Subject: iscsi-target: fix heap buffer overflow on error + + If a key was larger than 64 bytes, as checked by iscsi_check_key(), the + error response packet, generated by iscsi_add_notunderstood_response(), + would still attempt to copy the entire key into the packet, overflowing + the structure on the heap. + + Remote preauthentication kernel memory corruption was possible if a + target was configured and listening on the network. + + CVE-2013-2850 + + Embargo-screwup-by: Kees Cook + Cc: stable@vger.kernel.org + Signed-off-by: Nicholas Bellinger + + drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- + drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e +Author: Brad Spengler +Date: Sat Jun 1 13:43:26 2013 -0400 + + Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" + Applying upstream fix instead + + This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. + + drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 +Author: Dan Carpenter +Date: Sun May 19 21:52:20 2013 +0300 + + Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 + + USB: cxacru: potential underflow in cxacru_cm_get_array() + + commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. + + The value of "offd" comes off the instance->rcv_buf[] and we used it as + the offset into an array. The problem is that we check the upper bound + but not for negative values. + + Signed-off-by: Dan Carpenter + Signed-off-by: Greg Kroah-Hartman + Signed-off-by: Ben Hutchings + + drivers/usb/atm/cxacru.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 +Author: Brad Spengler +Date: Sat Jun 1 11:30:17 2013 -0400 + + Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters + + drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit 8578566969d91678a3d7d5251b4eafc6d7775314 +Author: Brad Spengler +Date: Thu May 30 17:44:15 2013 -0400 + + Apply compatibility fix to previous RLIMIT_NPROC change + don't enforce the rlimit check at exec time if the user is root + Prevents problems with sudo if root is listed as part of a group + in limits.conf with process limits enforced + + kernel/sys.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 +Merge: 643b294 ed9b427 +Author: Brad Spengler +Date: Wed May 29 19:19:28 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit ed9b4276488528d0c3803df1dc0df804238241e0 +Author: Brad Spengler +Date: Wed May 29 19:18:45 2013 -0400 + + Updated to pax-linux-3.9.4-test8.patch: + - fixed some fallout detected by the checker plugin + + arch/x86/kernel/crash_dump_64.c | 2 +- + drivers/base/devtmpfs.c | 6 +++--- + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 2 +- + drivers/char/mem.c | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- + drivers/i2c/i2c-dev.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- + drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- + fs/9p/vfs_addr.c | 2 +- + fs/binfmt_elf.c | 4 ++-- + fs/compat_ioctl.c | 4 ++-- + fs/exec.c | 2 +- + fs/namespace.c | 8 ++++---- + fs/proc/vmcore.c | 12 ++++++++---- + fs/read_write.c | 2 +- + include/linux/syscalls.h | 8 ++++---- + init/do_mounts_initrd.c | 8 ++++---- + init/main.c | 4 ++-- + kernel/events/core.c | 2 +- + kernel/events/internal.h | 10 +++++----- + mm/page_io.c | 2 +- + security/keys/internal.h | 2 +- + tools/gcc/checker_plugin.c | 1 + + 24 files changed, 63 insertions(+), 54 deletions(-) + +commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 +Author: Brad Spengler +Date: Wed May 29 18:51:31 2013 -0400 + + eliminate gcc warning + + fs/exec.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 +Author: Brad Spengler +Date: Wed May 29 18:30:20 2013 -0400 + + use BUILD_BUG() instead of BUILD_BUG_ON(1) + + arch/x86/net/bpf_jit_comp.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 5343410354267368e5809f3ad8d9a264f141be18 +Author: Brad Spengler +Date: Wed May 29 17:57:41 2013 -0400 + + defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON + for unknown opcodes + + arch/x86/net/bpf_jit_comp.c | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d +Author: Xiao Guangrong +Date: Fri May 24 15:55:11 2013 -0700 + + Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 + + mm: mmu_notifier: re-fix freed page still mapped in secondary MMU + + Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and + multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: + fix freed page still mapped in secondary MMU"). + + Since hlist_for_each_entry_rcu() is changed now, we can not revert that + patch directly, so this patch reverts the commit and simply fix the bug + spotted by that patch + + This bug spotted by commit 751efd8610d3 is: + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result + of a filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + + This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. + + The another issue spotted in the commit is "multiple ->release() + callouts", we needn't care it too much because it is really rare (e.g, + can not happen on kvm since mmu-notify is unregistered after + exit_mmap()) and the later call of multiple ->release should be fast + since all the pages have already been released by the first call. + Anyway, this issue should be fixed in a separate patch. + + -stable suggestions: Any version that has commit 751efd8610d3 need to be + backported. I find the oldest version has this commit is 3.0-stable. + + [akpm@linux-foundation.org: tweak comments] + Signed-off-by: Xiao Guangrong + Tested-by: Robin Holt + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- + 1 files changed, 39 insertions(+), 40 deletions(-) + +commit 163a5539b36247865d39b2bcfa8efc03a62124a6 +Author: Aneesh Kumar K.V +Date: Fri May 24 15:55:21 2013 -0700 + + Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 + + mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer + + We should not use set_pmd_at to update pmd_t with pgtable_t pointer. + set_pmd_at is used to set pmd with huge pte entries and architectures + like ppc64, clear few flags from the pte when saving a new entry. + Without this change we observe bad pte errors like below on ppc64 with + THP enabled. + + BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 + + Signed-off-by: Aneesh Kumar K.V + Cc: Hugh Dickins + Cc: Benjamin Herrenschmidt + Reviewed-by: Andrea Arcangeli + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/huge_memory.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 3e54faf888d324d5f362dcba16173ea7bba61e8a +Author: OGAWA Hirofumi +Date: Fri May 24 15:55:08 2013 -0700 + + Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 + + fat: fix possible overflow for fat_clusters + + Intermediate value of fat_clusters can be overflowed on 32bits arch. + + Reported-by: Krzysztof Strasburger + Signed-off-by: OGAWA Hirofumi + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/fat/inode.c | 15 ++++++++++++++- + 1 files changed, 14 insertions(+), 1 deletions(-) + +commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d +Author: Jarod Wilson +Date: Fri May 24 15:55:31 2013 -0700 + + Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 + + drivers/char/random.c: fix priming of last_data + + Commit ec8f02da9ea5 ("random: prime last_data value per fips + requirements") added priming of last_data per fips requirements. + + Unfortuantely, it did so in a way that can lead to multiple threads all + incrementing nbytes, but only one actually doing anything with the extra + data, which leads to some fun random corruption and panics. + + The fix is to simply do everything needed to prime last_data in a single + shot, so there's no window for multiple cpus to increment nbytes -- in + fact, we won't even increment or decrement nbytes anymore, we'll just + extract the needed EXTRACT_SIZE one time per pool and then carry on with + the normal routine. + + All these changes have been tested across multiple hosts and + architectures where panics were previously encoutered. The code changes + are are strictly limited to areas only touched when when booted in fips + mode. + + This change should also go into 3.8-stable, to make the myriads of fips + users on 3.8.x happy. + + Signed-off-by: Jarod Wilson + Tested-by: Jan Stancek + Tested-by: Jan Stodola + Cc: Herbert Xu + Acked-by: Neil Horman + Cc: "David S. Miller" + Cc: Matt Mackall + Cc: "Theodore Ts'o" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/char/random.c | 30 +++++++++++++++--------------- + 1 files changed, 15 insertions(+), 15 deletions(-) + +commit 2d74639040ba6ce47f57ec010714ec06529c4b42 +Author: Jiri Kosina +Date: Fri May 24 15:55:33 2013 -0700 + + Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 + + random: fix accounting race condition with lockless irq entropy_count update + + Commit 902c098a3663 ("random: use lockless techniques in the interrupt + path") turned IRQ path from being spinlock protected into lockless + cmpxchg-retry update. + + That commit removed r->lock serialization between crediting entropy bits + from IRQ context and accounting when extracting entropy on userspace + read path, but didn't turn the r->entropy_count reads/updates in + account() to use cmpxchg as well. + + It has been observed, that under certain circumstances this leads to + read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets + corrupted and becomes negative, which in turn results in propagating 0 + all the way from account() to the actual read() call. + + Convert the accounting code to be the proper lockless counterpart of + what has been partially done by 902c098a3663. + + Signed-off-by: Jiri Kosina + Cc: Theodore Ts'o + Cc: Greg KH + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/char/random.c | 26 +++++++++++++++++--------- + 1 files changed, 17 insertions(+), 9 deletions(-) + +commit 65d05c7ea468c23c175105526dd4f163302a92cf +Merge: 1a98d0a 6ce3a135 +Author: Brad Spengler +Date: Sat May 25 07:48:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/vm86_32.c + +commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 +Merge: 79bdd65 0bfd8ff +Author: Brad Spengler +Date: Sat May 25 07:46:55 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 +Author: Brad Spengler +Date: Thu May 23 18:42:23 2013 -0400 + + use existing local variable + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b2b80ef8586061e32e986b31608717c25d1e7c54 +Merge: cb45fbd 79bdd65 +Author: Brad Spengler +Date: Thu May 23 17:58:53 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 79bdd65dac68267bc1b201c6b4a99966a373c305 +Author: Brad Spengler +Date: Thu May 23 17:57:46 2013 -0400 + + Update to pax-linux-3.9.3-test7.patch: + - fixed some size overflow related warnings (hash table, attributes) + - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html + + arch/x86/include/asm/page_64.h | 2 +- + arch/x86/kernel/head64.c | 2 +- + tools/gcc/constify_plugin.c | 48 ++- + tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ + 4 files changed, 651 insertions(+), 592 deletions(-) + +commit cb45fbda4967b1b544a754fbdc92d73283379522 +Merge: 62588fa 57c11b8 +Author: Brad Spengler +Date: Mon May 20 17:32:17 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 57c11b85acd841a088aa4df8e60be337880df8cd +Merge: 0598b37 4bb0869 +Author: Brad Spengler +Date: Mon May 20 17:32:08 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 +Merge: e261c7b 0598b37 +Author: Brad Spengler +Date: Fri May 17 22:57:36 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 +Author: Brad Spengler +Date: Fri May 17 22:57:07 2013 -0400 + + Update to pax-linux-3.9.2-test6.patch: + - fixed a gcc assert in the structleak plugin, reported by Emese Revfy + - fixed pfn extraction from pud/pgd entries, reported by ousado + + arch/x86/include/asm/pgtable.h | 9 +++++++-- + tools/gcc/structleak_plugin.c | 3 ++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +commit e261c7bc611e9127bbb7bd95cddd51524bf255ae +Author: Brad Spengler +Date: Thu May 16 22:54:12 2013 -0400 + + add offset to topdown check, fixes compilation + + arch/x86/kernel/sys_x86_64.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 +Author: Brad Spengler +Date: Thu May 16 20:57:41 2013 -0400 + + CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, + reported by lulzh3ad on irc + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0d4593e84707cdf6deb6b925c18c676a476b1613 +Merge: 43cd0c0 39a877f +Author: Brad Spengler +Date: Thu May 16 20:39:11 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 39a877f192ed305d88edac10a14a9e8e1e161f3f +Author: Brad Spengler +Date: Thu May 16 20:37:35 2013 -0400 + + Update to pax-linux-3.9.2-test105.patch: + - fixed !EFI boot problem, reported by spender + - fixed a few compile warnings + - fixed some more compile errors due to constification + - fixed some arm fallout, reported by Michael Tremer + + arch/arm/include/asm/psci.h | 2 +- + arch/arm/kernel/psci.c | 2 +- + arch/x86/kernel/sys_x86_64.c | 3 +-- + arch/x86/realmode/init.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- + drivers/irqchip/irq-gic.c | 2 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- + drivers/platform/x86/chromeos_laptop.c | 2 +- + fs/jfs/super.c | 4 ++-- + include/linux/irqchip/arm-gic.h | 2 ++ + include/sound/compress_driver.h | 2 +- + net/mac80211/cfg.c | 4 ++-- + sound/soc/fsl/fsl_ssi.c | 2 +- + 14 files changed, 31 insertions(+), 22 deletions(-) + +commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 +Author: Brad Spengler +Date: Thu May 16 20:35:22 2013 -0400 + + Fix usercopy false positive under gcc 4.1 + + arch/x86/kernel/signal.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 56a166129d817f6634c8c230e6ec497669bdfaca +Author: Amerigo Wang +Date: Thu May 9 21:56:37 2013 +0000 + + Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f + + ipv6,gre: do not leak info to user-space + + There is a hole in struct ip6_tnl_parm2, so we have to + zero the struct on stack before copying it to user-space. + + Cc: David S. Miller + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + net/ipv6/ip6_gre.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit d6f50dae2653ad912952da40417a8ccbd59c7699 +Author: Brad Spengler +Date: Tue May 14 16:52:35 2013 -0400 + + disable unprivileged kernel profiling under HIDESYM, rename + the variable to something more appropriate + + include/linux/perf_event.h | 8 ++++---- + kernel/events/core.c | 6 +++++- + kernel/sysctl.c | 4 ++-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +commit 01322c6951bed4eedefbd2178dbd99292b365d99 +Author: Brad Spengler +Date: Mon May 13 17:19:57 2013 -0400 + + mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its + existing stack-heap gap code for the new unified vm_unmapped_area + + grsecurity/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 +Author: Brad Spengler +Date: Mon May 13 15:40:32 2013 -0400 + + fix NX fault on early boot + + arch/x86/realmode/init.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 +Author: Brad Spengler +Date: Mon May 13 10:48:13 2013 -0400 + + compile fix, we weren't using %pa anyway and it's now being used + by upstream for physical address printing + + lib/vsprintf.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d +Author: Brad Spengler +Date: Mon May 13 10:39:52 2013 -0400 + + compile fix + + grsecurity/grsec_chroot.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b +Author: Brad Spengler +Date: Mon May 13 10:35:36 2013 -0400 + + compile fixes + + grsecurity/grsec_chroot.c | 2 +- + include/linux/grinternal.h | 8 ++++---- + include/linux/grsecurity.h | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 +Author: Brad Spengler +Date: Mon May 13 10:27:18 2013 -0400 + + compile fix + + fs/exec.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 +Author: Brad Spengler +Date: Mon May 13 10:23:17 2013 -0400 + + Initial port of grsecurity for 3.9.2 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 8 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/slice.c | 8 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/Kconfig.debug | 2 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 14 +- + arch/x86/kernel/sys_x86_64.c | 6 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/usb/storage/realtek_cr.c | 2 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 10 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 181 +- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 241 ++- + fs/namespace.c | 24 + + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 +- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 3 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 1031 +++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 +++ + grsecurity/gracl_ip.c | 387 ++ + grsecurity/gracl_learn.c | 207 + + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 ++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 ++ + grsecurity/grsec_disabled.c | 434 +++ + grsecurity/grsec_exec.c | 187 + + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 ++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 ++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 222 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 +++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 319 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 215 + + include/linux/grmsg.h | 111 + + include/linux/grsecurity.h | 242 ++ + include/linux/grsock.h | 19 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 12 + + include/linux/sched.h | 68 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/net/secure_seq.h | 1 + + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 71 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 8 + + kernel/printk.c | 13 +- + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 39 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + lib/vsprintf.c | 35 +- + localversion-grsec | 1 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 64 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/8021q/vlan.c | 7 + + net/core/dev_ioctl.c | 4 + + net/core/net-procfs.c | 5 + + net/core/secure_seq.c | 4 +- + net/core/sock_diag.c | 7 + + net/ipv4/af_inet.c | 5 +- + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 7 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 2 +- + net/phonet/af_phonet.c | 2 +- + net/sctp/probe.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/tipc/link.c | 11 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 342 ++- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 291 files changed, 15221 insertions(+), 2052 deletions(-) + +commit 88854c350c899bceca4a94598c42bed44d0dc91b +Author: Brad Spengler +Date: Mon May 13 07:37:47 2013 -0400 + + Initial import of pax-linux-3.9.2-test2.patch + + Documentation/dontdiff | 45 +- + Documentation/kernel-parameters.txt | 12 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 421 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 6 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 15 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 15 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-ux500/include/mach/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 91 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 36 +- + arch/arm/mm/mmu.c | 187 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 23 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/kernel/us3_cpufreq.c | 69 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 6 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 21 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 6 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 67 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page_64.h | 2 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 113 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel.c | 2 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 63 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 ++- + arch/x86/kernel/entry_64.S | 530 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 1 - + arch/x86/kernel/head_32.S | 237 +- + arch/x86/kernel/head_64.S | 120 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 57 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 4 +- + arch/x86/kernel/setup.c | 19 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 248 + + arch/x86/kernel/sys_x86_64.c | 19 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 57 +- + arch/x86/kvm/x86.c | 10 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 70 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 376 +- + arch/x86/lib/usercopy_64.c | 25 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 556 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 90 +- + arch/x86/mm/init_32.c | 119 +- + arch/x86/mm/init_64.c | 44 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 19 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 4 +- + arch/x86/realmode/init.c | 8 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/relocs.c | 95 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 2 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 9 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/frontend.c | 2 +- + drivers/char/hpet.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 41 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clocksource/arm_arch_timer.c | 2 +- + drivers/clocksource/metag_generic.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 4 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-cdev.c | 3 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efivars.c | 4 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 4 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 10 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/devices/doc2000.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/iio/iio_hwmon.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 11 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 605 +++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 8 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/ecryptfs/read_write.c | 2 +- + fs/exec.c | 362 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/super.c | 2 +- + fs/fhandle.c | 3 +- + fs/fifo.c | 22 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 2 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 6 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 2 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 8 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 33 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 36 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/compat.h | 6 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpu.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/ftrace_event.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 2 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 15 + + include/linux/math64.h | 6 +- + include/linux/mm.h | 110 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 12 +- + include/linux/pipe_fs_i.h | 6 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/proc_fs.h | 2 +- + include/linux/random.h | 5 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 67 +- + include/linux/sched/sysctl.h | 1 + + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 36 +- + include/linux/slab_def.h | 33 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 10 +- + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 2 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-ioctl.h | 1 - + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 12 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 22 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 77 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 7 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 20 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 68 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 51 +- + kernel/sched/fair.c | 4 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 18 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 6 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 20 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 8 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + lib/Kconfig.debug | 6 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 16 +- + mm/mmap.c | 576 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 4 +- + mm/page_alloc.c | 41 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 105 +- + mm/slab.h | 5 +- + mm/slab_common.c | 11 +- + mm/slob.c | 201 +- + mm/slub.c | 99 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 82 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/devinet.c | 14 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 18 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 6 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 8 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 14 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 2 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 29 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.pl | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 675 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 171 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 518 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 ++ + tools/gcc/latent_entropy_plugin.c | 327 ++ + tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2114 ++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 276 + + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1555 files changed, 30474 insertions(+), 7126 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 +Merge: 814820a 3a59a59 +Author: Brad Spengler +Date: Sun May 12 21:51:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f +Author: Brad Spengler +Date: Sun May 12 21:50:07 2013 -0400 + + Update to pax-linux-3.8.13-test24.patch: + - fixed sparc/constification compile error, reported by blake + - UDEREF/amd64 should be a bit more efficient when disabled at boot time + - fixed some unnecessary integer truncations that could trip up the size overflow plugin + + arch/arm/kernel/vmlinux.lds.S | 4 ++-- + arch/sparc/kernel/us3_cpufreq.c | 4 ++-- + arch/x86/ia32/ia32entry.S | 4 ++-- + arch/x86/include/asm/pgtable.h | 6 ++++-- + arch/x86/include/asm/uaccess.h | 6 +++--- + arch/x86/kernel/kprobes-opt.c | 4 ++++ + arch/x86/lib/copy_user_nocache_64.S | 2 +- + arch/x86/lib/getuser.S | 8 ++++---- + arch/x86/lib/putuser.S | 8 ++++---- + arch/x86/mm/fault.c | 6 +++--- + drivers/net/slip/slhc.c | 2 +- + drivers/staging/iio/ring_sw.c | 2 +- + fs/binfmt_elf.c | 6 +++--- + fs/nfsd/nfscache.c | 2 +- + fs/xattr.c | 21 +++++++++++++++++++++ + include/linux/syscalls.h | 2 +- + include/linux/xattr.h | 3 +++ + init/main.c | 3 +++ + kernel/futex_compat.c | 2 +- + kernel/trace/trace.h | 2 +- + net/socket.c | 2 +- + security/Kconfig | 2 +- + 22 files changed, 67 insertions(+), 34 deletions(-) + +commit 814820abfe5b9a34401d838b2510431a4cd92be9 +Author: Dan Carpenter +Date: Mon May 6 09:31:17 2013 +0000 + + Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa + + tipc: potential divide by zero in tipc_link_recv_fragment() + + The worry here is that fragm_sz could be zero since it comes from + skb->data. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/tipc/link.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 +Author: Dan Carpenter +Date: Mon May 6 08:28:41 2013 +0000 + + Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc + + tipc: add a bounds check in link_recv_changeover_msg() + + The bearer_id here comes from skb->data and it can be a number from 0 to + 7. The problem is that the ->links[] array has only 2 elements so I + have added a range check. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/tipc/link.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit ed0428c4ef6c5498870772f212ac651216eb8d0c +Merge: 2452d8d dbf932a +Author: Brad Spengler +Date: Sun May 12 21:18:25 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/cpu/perf_event_intel_uncore.c + arch/x86/mm/init.c + +commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 +Author: Brad Spengler +Date: Sun May 12 20:24:01 2013 -0400 + + compile fix + + grsecurity/gracl.c | 1 + + grsecurity/gracl_segv.c | 1 + + 2 files changed, 2 insertions(+), 0 deletions(-) + +commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 +Author: Brad Spengler +Date: Sun May 12 18:25:26 2013 -0400 + + fix btrfs support here as well + + grsecurity/gracl_segv.c | 17 +++++++++-------- + 1 files changed, 9 insertions(+), 8 deletions(-) + +commit c75e4664fe4d20da1639f70d9def097c4f20856b +Author: Brad Spengler +Date: Sun May 12 18:12:57 2013 -0400 + + Fix RBAC compatibility with btrfs compiled as a module, as + reported on the forums by YuHg at: + http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 + + fs/btrfs/inode.c | 11 +---------- + grsecurity/gracl.c | 19 ++++++++++--------- + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_disabled.c | 2 +- + 4 files changed, 13 insertions(+), 21 deletions(-) + +commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 +Author: Brad Spengler +Date: Sat May 11 12:12:00 2013 -0400 + + allow copies just up to the start of kernel code + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 04638852588cf243f865f5a73aa9dab94fab53b7 +Author: Brad Spengler +Date: Fri May 10 16:53:07 2013 -0400 + + MODULES_EXEC_VADDR is a virtual address + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 +Author: Brad Spengler +Date: Fri May 10 16:51:03 2013 -0400 + + exempt module rx areas from usercopy protection under i386 kernexec + their .rodata will be placed between stext/etext causing copies of + constant strings to trigger usercopy reports/terminations + + fs/exec.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da +Author: Brad Spengler +Date: Wed May 8 20:25:52 2013 -0400 + + User jorgus on the forums: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 + discovered that the upstreamed version of enforcing RLIMIT_NPROC + at setuid/exec time missed an important corner case: + If RLIMIT_NPROC is set after a setuid occurs and the user's process + limit is reached elsewhere, no enforcement of RLIMIT_NPROC will + happen at exec time for the task with a modified RLIMIT_NPROC. + + This patch fixes that. + + kernel/sys.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff +Merge: 539fff0 2452d8d +Author: Brad Spengler +Date: Wed May 8 18:13:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a +Merge: 6c850d8 9c9ab76 +Author: Brad Spengler +Date: Wed May 8 18:13:31 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/irq.c + kernel/trace/trace_stack.c + +commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a +Author: Brad Spengler +Date: Tue May 7 21:43:00 2013 -0400 + + turn counter into a flag + + grsecurity/Kconfig | 2 +- + grsecurity/grsec_chroot.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 +Author: Brad Spengler +Date: Tue May 7 21:02:39 2013 -0400 + + add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity + useful for Fedora/RHEL users + + grsecurity/Kconfig | 10 ++++++++++ + grsecurity/grsec_chroot.c | 17 +++++++++++++++-- + 2 files changed, 25 insertions(+), 2 deletions(-) + +commit 418102925c0cfb0de51b0a021abaa575e28fafa6 +Author: Peter Zijlstra +Date: Fri May 3 14:11:25 2013 +0200 + + Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 + + perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL + + We should always have proper privileges when requesting kernel + data. + + Signed-off-by: Peter Zijlstra + Cc: + Cc: Andi Kleen + Cc: eranian@google.com + Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl + [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] + Signed-off-by: Ingo Molnar + Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org + + arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- + 1 files changed, 10 insertions(+), 3 deletions(-) + +commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 +Author: Eric Dumazet +Date: Mon Apr 29 05:58:52 2013 +0000 + + Upstream commit: aebda156a570782a86fc4426842152237a19427d + + net: defer net_secret[] initialization + + Instead of feeding net_secret[] at boot time, defer the init + at the point first socket is created. + + This permits some platforms to use better entropy sources than + the ones available at boot time. + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + + include/net/secure_seq.h | 1 + + net/core/secure_seq.c | 4 +--- + net/ipv4/af_inet.c | 5 ++++- + 3 files changed, 6 insertions(+), 4 deletions(-) + +commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac +Author: Daniel Borkmann +Date: Wed May 1 02:59:23 2013 +0000 + + Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 + + net: sctp: attribute printl with __printf for gcc fmt checks + + Let GCC check for format string errors in sctp's probe printl + function. This patch fixes the warning when compiled with W=1: + + net/sctp/probe.c:73:2: warning: function might be possible candidate + for 'gnu_printf' format attribute [-Wmissing-format-attribute] + + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + net/sctp/probe.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 +Author: Brad Spengler +Date: Thu May 2 19:58:54 2013 -0400 + + remove no-longer-needed vmware 8 compat fix + + mm/page_alloc.c | 6 ------ + 1 files changed, 0 insertions(+), 6 deletions(-) + +commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 +Author: Brad Spengler +Date: Thu May 2 19:55:23 2013 -0400 + + remove unnecessary < 0 check + + net/phonet/af_phonet.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f +Author: Brad Spengler +Date: Wed May 1 18:30:48 2013 -0400 + + remove references to CONFIG_X86_WP_WORKS_OK + + arch/um/defconfig | 1 - + security/Kconfig | 2 +- + 2 files changed, 1 insertions(+), 2 deletions(-) + +commit 408da6791f93ffe00d26bfe919f1b2218fe0804d +Merge: a8dbe8e 6c850d8 +Author: Brad Spengler +Date: Wed May 1 18:28:44 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/mm/ultra.S + drivers/tty/tty_io.c + +commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf +Merge: cdbcbef 9fa1d01 +Author: Brad Spengler +Date: Wed May 1 18:25:18 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 +Author: Brad Spengler +Date: Mon Apr 29 18:44:23 2013 -0400 + + add module.h to silence compiler warning, thanks to + Sergei Trofimovich + + fs/btrfs/inode.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 55eba82aca97aa56378e000840c48965557721e8 +Author: Brad Spengler +Date: Mon Apr 29 18:43:03 2013 -0400 + + compilation fix + + kernel/trace/trace.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e3bf912b54af6df7fbebc68b5999554562056c5c +Merge: 5b72e37 cdbcbef +Author: Brad Spengler +Date: Mon Apr 29 18:34:42 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cdbcbef45c4f003cbee11e10668a35d424c17c60 +Author: Brad Spengler +Date: Mon Apr 29 18:33:35 2013 -0400 + + Update to pax-linux-3.8.10-test21.patch: + - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 + - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 + note that the false positive is not fixed yet + - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin + - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) + - reverted the nested NMI fix in search for a real one + - simplified the arm_delay_ops constification + + arch/arm/include/asm/delay.h | 8 ++++---- + arch/arm/lib/delay.c | 17 +++++------------ + arch/x86/kernel/entry_64.S | 11 ++++++++++- + arch/x86/kernel/i8259.c | 2 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kvm/vmx.c | 4 ++-- + drivers/block/pktcdvd.c | 2 +- + fs/btrfs/extent-tree.c | 2 +- + fs/nfsd/nfscache.c | 6 ++++-- + kernel/trace/trace.c | 2 +- + tools/gcc/structleak_plugin.c | 4 ++++ + 11 files changed, 34 insertions(+), 26 deletions(-) + +commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 +Author: Brad Spengler +Date: Fri Apr 26 20:53:06 2013 -0400 + + don't use file_inode() + + drivers/tty/tty_io.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 +Author: Jiri Slaby +Date: Fri Apr 26 13:48:53 2013 +0200 + + Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee + + TTY: fix atime/mtime regression + + In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") + we removed timestamps from tty inodes to fix a security issue and waited + if something breaks. Well, 'w', the utility to find out logged users + and their inactivity time broke. It shows that users are inactive since + the time they logged in. + + To revert to the old behaviour while still preventing attackers to + guess the password length, we update the timestamps in one-minute + intervals by this patch. + + Signed-off-by: Jiri Slaby + Cc: Greg Kroah-Hartman + Signed-off-by: Linus Torvalds + + Conflicts: + + drivers/tty/tty_io.c + + drivers/tty/tty_io.c | 15 ++++++++++++++- + 1 files changed, 14 insertions(+), 1 deletions(-) + +commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec +Author: Jiri Slaby +Date: Fri Feb 15 15:25:05 2013 +0100 + + Upstream commit: b0de59b5733d + + TTY: do not update atime/mtime on read/write + + On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find + out length of a password using timestamps of /dev/ptmx. It is + documented in "Timing Analysis of Keystrokes and Timing Attacks on + SSH". To avoid that problem, do not update time when reading + from/writing to a TTY. + + I am afraid of regressions as this is a behavior we have since 0.97 + and apps may expect the time to be current, e.g. for monitoring + whether there was a change on the TTY. Now, there is no change. So + this would better have a lot of testing before it goes upstream. + + References: CVE-2013-0160 + + Signed-off-by: Jiri Slaby + Cc: stable # after 3.9 is out + Signed-off-by: Greg Kroah-Hartman + + drivers/tty/tty_io.c | 8 ++------ + 1 files changed, 2 insertions(+), 6 deletions(-) + +commit 5344a24e2320d61dbdb88aae04922f0799deefd0 +Author: Zhao Hongjiang +Date: Fri Apr 26 11:03:53 2013 +0800 + + Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad + + aio: fix possible invalid memory access when DEBUG is enabled + + dprintk() shouldn't access @ring after it's unmapped. + + Signed-off-by: Zhao Hongjiang + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + fs/aio.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 +Author: John David Anglin +Date: Tue Apr 23 22:42:07 2013 +0200 + + Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 + + parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates + + User applications running on SMP kernels have long suffered from instability + and random segmentation faults. This patch improves the situation although + there is more work to be done. + + One of the problems is the various routines in pgtable.h that update page table + entries use different locking mechanisms, or no lock at all (set_pte_at). This + change modifies the routines to all use the same lock pa_dbit_lock. This lock + is used for dirty bit updates in the interruption code. The patch also purges + the TLB entries associated with the PTE to ensure that inconsistent values are + not used after the page table entry is updated. The UP and SMP code are now + identical. + + The change also includes a minor update to the purge_tlb_entries function in + cache.c to improve its efficiency. + + Signed-off-by: John David Anglin + Cc: Helge Deller + Signed-off-by: Helge Deller + + arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- + arch/parisc/kernel/cache.c | 5 +--- + 2 files changed, 26 insertions(+), 26 deletions(-) + +commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 +Merge: ba54c97 4d05084 +Author: Brad Spengler +Date: Fri Apr 26 18:17:20 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kvm/x86.c + include/linux/capability.h + +commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 +Merge: c664779 bb8dd67 +Author: Brad Spengler +Date: Fri Apr 26 18:15:45 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 +Author: David S. Miller +Date: Wed Apr 24 16:52:18 2013 -0700 + + Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee + + sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. + + Reported-by: Meelis Roos + Signed-off-by: David S. Miller + + arch/sparc/mm/tlb.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 +Author: David S. Miller +Date: Fri Apr 19 17:26:26 2013 -0400 + + Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 + + sparc64: Fix race in TLB batch processing. + + As reported by Dave Kleikamp, when we emit cross calls to do batched + TLB flush processing we have a race because we do not synchronize on + the sibling cpus completing the cross call. + + So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) + and either flushes are missed or flushes will flush the wrong + addresses. + + Fix this by using generic infrastructure to synchonize on the + completion of the cross call. + + This first required getting the flush_tlb_pending() call out from + switch_to() which operates with locks held and interrupts disabled. + The problem is that smp_call_function_many() cannot be invoked with + IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). + + We get the batch processing outside of locked IRQ disabled sections by + using some ideas from the powerpc port. Namely, we only batch inside + of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a + region, we flush TLBs synchronously. + + 1) Get rid of xcall_flush_tlb_pending and per-cpu type + implementations. + + 2) Do TLB batch cross calls instead via: + + smp_call_function_many() + tlb_pending_func() + __flush_tlb_pending() + + 3) Batch only in lazy mmu sequences: + + a) Add 'active' member to struct tlb_batch + b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE + c) Set 'active' in arch_enter_lazy_mmu_mode() + d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() + e) Check 'active' in tlb_batch_add_one() and do a synchronous + flush if it's clear. + + 4) Add infrastructure for synchronous TLB page flushes. + + a) Implement __flush_tlb_page and per-cpu variants, patch + as needed. + b) Likewise for xcall_flush_tlb_page. + c) Implement smp_flush_tlb_page() to invoke the cross-call. + d) Wire up global_flush_tlb_page() to the right routine based + upon CONFIG_SMP + + 5) It turns out that singleton batches are very common, 2 out of every + 3 batch flushes have only a single entry in them. + + The batch flush waiting is very expensive, both because of the poll + on sibling cpu completeion, as well as because passing the tlb batch + pointer to the sibling cpus invokes a shared memory dereference. + + Therefore, in flush_tlb_pending(), if there is only one entry in + the batch perform a completely asynchronous global_flush_tlb_page() + instead. + + Reported-by: Dave Kleikamp + Signed-off-by: David S. Miller + Acked-by: Dave Kleikamp + + arch/sparc/include/asm/pgtable_64.h | 1 + + arch/sparc/include/asm/switch_to_64.h | 3 +- + arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- + arch/sparc/kernel/smp_64.c | 41 ++++++++++- + arch/sparc/mm/tlb.c | 38 +++++++++- + arch/sparc/mm/tsb.c | 57 ++++++++++++---- + arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- + 7 files changed, 241 insertions(+), 55 deletions(-) + +commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 +Author: Linus Torvalds +Date: Fri Apr 19 15:32:32 2013 +0000 + + Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 + + net: fix incorrect credentials passing + + Commit 257b5358b32f ("scm: Capture the full credentials of the scm + sender") changed the credentials passing code to pass in the effective + uid/gid instead of the real uid/gid. + + Obviously this doesn't matter most of the time (since normally they are + the same), but it results in differences for suid binaries when the wrong + uid/gid ends up being used. + + This just undoes that (presumably unintentional) part of the commit. + + Reported-by: Andy Lutomirski + Cc: Eric W. Biederman + Cc: Serge E. Hallyn + Cc: David S. Miller + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + Acked-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + include/net/scm.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 +Author: Brad Spengler +Date: Thu Apr 18 19:22:40 2013 -0400 + + move _etext to only cover kernel code, not read-only data, as reported by Gu1 + + arch/arm/kernel/vmlinux.lds.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 98ad6adbc48759e4f9eae435d3e51ba487155685 +Author: Brad Spengler +Date: Thu Apr 18 19:17:24 2013 -0400 + + add asm/sections.h for USERCOPY change + + fs/exec.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 +Author: Dmitry Popov +Date: Thu Apr 11 08:55:07 2013 +0000 + + Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 + + tcp: incoming connections might use wrong route under synflood + + There is a bug in cookie_v4_check (net/ipv4/syncookies.c): + flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), + RT_SCOPE_UNIVERSE, IPPROTO_TCP, + inet_sk_flowi_flags(sk), + (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, + ireq->loc_addr, th->source, th->dest); + + Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be + taken. This dst_entry is used by new socket (get_cookie_sock -> + tcp_v4_syn_recv_sock), so its packets may take the wrong path. + + Signed-off-by: Dmitry Popov + Signed-off-by: David S. Miller + + net/ipv4/syncookies.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 3600395e8fef3ae712e72f9b68c3609639616df8 +Author: Thomas Graf +Date: Thu Apr 11 10:57:18 2013 +0000 + + Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 + + tcp: Reallocate headroom if it would overflow csum_start + + If a TCP retransmission gets partially ACKed and collapsed multiple + times it is possible for the headroom to grow beyond 64K which will + overflow the 16bit skb->csum_start which is based on the start of + the headroom. It has been observed rarely in the wild with IPoIB due + to the 64K MTU. + + Verify if the acking and collapsing resulted in a headroom exceeding + what csum_start can cover and reallocate the headroom if so. + + A big thank you to Jim Foraker and the team at + LLNL for helping out with the investigation and testing. + + Reported-by: Jim Foraker + Signed-off-by: Thomas Graf + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/tcp_output.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 +Author: Ivan Vecera +Date: Fri Apr 12 16:49:24 2013 +0200 + + Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f + + be2net: take care of __vlan_put_tag return value + + The driver should use return value of __vlan_put_tag with appropriate + NULL-check instead of old skb pointer. + + Signed-off-by: Ivan Vecera + Signed-off-by: David S. Miller + + drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 +Author: Wei Yongjun +Date: Fri Apr 12 03:17:12 2013 +0000 + + Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 + + tuntap: fix error return code in tun_set_iff() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + [ Bug added in linux-3.8 , commit 4008e97f866db665 + ("tuntap: fix ambigious multiqueue API") ] + + Signed-off-by: Wei Yongjun + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + drivers/net/tun.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c +Author: Wei Yongjun +Date: Sat Apr 13 15:49:03 2013 +0000 + + Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 + + esp4: fix error return code in esp_output() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + Signed-off-by: Wei Yongjun + Acked-by: Steffen Klassert + Signed-off-by: David S. Miller + + net/ipv4/esp4.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 2b45b5f52c2a8930f80c62de392a62516c83e225 +Author: Bjørn Mork +Date: Tue Apr 16 00:17:07 2013 +0000 + + Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 + + net: cdc_mbim: remove bogus sizeof() + + The intention was to test against the constant, not the size of + the constant. + + Signed-off-by: Bjørn Mork + Signed-off-by: David S. Miller + + drivers/net/usb/cdc_mbim.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 17d7408795519037a5a1272c7888238e20830bfe +Author: Vyacheslav Dubeyko +Date: Wed Apr 17 15:58:33 2013 -0700 + + Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 + + hfsplus: fix potential overflow in hfsplus_file_truncate() + + Change a u32 to loff_t hfsplus_file_truncate(). + + Signed-off-by: Vyacheslav Dubeyko + Cc: Christoph Hellwig + Cc: Al Viro + Cc: Hin-Tak Leung + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/hfsplus/extents.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b +Author: Emese Revfy +Date: Wed Apr 17 15:58:36 2013 -0700 + + Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f + + kernel/signal.c: stop info leak via the tkill and the tgkill syscalls + + This fixes a kernel memory contents leak via the tkill and tgkill syscalls + for compat processes. + + This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field + when handling signals delivered from tkill. + + The place of the infoleak: + + int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) + { + ... + put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); + ... + } + + Signed-off-by: Emese Revfy + Reviewed-by: PaX Team + Signed-off-by: Kees Cook + Cc: Al Viro + Cc: Oleg Nesterov + Cc: "Eric W. Biederman" + Cc: Serge Hallyn + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/signal.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 +Author: Brad Spengler +Date: Wed Apr 17 20:17:00 2013 -0400 + + Improve PAX_USERCOPY to reject direct copies to/from main kernel text + + fs/exec.c | 29 +++++++++++++++++++++++++++-- + 1 files changed, 27 insertions(+), 2 deletions(-) + +commit 3cb37d0c0c77dc3928ff8417f982139f95366eba +Merge: e87c19f c664779 +Author: Brad Spengler +Date: Wed Apr 17 20:06:08 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c664779987cb0c27a242029f0e0db812e3236203 +Author: Brad Spengler +Date: Wed Apr 17 19:54:09 2013 -0400 + + add intentional_overflow marking for resource_size() as reasoned by: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 + + include/linux/ioport.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e87c19f8312355b8658e5138c16bfa6043a379c8 +Merge: 802d119 d0c636c +Author: Brad Spengler +Date: Wed Apr 17 16:57:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d0c636ceaaf406e606898ce3e770e32fb043ea8a +Merge: bc88628 2396403 +Author: Brad Spengler +Date: Wed Apr 17 16:57:01 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/paravirt.c + +commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b +Author: Brad Spengler +Date: Sun Apr 14 21:39:51 2013 -0400 + + move location of RBAC user check on setfsuid until after capability checks + for consistency with other checks + + kernel/sys.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 1a860d7d67051559ab2e6d10f9888649c92904e6 +Author: Brad Spengler +Date: Sun Apr 14 21:34:46 2013 -0400 + + A denied setfsuid by the RBAC system would result in an abort_creds() being called + with an uninitalized pointer, introduced by a bad forward-port + + kernel/sys.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 +Merge: c38d142 bc88628 +Author: Brad Spengler +Date: Sun Apr 14 21:28:33 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit bc88628a6a8fcccaabb90908640809b0540df225 +Author: Brad Spengler +Date: Sun Apr 14 21:26:41 2013 -0400 + + Update to pax-linux-3.8.7-test20.patch: + - fixed KERNEXEC and NMI nesting problem reported by stef&hunger + - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 + - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) + - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) + + arch/powerpc/include/asm/smp.h | 2 +- + arch/x86/Kconfig | 4 ++-- + arch/x86/kernel/entry_64.S | 8 ++++---- + security/Kconfig | 2 +- + 4 files changed, 8 insertions(+), 8 deletions(-) + +commit c38d142744489fc4d9be80188b6435a278438fd9 +Author: Suleiman Souhlal +Date: Sat Apr 13 16:03:06 2013 -0700 + + Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 + + vfs: Revert spurious fix to spinning prevention in prune_icache_sb + + Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). + + This commit doesn't look right: since we are looking at the tail of the + list (sb->s_inode_lru.prev) if we want to skip an inode, we should put + it back at the head of the list instead of the tail, otherwise we will + keep spinning on it. + + Discovered when investigating why prune_icache_sb came top in perf + reports of a swapping load. + + Signed-off-by: Suleiman Souhlal + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org # v3.2+ + Signed-off-by: Linus Torvalds + + fs/inode.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 93019624b80ba59798393942798d7f6ed0c1dbc6 +Author: Linus Torvalds +Date: Sat Apr 13 15:15:30 2013 -0700 + + Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 + + kobject: fix kset_find_obj() race with concurrent last kobject_put() + + Anatol Pomozov identified a race condition that hits module unloading + and re-loading. To quote Anatol: + + "This is a race codition that exists between kset_find_obj() and + kobject_put(). kset_find_obj() might return kobject that has refcount + equal to 0 if this kobject is freeing by kobject_put() in other + thread. + + Here is timeline for the crash in case if kset_find_obj() searches for + an object tht nobody holds and other thread is doing kobject_put() on + the same kobject: + + THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) + splin_lock() + atomic_dec_return(kobj->kref), counter gets zero here + ... starts kobject cleanup .... + spin_lock() // WAIT thread A in kobj_kset_leave() + iterate over kset->list + atomic_inc(kobj->kref) (counter becomes 1) + spin_unlock() + spin_lock() // taken + // it does not know that thread A increased counter so it + remove obj from list + spin_unlock() + vfree(module) // frees module object with containing kobj + + // kobj points to freed memory area!! + kobject_put(kobj) // OOPS!!!! + + The race above happens because module.c tries to use kset_find_obj() + when somebody unloads module. The module.c code was introduced in + commit 6494a93d55fa" + + Anatol supplied a patch specific for module.c that worked around the + problem by simply not using kset_find_obj() at all, but rather than make + a local band-aid, this just fixes kset_find_obj() to be thread-safe + using the proper model of refusing the get a new reference if the + refcount has already dropped to zero. + + See examples of this proper refcount handling not only in the kref + documentation, but in various other equivalent uses of this pattern by + grepping for atomic_inc_not_zero(). + + [ Side note: the module race does indicate that module loading and + unloading is not properly serialized wrt sysfs information using the + module mutex. That may require further thought, but this is the + correct fix at the kobject layer regardless. ] + + Reported-analyzed-and-tested-by: Anatol Pomozov + Cc: Greg Kroah-Hartman + Cc: Al Viro + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + lib/kobject.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +commit 5277b052b5fab36729e1255fb3b12f47a4b12867 +Author: Dave Hansen +Date: Fri Apr 12 16:23:54 2013 -0700 + + Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 + + x86-32: Fix possible incomplete TLB invalidate with PAE pagetables + + This patch attempts to fix: + + https://bugzilla.kernel.org/show_bug.cgi?id=56461 + + The symptom is a crash and messages like this: + + chrome: Corrupted page table at address 34a03000 + *pdpt = 0000000000000000 *pde = 0000000000000000 + Bad pagetable: 000f [#1] PREEMPT SMP + + Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: + enable tlb flush range support for x86") since that code started to free + unused pagetables. + + On x86-32 PAE kernels, that new code has the potential to free an entire + PMD page and will clear one of the four page-directory-pointer-table + (aka pgd_t entries). + + The hardware aggressively "caches" these top-level entries and invlpg + does not actually affect the CPU's copy. If we clear one we *HAVE* to + do a full TLB flush, otherwise we might continue using a freed pmd page. + (note, we do this properly on the population side in pud_populate()). + + This patch tracks whenever we clear one of these entries in the 'struct + mmu_gather', and ensures that we follow up with a full tlb flush. + + BTW, I disassembled and checked that: + + if (tlb->fullmm == 0) + and + if (!tlb->fullmm && !tlb->need_flush_all) + + generate essentially the same code, so there should be zero impact there + to the !PAE case. + + Signed-off-by: Dave Hansen + Cc: Peter Anvin + Cc: Ingo Molnar + Cc: Artem S Tashkinov + Signed-off-by: Linus Torvalds + + arch/x86/include/asm/tlb.h | 2 +- + arch/x86/mm/pgtable.c | 7 +++++++ + include/asm-generic/tlb.h | 7 ++++++- + mm/memory.c | 1 + + 4 files changed, 15 insertions(+), 2 deletions(-) + +commit 521e573fc77d1783c1d4636dfbb4617a922f043d +Merge: 032f626 f807619 +Author: Brad Spengler +Date: Fri Apr 12 19:29:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f80761993b85df96fc142dfc3a317cadc0f8eae5 +Author: Brad Spengler +Date: Fri Apr 12 19:28:21 2013 -0400 + + Update to pax-linux-3.8.7-test19.patch: + - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld + - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) + - fixed the structleak plugin to compile for gcc 4.5-4.6 as well + + Makefile | 2 +- + arch/x86/xen/enlighten.c | 6 +++--- + tools/gcc/structleak_plugin.c | 5 +++-- + 3 files changed, 7 insertions(+), 6 deletions(-) + +commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 +Merge: a3a770e 89886f5 +Author: Brad Spengler +Date: Fri Apr 12 18:38:40 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89886f561cc0d1c42a99624ec8c3704711088155 +Merge: 9123489 531ec28 +Author: Brad Spengler +Date: Fri Apr 12 18:38:30 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit a3a770e18578841e4fbe2aa0831a22811b4812cf +Author: Brad Spengler +Date: Thu Apr 11 20:46:20 2013 -0400 + + Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" + Will be fixed with the next PaX patch + + This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 +Author: Konrad Rzeszutek Wilk +Date: Fri Mar 29 10:20:56 2013 -0400 + + Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 + + xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. + + Occassionaly on a DL380 G4 the guest would crash quite early with this: + + (XEN) d244:v0: unhandled page fault (ec=0003) + (XEN) Pagetable walk from ffffffff84dc7000: + (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 + (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d + (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def + (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 + (XEN) domain_crash_sync called from entry.S + (XEN) Domain 244 (vcpu#0) crashed on cpu#3: + (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- + (XEN) CPU: 3 + (XEN) RIP: e033:[] + (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest + (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f + (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 + + The offending code shows it to be a loop writting the value zero + (%rax) in the %rdi (the L4 provided by Xen) register: + + 0: 44 00 00 add %r8b,(%rax) + 3: 31 c0 xor %eax,%eax + 5: b9 40 00 00 00 mov $0x40,%ecx + a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) + 11: 00 00 + 13: ff c9 dec %ecx + 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction + 18: 48 89 47 08 mov %rax,0x8(%rdi) + 1c: 48 89 47 10 mov %rax,0x10(%rdi) + + which fails. xen_setup_kernel_pagetable recycles some of the Xen's + page-table entries when it has switched over to its Linux page-tables. + + Right before try to clear the page, we make a hypercall to change + it from _RO to _RW and that works (otherwise we would hit an BUG()). + And the _RW flag is set for that page: + (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 + + The error code is 3, so PFEC_page_present and PFEC_write_access, so page is + present (correct), and we tried to write to the page, but a violation + occurred. The one theory is that the the page entries in hardware + (which are cached) are not up to date with what we just set. Especially + as we have just done an CR3 write and flushed the multicalls. + + This patch does solve the problem by flusing out the TLB page + entry after changing it from _RO to _RW and we don't hit this + issue anymore. + + Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO + 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] + Reported-and-Tested-by: Saar Maoz + Signed-off-by: Konrad Rzeszutek Wilk + + arch/x86/xen/mmu.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 +Author: Namhyung Kim +Date: Mon Apr 1 21:46:23 2013 +0900 + + Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 + + tracing: Fix double free when function profile init failed + + On the failure path, stat->start and stat->pages will refer same page. + So it'll attempt to free the same page again and get kernel panic. + + Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org + + Cc: Frederic Weisbecker + Cc: Namhyung Kim + Cc: stable@vger.kernel.org + Signed-off-by: Namhyung Kim + Signed-off-by: Steven Rostedt + + kernel/trace/ftrace.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb +Author: Neil Horman +Date: Tue Apr 9 23:19:00 2013 +0000 + + Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 + + e100: Add dma mapping error check + + e100 uses pci_map_single, but fails to check for a dma mapping error after its + use, resulting in a stack trace: + + [ 46.656594] ------------[ cut here ]------------ + [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() + [ 46.657004] Hardware name: To Be Filled By O.E.M. + [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map + error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] + [ 46.657004] Modules linked in: + [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus + snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc + e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp + k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd + sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit + drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core + sata_promise crc_itu_t + [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 + [ 46.657004] Call Trace: + [ 46.657004] [] warn_slowpath_common+0x70/0xa0 + [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 + [ 46.657004] [] check_unmap+0x47b/0x950 + [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 + [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] + [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] + [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] + [ 46.657004] [] ? net_rx_action+0xa1/0x370 + [ 46.657004] [] net_rx_action+0x172/0x370 + [ 46.657004] [] __do_softirq+0xef/0x3d0 + [ 46.657004] [] call_softirq+0x1c/0x30 + [ 46.657004] [] do_softirq+0x85/0xc0 + [ 46.657004] [] irq_exit+0xd5/0xe0 + [ 46.657004] [] do_IRQ+0x56/0xc0 + [ 46.657004] [] common_interrupt+0x72/0x72 + [ 46.657004] [] ? + _raw_spin_unlock_irqrestore+0x3b/0x70 + [ 46.657004] [] __slab_free+0x58/0x38b + [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 + [ 46.657004] [] ? kmem_cache_free+0x97/0x320 + [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 + [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 + [ 46.657004] [] kmem_cache_free+0x312/0x320 + [ 46.657004] [] sock_destroy_inode+0x34/0x40 + [ 46.657004] [] destroy_inode+0x38/0x60 + [ 46.657004] [] evict+0x10e/0x1a0 + [ 46.657004] [] iput+0xf5/0x180 + [ 46.657004] [] dput+0x248/0x310 + [ 46.657004] [] __fput+0x171/0x240 + [ 46.657004] [] ____fput+0xe/0x10 + [ 46.657004] [] task_work_run+0xac/0xe0 + [ 46.657004] [] do_exit+0x26d/0xc30 + [ 46.657004] [] ? finish_task_switch+0x7c/0x120 + [ 46.657004] [] ? retint_swapgs+0x13/0x1b + [ 46.657004] [] do_group_exit+0x49/0xc0 + [ 46.657004] [] sys_exit_group+0x14/0x20 + [ 46.657004] [] system_call_fastpath+0x16/0x1b + [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- + [ 46.657004] Mapped at: + [ 46.657004] [] debug_dma_map_page+0x91/0x140 + [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] + [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] + [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] + [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 + + Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the + dma_mapping_error check in the obvious place + + This was reported previously here: + http://article.gmane.org/gmane.linux.network/257893 + + But nobody stepped up and fixed it. + + CC: Josh Boyer + CC: e1000-devel@lists.sourceforge.net + Signed-off-by: Neil Horman + Reported-by: Michal Jaegermann + Tested-by: Aaron Brown + Signed-off-by: Jeff Kirsher + Signed-off-by: David S. Miller + + drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- + 1 files changed, 25 insertions(+), 11 deletions(-) + +commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 +Author: Trond Myklebust +Date: Wed Apr 10 12:44:18 2013 -0400 + + Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 + + NFSv4: Doh! Typo in the fix to nfs41_walk_client_list + + Make sure that we set the status to 0 on success. Missed in testing + because it never appears when doing multiple mounts to _different_ + servers. + + Signed-off-by: Trond Myklebust + Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list + + fs/nfs/nfs4client.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea +Author: Yuval Mintz +Date: Wed Apr 10 13:34:39 2013 +0300 + + Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b + + bnx2x: Prevent null pointer dereference in AFEX mode + + The cnic module is responsible for initializing various bnx2x structs + via callbacks provided by the bnx2x module. + One such struct is the queue object for the FCoE queue. + + If a device is working in AFEX mode and its configuration allows FCoE yet + the cnic module is not loaded, it's very likely a null pointer dereference + will occur, as the bnx2x will erroneously access the FCoE's queue object. + + Prevent said access until cnic properly registers itself. + + Signed-off-by: Yuval Mintz + Signed-off-by: Ariel Elior + Signed-off-by: Eilon Greenstein + Signed-off-by: David S. Miller + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 2908830232725db624aaa052f7ad38d1f98bf541 +Author: Wei Yongjun +Date: Tue Apr 9 14:16:04 2013 +0800 + + Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc + + can: gw: use kmem_cache_free() instead of kfree() + + Memory allocated by kmem_cache_alloc() should be freed using + kmem_cache_free(), not kfree(). + + Cc: linux-stable # >= v3.2 + Signed-off-by: Wei Yongjun + Acked-by: Oliver Hartkopp + Signed-off-by: Marc Kleine-Budde + + net/can/gw.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit d40b572e845a5fb561e3c4a80cc306cd38888a4e +Author: Christoph Paasch +Date: Sun Apr 7 04:53:15 2013 +0000 + + Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd + + ipv6/tcp: Stop processing ICMPv6 redirect messages + + Tetja Rediske found that if the host receives an ICMPv6 redirect message + after sending a SYN+ACK, the connection will be reset. + + He bisected it down to 093d04d (ipv6: Change skb->data before using + icmpv6_notify() to propagate redirect), but the origin of the bug comes + from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error + handlers.). The bug simply did not trigger prior to 093d04d, because + skb->data did not point to the inner IP header and thus icmpv6_notify + did not call the correct err_handler. + + This patch adds the missing "goto out;" in tcp_v6_err. After receiving + an ICMPv6 Redirect, we should not continue processing the ICMP in + tcp_v6_err, as this may trigger the removal of request-socks or setting + sk_err(_soft). + + Reported-by: Tetja Rediske + Signed-off-by: Christoph Paasch + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv6/tcp_ipv6.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c7d5c2524456ef3ea9194840e7a9a75069a46824 +Author: Brad Spengler +Date: Wed Apr 10 20:32:54 2013 -0400 + + - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit acac2380fd97acee4367d2aa24c74322dcf1d22b +Author: Trond Myklebust +Date: Fri Apr 5 16:11:11 2013 -0400 + + Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc + + NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list + + It is unsafe to use list_for_each_entry_safe() here, because + when we drop the nn->nfs_client_lock, we pin the _current_ list + entry and ensure that it stays in the list, but we don't do the + same for the _next_ list entry. Use of list_for_each_entry() is + therefore the correct thing to do. + + Also fix the refcounting in nfs41_walk_client_list(). + + Finally, ensure that the nfs_client has finished being initialised + and, in the case of NFSv4.1, that the session is set up. + + Signed-off-by: Trond Myklebust + Cc: Chuck Lever + Cc: Bryan Schumaker + Cc: stable@vger.kernel.org [>= 3.7] + + fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- + 1 files changed, 28 insertions(+), 16 deletions(-) + +commit a6cf5f387b882ac0ce655b75f623f86c075517be +Author: Chuck Lever +Date: Fri Mar 22 12:52:59 2013 -0400 + + Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e + + SUNRPC: Remove extra xprt_put() + + While testing error cases where rpc_new_client() fails, I saw + some oopses. + + If rpc_new_client() fails, it already invokes xprt_put(). Thus + __rpc_clone_client() does not need to invoke it again. + + Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" + Fri Sep 14, 2012. + + Signed-off-by: Chuck Lever + Cc: stable@vger.kernel.org [>=3.7] + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 +Author: Trond Myklebust +Date: Fri Apr 5 14:13:21 2013 -0400 + + Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 + + SUNRPC: Fix a potential memory leak in rpc_new_client + + If the call to rpciod_up() fails, we currently leak a reference to the + struct rpc_xprt. + As part of the fix, we also remove the redundant check for xprt!=NULL. + This is already taken care of by the callers. + + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 7 ++----- + 1 files changed, 2 insertions(+), 5 deletions(-) + +commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac +Author: Brad Spengler +Date: Wed Apr 10 19:16:05 2013 -0400 + + From https://lkml.org/lkml/2013/4/8/469: + [PATCH] rtnetlink: call nlmsg_parse() with correct header length + + net/core/rtnetlink.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9529169b8c405874fd543b785f53c74fa0501c2a +Author: Christopher Harvey +Date: Fri Apr 5 10:51:15 2013 -0400 + + Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 + + drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. + + This change properly enables the "requester" in G200ER cards that is + responsible for getting pixels out of memory and clocking them out to + the screen. + + Signed-off-by: Christopher Harvey + Cc: stable@vger.kernel.org + Signed-off-by: Dave Airlie + + drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- + 1 files changed, 3 insertions(+), 10 deletions(-) + +commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a +Author: Al Viro +Date: Thu Mar 28 13:30:23 2013 -0400 + + Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee + + ecryptfs: close rmmod race + + Signed-off-by: Al Viro + + fs/ecryptfs/miscdev.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b +Author: Brad Spengler +Date: Wed Apr 10 19:03:45 2013 -0400 + + Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 + + arch/ia64/kernel/palinfo.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 83280e384ae3ceadad30369ced111dc7d4b46085 +Author: Andrey Vagin +Date: Tue Apr 9 17:33:29 2013 +0400 + + Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 + + mnt: release locks on error path in do_loopback + + do_loopback calls lock_mount(path) and forget to unlock_mount + if clone_mnt or copy_mnt fails. + + [ 77.661566] ================================================ + [ 77.662939] [ BUG: lock held when returning to user space! ] + [ 77.664104] 3.9.0-rc5+ #17 Not tainted + [ 77.664982] ------------------------------------------------ + [ 77.666488] mount/514 is leaving the kernel with locks still held! + [ 77.668027] 2 locks held by mount/514: + [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 + [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 + + Signed-off-by: Andrey Vagin + Signed-off-by: Al Viro + + fs/namespace.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 679e536b9d9536d804f049fe942367a596253e6d +Author: Alex Williamson +Date: Tue Mar 26 11:33:16 2013 -0600 + + Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c + + vfio-pci: Fix possible integer overflow + + The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both + of which are unsigned. We attempt to bounds check these, but fail to + account for the case where start is a very large number, allowing + start + count to wrap back into the valid range. Bounds check both + start and start + count. + + Reported-by: Dan Carpenter + Signed-off-by: Alex Williamson + + drivers/vfio/pci/vfio_pci.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 +Author: Brad Spengler +Date: Wed Apr 10 18:48:45 2013 -0400 + + Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b5261a6384ee42499b29495aaae40b271e77d394 +Author: Brad Spengler +Date: Tue Apr 9 17:30:45 2013 -0400 + + some undefined behavior fixups + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_ip.c | 10 +++++----- + grsecurity/gracl_segv.c | 4 ++-- + 3 files changed, 9 insertions(+), 9 deletions(-) + +commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 +Author: Brad Spengler +Date: Tue Apr 9 17:28:54 2013 -0400 + + don't whine about denied ipv6 when it's not enabled + + grsecurity/gracl_ip.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 +Merge: 97bca88 9123489 +Author: Brad Spengler +Date: Tue Apr 9 17:18:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 9123489428c58668a89f316db6619739cbdd2c2a +Author: Brad Spengler +Date: Tue Apr 9 17:17:46 2013 -0400 + + Update to pax-linux-3.8.6-test18.patch: + - new size overflow plugin from Emese to work around a gcc optimization + resulting in an intentional overflow, reported by Carlos Carvalho + (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) + + tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- + 1 files changed, 66 insertions(+), 2 deletions(-) + +commit 97bca8889e0f1e853f16b7026c39c6729a8587ab +Merge: 675a41e e9d6073 +Author: Brad Spengler +Date: Mon Apr 8 21:32:59 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/kernel/us3_cpufreq.c + +commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef +Author: Brad Spengler +Date: Mon Apr 8 21:19:03 2013 -0400 + + Update to pax-linux-3.8.6-test17.patch: + - fixed ia64/ppc/sparc compilation by spender + - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) + + arch/ia64/include/asm/uaccess.h | 2 - + arch/powerpc/include/asm/uaccess.h | 2 - + arch/sparc/include/asm/uaccess.h | 7 ---- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- + tools/gcc/structleak_plugin.c | 15 ++++---- + 6 files changed, 28 insertions(+), 69 deletions(-) + +commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b +Author: Brad Spengler +Date: Sun Apr 7 12:00:50 2013 -0400 + + fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin + + net/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5a216624a06429488f24ce47db093da042f90e48 +Author: Brad Spengler +Date: Sat Apr 6 13:22:24 2013 -0400 + + fix typo + + arch/sparc/kernel/us3_cpufreq.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit e476ca18d21788898cd3acd1b57049971a2fb70f +Author: Brad Spengler +Date: Sat Apr 6 13:16:13 2013 -0400 + + properly fix cpufreq_driver for ultrasparc III with constification + + arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ + 1 files changed, 17 insertions(+), 18 deletions(-) + +commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae +Author: Brad Spengler +Date: Sat Apr 6 12:58:48 2013 -0400 + + mark prom_sparc_ops __initconst + + arch/sparc/kernel/prom_common.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 +Author: Brad Spengler +Date: Sat Apr 6 12:53:16 2013 -0400 + + fix ia64/powerpc/sparc compilation + + arch/ia64/include/asm/uaccess.h | 2 -- + arch/powerpc/include/asm/uaccess.h | 2 -- + arch/sparc/include/asm/uaccess.h | 7 ------- + 3 files changed, 0 insertions(+), 11 deletions(-) + +commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 +Author: Johannes Berg +Date: Tue Mar 19 20:26:57 2013 +0100 + + Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d + + cfg80211: fix wdev tracing crash + + Arend reported a crash in tracing if the driver returns an + ERR_PTR() value from the add_virtual_intf() callback. This + is due to the tracing then still attempting to dereference + the "pointer", fix this by using IS_ERR_OR_NULL(). + + Reported-by: Arend van Spriel + Tested-by: Arend van Spriel + Signed-off-by: Johannes Berg + + net/wireless/trace.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd +Author: Johannes Berg +Date: Mon Mar 25 11:51:14 2013 +0100 + + Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b + + mac80211: fix remain-on-channel cancel crash + + If a ROC item is canceled just as it expires, the work + struct may be scheduled while it is running (and waiting + for the mutex). This results in it being run after being + freed, which obviously crashes. + + To fix this don't free it when aborting is requested but + instead mark it as "to be freed", which makes the work a + no-op and allows freeing it outside. + + Cc: stable@vger.kernel.org [3.6+] + Reported-by: Jouni Malinen + Tested-by: Jouni Malinen + Signed-off-by: Johannes Berg + + net/mac80211/cfg.c | 6 ++++-- + net/mac80211/ieee80211_i.h | 3 ++- + net/mac80211/offchannel.c | 23 +++++++++++++++++------ + 3 files changed, 23 insertions(+), 9 deletions(-) + +commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 +Author: Stone Piao +Date: Fri Mar 29 19:21:21 2013 -0700 + + Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f + + mwifiex: limit channel number not to overflow memory + + Limit the channel number in scan request, or the driver scan + config structure memory will be overflowed. + + Cc: # 3.5+ + Signed-off-by: Stone Piao + Signed-off-by: Bing Zhao + Signed-off-by: John W. Linville + + drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 207c411512bdaf0e4271f93ecac6ca26588da36f +Author: Gao feng +Date: Thu Mar 21 19:48:41 2013 +0000 + + Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe + + netfilter: reset nf_trace in nf_reset + + We forgot to clear the nf_trace of sk_buff in nf_reset, + When we use veth device, this nf_trace information will + be leaked from one net namespace to another net namespace. + + Signed-off-by: Gao feng + Signed-off-by: Pablo Neira Ayuso + + include/linux/skbuff.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f +Author: Wei Yongjun +Date: Fri Mar 22 01:28:18 2013 +0000 + + Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c + + netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + Signed-off-by: Wei Yongjun + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_queue_core.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit a79feb7d3251eca577d83d7f69eee2b961ab2924 +Author: Pablo Neira Ayuso +Date: Sat Mar 23 16:57:59 2013 +0100 + + Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 + + netfilter: nfnetlink_acct: return -EINVAL if object name is empty + + If user-space tries to create accounting object with an empty + name, then return -EINVAL. + + Reported-by: Michael Zintakis + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_acct.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 +Author: Matthias Schiffer +Date: Sat Mar 30 10:23:12 2013 +0000 + + Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 + + netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths + + The bitmask used for the prefix mangling was being calculated + incorrectly, leading to the wrong part of the address being replaced + when the prefix length wasn't a multiple of 32. + + Signed-off-by: Matthias Schiffer + Signed-off-by: Pablo Neira Ayuso + + net/ipv6/netfilter/ip6t_NPT.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e +Author: Veaceslav Falico +Date: Wed Apr 3 05:46:33 2013 +0000 + + Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d + + bonding: remove sysfs before removing devices + + We have a race condition if we try to rmmod bonding and simultaneously add + a bond master through sysfs. In bonding_exit() we first remove the devices + (through rtnl_link_unregister() ) and only after that we remove the sysfs. + If we manage to add a device through sysfs after that the devices were + removed - we'll end up with that device/sysfs structure and with the module + unloaded. + + Fix this by first removing the sysfs and only after that calling + rtnl_link_unregister(). + + Signed-off-by: Veaceslav Falico + Signed-off-by: David S. Miller + + drivers/net/bonding/bond_main.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d12cae44a9d12441d81c489178803237219d403d +Author: Eric W. Biederman +Date: Wed Apr 3 16:14:47 2013 +0000 + + Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 + + af_unix: If we don't care about credentials coallesce all messages + + It was reported that the following LSB test case failed + https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we + were not coallescing unix stream messages when the application was + expecting us to. + + The problem was that the first send was before the socket was accepted + and thus sock->sk_socket was NULL in maybe_add_creds, and the second + send after the socket was accepted had a non-NULL value for sk->socket + and thus we could tell the credentials were not needed so we did not + bother. + + The unnecessary credentials on the first message cause + unix_stream_recvmsg to start verifying that all messages had the same + credentials before coallescing and then the coallescing failed because + the second message had no credentials. + + Ignoring credentials when we don't care in unix_stream_recvmsg fixes a + long standing pessimization which would fail to coallesce messages when + reading from a unix stream socket if the senders were different even if + we did not care about their credentials. + + I have tested this and verified that the in the LSB test case mentioned + above that the messages do coallesce now, while the were failing to + coallesce without this change. + + Reported-by: Karel Srot + Reported-by: Ding Tianhong + Signed-off-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf +Author: Eric W. Biederman +Date: Wed Apr 3 16:13:35 2013 +0000 + + Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 + + Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" + + This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. + + The problem that the above patch was meant to address is that af_unix + messages are not being coallesced because we are sending unnecesarry + credentials. Not sending credentials in maybe_add_creds totally + breaks unconnected unix domain sockets that wish to send credentails + to other sockets. + + In practice this break some versions of udev because they receive a + message and the sending uid is bogus so they drop the message. + + Reported-by: Sven Joachim + Signed-off-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 +Author: Wei Yongjun +Date: Wed Mar 20 21:31:42 2013 +0000 + + Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e + + lantiq_etop: use free_netdev(netdev) instead of kfree() + + Freeing netdev without free_netdev() leads to net, tx leaks. + And it may lead to dereferencing freed pointer. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + + drivers/net/ethernet/lantiq_etop.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f +Author: Cong Wang +Date: Fri Mar 22 19:14:07 2013 +0000 + + Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb + + 8021q: fix a potential use-after-free + + vlan_vid_del() could possibly free ->vlan_info after a RCU grace + period, however, we may still refer to the freed memory area + by 'grp' pointer. Found by code inspection. + + This patch moves vlan_vid_del() as behind as possible. + + Cc: Patrick McHardy + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/8021q/vlan.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit fff29c277024a39845d4b535083c8dafc21b45d9 +Author: Hong zhi guo +Date: Sat Mar 23 02:27:50 2013 +0000 + + Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 + + bridge: fix crash when set mac address of br interface + + When I tried to set mac address of a bridge interface to a mac + address which already learned on this bridge, I got system hang. + + The cause is straight forward: function br_fdb_change_mac_address + calls fdb_insert with NULL source nbp. Then an fdb lookup is + performed. If an fdb entry is found and it's local, it's OK. But + if it's not local, source is dereferenced for printk without NULL + check. + + Signed-off-by: Hong Zhiguo + Signed-off-by: David S. Miller + + net/bridge/br_fdb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 +Author: Kumar Amit Mehta +Date: Sat Mar 23 20:10:25 2013 +0000 + + Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a + + bnx2x: fix assignment of signed expression to unsigned variable + + fix for incorrect assignment of signed expression to unsigned variable. + + Signed-off-by: Kumar Amit Mehta + Acked-by: Dmitry Kravkov + Signed-off-by: David S. Miller + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e +Author: dingtianhong +Date: Mon Mar 25 17:02:04 2013 +0000 + + Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 + + af_unix: dont send SCM_CREDENTIAL when dest socket is NULL + + SCM_SCREDENTIALS should apply to write() syscalls only either source or destination + socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, + and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). + + Origionally-authored-by: Karel Srot + Signed-off-by: Ding Tianhong + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b964e1e61f0f0ccaa380be3342f956c604054bdc +Author: Eric W. Biederman +Date: Thu Mar 21 02:30:41 2013 -0700 + + Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 + + yama: Better permission check for ptraceme + + Change the permission check for yama_ptrace_ptracee to the standard + ptrace permission check, testing if the traceer has CAP_SYS_PTRACE + in the tracees user namespace. + + Reviewed-by: Kees Cook + Signed-off-by: "Eric W. Biederman" + + security/yama/yama_lsm.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit b94e71c7b6abe75989edff18aca2781233fa143b +Author: Stanislav Kinsbursky +Date: Mon Apr 1 11:40:51 2013 +0400 + + Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d + + ipc: set msg back to -EAGAIN if copy wasn't performed + + Make sure that msg pointer is set back to error value in case of + MSG_COPY flag is set and desired message to copy wasn't found. This + garantees that msg is either a error pointer or a copy address. + + Otherwise the last message in queue will be freed without unlinking from + the queue (which leads to memory corruption) and the dummy allocated + copy won't be released. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: Linus Torvalds + + ipc/msg.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 +Author: Jan Kara +Date: Fri Mar 29 15:39:16 2013 +0100 + + Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 + + reiserfs: Fix warning and inode leak when deleting inode with xattrs + + After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs + started failing to delete xattrs from inode. This was due to a buggy + test for '.' and '..' in fill_with_dentries() which resulted in passing + '.' and '..' entries to lookup_one_len() in some cases. That returned + error and so we failed to iterate over all xattrs of and inode. + + Fix the test in fill_with_dentries() along the lines of the one in + lookup_one_len(). + + Reported-by: Pawel Zawora + CC: stable@vger.kernel.org + Signed-off-by: Jan Kara + + fs/reiserfs/xattr.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9f07957378e0f55abb81da8e23b124a608fbe1cc +Author: Paul Bolle +Date: Wed Apr 3 12:24:45 2013 +0100 + + Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 + + ARM: 7690/1: mm: fix CONFIG_LPAE typos + + CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix + up the two typos under arch/arm/. + + The fix to head.S is slightly scary, but this is just for setting up + an early io-mapping for the serial port when running on a big-endian, + LPAE system. Since these systems don't exist in the wild (at least, I + have no access to one outside of kvmtool, which doesn't provide a serial + port suitable for earlyprintk), then we can revisit the code later if it + causes any problems. + + Signed-off-by: Paul Bolle + Signed-off-by: Will Deacon + Signed-off-by: Russell King + + arch/arm/kernel/head.S | 2 +- + arch/arm/kernel/setup.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 984ba346b2d8f158473e9723ba145031368431ed +Author: Catalin Marinas +Date: Tue Mar 26 23:35:04 2013 +0100 + + Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb + + ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) + + On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down + all use of the old entries. This patch implements the erratum workaround + which consists of: + + 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. + 2. Send IPI to the CPUs that are running the same mm (and ASID) as the + one being invalidated (or all the online CPUs for global pages). + 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception + return code already). + + Signed-off-by: Catalin Marinas + Signed-off-by: Russell King + + Conflicts: + + arch/arm/include/asm/tlbflush.h + arch/arm/kernel/smp_tlb.c + arch/arm/mm/context.c + + arch/arm/Kconfig | 10 +++++ + arch/arm/include/asm/highmem.h | 7 ++++ + arch/arm/include/asm/mmu_context.h | 2 + + arch/arm/include/asm/tlbflush.h | 15 ++++++++ + arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ + arch/arm/mm/context.c | 6 ++- + 6 files changed, 104 insertions(+), 2 deletions(-) + +commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 +Author: Jan Stancek +Date: Thu Apr 4 11:35:10 2013 -0700 + + Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c + + mm: prevent mmap_cache race in find_vma() + + find_vma() can be called by multiple threads with read lock + held on mm->mmap_sem and any of them can update mm->mmap_cache. + Prevent compiler from re-fetching mm->mmap_cache, because other + readers could update it in the meantime: + + thread 1 thread 2 + | + find_vma() | find_vma() + struct vm_area_struct *vma = NULL; | + vma = mm->mmap_cache; | + if (!(vma && vma->vm_end > addr | + && vma->vm_start <= addr)) { | + | mm->mmap_cache = vma; + return vma; | + ^^ compiler may optimize this | + local variable out and re-read | + mm->mmap_cache | + + This issue can be reproduced with gcc-4.8.0-1 on s390x by running + mallocstress testcase from LTP, which triggers: + + kernel BUG at mm/rmap.c:1088! + Call Trace: + ([<000003d100c57000>] 0x3d100c57000) + [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 + [<000000000023baae>] handle_pte_fault+0x41a/0xac8 + [<000000000023d832>] handle_mm_fault+0x17a/0x268 + [<000000000060507a>] do_protection_exception+0x1e2/0x394 + [<0000000000603a04>] pgm_check_handler+0x138/0x13c + [<000003fffcf1f07a>] 0x3fffcf1f07a + Last Breaking-Event-Address: + [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 + + Thanks to Jakub Jelinek for his insight on gcc and helping to + track this down. + + Signed-off-by: Jan Stancek + Acked-by: David Rientjes + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + mm/mmap.c | 2 +- + mm/nommu.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 53f5096daa14967938bc154e6c41f9119863fb36 +Merge: e988d7c 0a45285 +Author: Brad Spengler +Date: Fri Apr 5 17:32:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/net/ethernet/broadcom/tg3.c + +commit 0a452855444d02502df6eb21ef3083cf303f71e1 +Merge: 0277fa1 00cfbb8 +Author: Brad Spengler +Date: Fri Apr 5 17:31:15 2013 -0400 + + Update to pax-linux-3.8.6-test16.patch: + - fixed some attribute leakage into userland headers, patch by Mathias Krause + - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + drivers/gpu/drm/i915/intel_display.c + +commit e988d7c8d946c816a2cb97f0d38048a1584966b8 +Merge: baec40e 0277fa1 +Author: Brad Spengler +Date: Wed Apr 3 22:05:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0277fa123b486cf11420967e4568d7653e225fd3 +Author: Brad Spengler +Date: Wed Apr 3 22:04:48 2013 -0400 + + Update to pax-linux-3.8.5-test15.patch: + - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) + - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) + + drivers/media/pci/cx88/cx88-video.c | 6 +++--- + include/net/net_namespace.h | 4 ++++ + 2 files changed, 7 insertions(+), 3 deletions(-) + +commit baec40e6708fd5ae2000cad6c70c5980c998b91c +Author: Brad Spengler +Date: Tue Apr 2 19:50:32 2013 -0400 + + fix compilation as reported on forums for gcc versions lacking plugin + support + + include/net/net_namespace.h | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 +Merge: 6b69c35 0db9d15 +Author: Brad Spengler +Date: Tue Apr 2 17:47:27 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0db9d156826bdd50510086fde837648a3dfd370e +Author: Brad Spengler +Date: Tue Apr 2 17:46:05 2013 -0400 + + Update to pax-linux-3.8.5-test14.patch: + - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table + + arch/x86/include/asm/uaccess_64.h | 6 +- + include/linux/moduleloader.h | 4 +- + tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- + 3 files changed, 61 insertions(+), 47 deletions(-) + +commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d +Author: Brad Spengler +Date: Tue Apr 2 17:35:06 2013 -0400 + + remove duplicate compiler.h + + include/linux/sysrq.h | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit 01e1d503fd2220adaaec0b92ea19441bdff73555 +Author: Brad Spengler +Date: Fri Mar 29 19:53:50 2013 -0400 + + fix intentional_overflow marking on sys_sendto + + include/linux/syscalls.h | 2 +- + net/socket.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit cd5ff114d958470f471c63775278e8c05e774630 +Author: Brad Spengler +Date: Fri Mar 29 18:46:16 2013 -0400 + + fix size_overflow false positive + + kernel/futex_compat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 295ba16cc53df2375261accbedd6575ea327770a +Merge: 18340f1 278a989 +Author: Brad Spengler +Date: Fri Mar 29 17:36:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/exec.c + include/linux/thread_info.h + +commit 278a989c831d62193c7b3d119fe2302babd45d12 +Author: Brad Spengler +Date: Fri Mar 29 17:34:34 2013 -0400 + + Resync with pax-linux-3.8.5-test13.patch + + arch/arm/include/asm/pgtable.h | 3 ++- + arch/arm/lib/delay.c | 1 + + fs/exec.c | 8 ++++---- + include/linux/compiler.h | 1 + + include/linux/proc_fs.h | 2 +- + include/linux/thread_info.h | 6 +++--- + include/linux/zlib.h | 3 ++- + init/main.c | 4 ++-- + kernel/user_namespace.c | 2 +- + lib/list_debug.c | 4 ++-- + mm/slab.c | 1 + + mm/slob.c | 1 + + mm/slub.c | 1 + + net/core/sysctl_net_core.c | 3 +-- + tools/gcc/constify_plugin.c | 1 + + 15 files changed, 24 insertions(+), 17 deletions(-) + +commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 +Merge: 05f01ae e8cfeae +Author: Brad Spengler +Date: Fri Mar 29 17:30:57 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 +Merge: b461cb7 aa4cfde +Author: Brad Spengler +Date: Fri Mar 29 17:30:44 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + drivers/gpu/drm/i915/i915_gem_execbuffer.c + fs/nfsd/vfs.c + +commit 05f01ae4c3479541586a2387f916a6620889c479 +Author: Brad Spengler +Date: Fri Mar 29 17:05:39 2013 -0400 + + Another infoleak, up to 128 bytes on the stack in __sys_recvmsg + takes user-provided length, copies up to that amount in a sockaddr_storage + struct on the stack, then takes an upper-bounded-only user-provided length + and copies the sockaddr_storage struct back out to userland, complete with + uninitialized data + + net/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit eea6ade59490784e83e08ec67322288fcf14cb31 +Author: Brad Spengler +Date: Thu Mar 28 23:07:37 2013 -0400 + + return a proper error, otherwise we could be accessing uninitialized data + (previous define was a positive value) + + drivers/usb/storage/realtek_cr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e +Merge: c3dc9a6 b461cb7 +Author: Brad Spengler +Date: Thu Mar 28 20:54:24 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b461cb7b1d85490430ef7896c247794af72c3749 +Author: Brad Spengler +Date: Thu Mar 28 20:54:11 2013 -0400 + + Add structleak plugin + + tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 270 insertions(+), 0 deletions(-) + +commit c3dc9a6ef10782894bb11fd088fd712db44d8062 +Author: Brad Spengler +Date: Thu Mar 28 20:53:22 2013 -0400 + + Enable structleak by default for the security auto-config + + security/Kconfig | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e +Merge: d8503a3 74bec16 +Author: Brad Spengler +Date: Thu Mar 28 20:47:10 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 74bec16b657147a5575b1f14f4423a717ba317a6 +Author: Brad Spengler +Date: Thu Mar 28 20:46:13 2013 -0400 + + Update to pax-linux-3.8.4-test13.patch: + - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) + - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland + + Makefile | 5 +++- + arch/x86/include/asm/compat.h | 2 +- + arch/x86/mm/fault.c | 3 +- + fs/binfmt_elf.c | 2 +- + include/linux/compiler.h | 42 ++++++++++++++-------------------------- + security/Kconfig | 16 +++++++++++++++ + tools/gcc/Makefile | 2 + + tools/gcc/constify_plugin.c | 7 +++++- + 8 files changed, 47 insertions(+), 32 deletions(-) + +commit d8503a3a35d68b9ba1615d29335aef3f70d51465 +Author: Brad Spengler +Date: Thu Mar 28 20:02:40 2013 -0400 + + Fix 8-byte stack infoleak in ia32_rt_sigpending + User controls length, kernel only performs check on the upper bound, will + fill in any amount less than sizeof(sigset_t) via a copy_to_user under + KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t + regardless of whether the sigset_t content copied into it has been initialized + or not + + arch/x86/ia32/sys_ia32.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b +Author: Brad Spengler +Date: Tue Mar 26 21:05:05 2013 -0400 + + commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 + Author: J. Bruce Fields + Date: Tue Mar 26 14:11:13 2013 -0400 + + nfsd4: reject "negative" acl lengths + + Since we only enforce an upper bound, not a lower bound, a "negative" + length can get through here. + + The symptom seen was a warning when we attempt to a kmalloc with an + excessive size. + + Reported-by: Toralf Förster + Signed-off-by: J. Bruce Fields + + fs/nfsd/nfs4xdr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 +Author: Jeff Layton +Date: Mon Mar 11 09:52:19 2013 -0400 + + Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 + + cifs: ignore everything in SPNEGO blob after mechTypes + + We've had several reports of people attempting to mount Windows 8 shares + and getting failures with a return code of -EINVAL. The default sec= + mode changed recently to sec=ntlmssp. With that, we expect and parse a + SPNEGO blob from the server in the NEGOTIATE reply. + + The current decode_negTokenInit function first parses all of the + mechTypes and then tries to parse the rest of the negTokenInit reply. + The parser however currently expects a mechListMIC or nothing to follow the + mechTypes, but Windows 8 puts a mechToken field there instead to carry + some info for the new NegoEx stuff. + + In practice, we don't do anything with the fields after the mechTypes + anyway so I don't see any real benefit in continuing to parse them. + This patch just has the kernel ignore the fields after the mechTypes. + We'll probably need to reinstate some of this if we ever want to support + NegoEx. + + Reported-by: Jason Burgess + Reported-by: Yan Li + Signed-off-by: Jeff Layton + Cc: + Signed-off-by: Steve French + + fs/cifs/asn1.c | 53 +++++------------------------------------------------ + 1 files changed, 5 insertions(+), 48 deletions(-) + +commit 0b1c6223105a05d5a84e39a5e951868e37610e1c +Merge: 93ff726 0deb54c +Author: Brad Spengler +Date: Mon Mar 25 18:35:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 +Author: Brad Spengler +Date: Mon Mar 25 18:35:05 2013 -0400 + + fix typo + + arch/x86/mm/ioremap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 +Merge: be9f8b8 f95e53a +Author: Brad Spengler +Date: Mon Mar 25 18:30:06 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f95e53abadb6e4665866e4502ff9f518514193e1 +Author: Brad Spengler +Date: Mon Mar 25 18:29:25 2013 -0400 + + Update to pax-linux-3.8.4-test12.patch: + + - fixed perf compilation reported by Michael Tremer + - fixed USERCOPY reports triggered by SCTP, reported by mcp + - last fix for aslr gap accounting, promise (thanks to spender) + + arch/x86/mm/ioremap.c | 3 +++ + fs/binfmt_elf.c | 5 ++--- + mm/mmap.c | 2 +- + net/sctp/socket.c | 19 +++++++++++++++---- + tools/perf/util/include/linux/compiler.h | 8 ++++++++ + 5 files changed, 29 insertions(+), 8 deletions(-) + +commit be9f8b82b0d8a21d7515fb6e44a907623381c5df +Author: Brad Spengler +Date: Mon Mar 25 16:48:34 2013 -0400 + + From: Al Viro + To: Brad Spengler + Cc: Linus Torvalds + + Umm... I see what you are describing, and AFAICS you are correct; let me + see if I am misreading your analysis: + * vfsmount_lock may act fair; A holding it shared, with B spinning + on attempt to take it exclusive may lead to C spinning on attempt to take + it shared. + * path_is_under() tries get rename_lock while holding vfsmount_lock + shared. + * d_path() et.al. try to take vfsmount_lock shared, while holding + rename_lock. + + All true and yes, it's a bug (I'd probably classify it as a livelock, but + that doesn't make any real difference). There are three possible solutions, + AFAICS: + 1) two-liner in path_is_under() replacing the use of vfsmount_lock + with that of namespace_sem; trivial, but results in function unexpectedly + blocking. The current callers are fine with that, but it's a trouble + waiting to happen. + 2) replace write_seqlock() in prepend_path() callers with + read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike + is_subdir() we need more than just ->d_parent not pointing to something + freed - we also care about ->d_name.len being in sync with ->d_name.name. + It probably can be worked around, but... + + 3) declare that rename_lock nests inside vfsmount_lock and let + the callers of prepend_path() take vfsmount_lock(). I'd probably prefer + that one... + + Nest rename_lock inside vfsmount_lock + + ... lest we get livelocks between path_is_under() and d_path() and friends. + + [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing + the issue ] + + Spotted-by: Brad Spengler + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/dcache.c | 16 +++++++++++----- + grsecurity/gracl.c | 20 ++++++++++---------- + 2 files changed, 21 insertions(+), 15 deletions(-) + +commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee +Author: Linus Torvalds +Date: Fri Mar 22 11:44:04 2013 -0700 + + Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 + + vfs,proc: guarantee unique inodes in /proc + + Dave Jones found another /proc issue with his Trinity tool: thanks to + the namespace model, we can have multiple /proc dentries that point to + the same inode, aliasing directories in /proc//net/ for example. + + This ends up being a total disaster, because it acts like hardlinked + directories, and causes locking problems. We rely on the topological + sort of the inodes pointed to by dentries, and if we have aliased + directories, that odering becomes unreliable. + + In short: don't do this. Multiple dentries with the same (directory) + inode is just a bad idea, and the namespace code should never have + exposed things this way. But we're kind of stuck with it. + + This solves things by just always allocating a new inode during /proc + dentry lookup, instead of using "iget_locked()" to look up existing + inodes by superblock and number. That actually simplies the code a bit, + at the cost of potentially doing more inode [de]allocations. + + That said, the inode lookup wasn't free either (and did a lot of locking + of inodes), so it is probably not that noticeable. We could easily keep + the old lookup model for non-directory entries, but rather than try to + be excessively clever this just implements the minimal and simplest + workaround for the problem. + + Reported-and-tested-by: Dave Jones + Analyzed-by: Al Viro + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/inode.c + + fs/proc/inode.c | 9 +++------ + 1 files changed, 3 insertions(+), 6 deletions(-) + +commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb +Author: Vladimir Davydov +Date: Fri Mar 22 15:04:51 2013 -0700 + + Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 + + mqueue: sys_mq_open: do not call mnt_drop_write() if read-only + + mnt_drop_write() must be called only if mnt_want_write() succeeded, + otherwise the mnt_writers counter will diverge. + + mnt_writers counters are used to check if remounting FS as read-only is + OK, so after an extra mnt_drop_write() call, it would be impossible to + remount mqueue FS as read-only. Besides, on umount a warning would be + printed like this one: + + ===================================== + [ BUG: bad unlock balance detected! ] + 3.9.0-rc3 #5 Not tainted + ------------------------------------- + a.out/12486 is trying to release lock (sb_writers) at: + mnt_drop_write+0x1f/0x30 + but there are no more locks to release! + + Signed-off-by: Vladimir Davydov + Cc: Doug Ledford + Cc: KOSAKI Motohiro + Cc: "Eric W. Biederman" + Cc: Al Viro + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/mqueue.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e +Author: Brad Spengler +Date: Sat Mar 23 13:02:32 2013 -0400 + + Don't use constify plugin if not enabled in config, + reported by Alexey Vlasov + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3afb82e020593249ac394e9859397c3e0ef5341c +Author: Brad Spengler +Date: Sat Mar 23 12:50:13 2013 -0400 + + oded 0day #2 + http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf + slide 20 + + drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 +Author: Brad Spengler +Date: Sat Mar 23 12:15:50 2013 -0400 + + oded 0day #1 + http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf + slide 18 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 +Author: Brad Spengler +Date: Sat Mar 23 12:13:12 2013 -0400 + + remove warning on accessing this /proc entry, HIDESYM already caught the infoleak + + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 44cb11a9470f72157601d0ad4d572d111f90f504 +Author: Brad Spengler +Date: Fri Mar 22 18:11:42 2013 -0400 + + use VM_DONTDUMP + + fs/binfmt_elf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb +Author: Brad Spengler +Date: Fri Mar 22 17:53:09 2013 -0400 + + fix recent RLIMIT_AS changes (due to vm_flags typo) + + Conflicts: + + fs/binfmt_elf.c + + fs/binfmt_elf.c | 2 +- + mm/mmap.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit fd5f0d92b0fbec02029dad124501a9c80e527a32 +Author: Brad Spengler +Date: Fri Mar 22 17:08:48 2013 -0400 + + complete_walk drops rcu-walk mode, no need for our own dropping + method outside of generic_permission + + fs/namei.c | 30 ------------------------------ + 1 files changed, 0 insertions(+), 30 deletions(-) + +commit b49ab1c73edb6442eec609b26bba4d850b3111b6 +Merge: 5e9a707 783ade9 +Author: Brad Spengler +Date: Thu Mar 21 21:56:28 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 +Author: Brad Spengler +Date: Thu Mar 21 21:55:31 2013 -0400 + + Update to pax-linux-3.8.3-test11.patch: + - rewrote the ASLR gap accounting code once again + - fixed ptrace compat bug found by the size overflow plugin + + fs/binfmt_elf.c | 25 ++++++++++++------------- + fs/exec.c | 7 ++----- + include/linux/compat.h | 2 +- + include/linux/mm.h | 5 +++++ + include/linux/mm_types.h | 2 +- + kernel/ptrace.c | 2 +- + mm/mmap.c | 15 ++++++++++----- + 7 files changed, 32 insertions(+), 26 deletions(-) + +commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a +Author: Brad Spengler +Date: Thu Mar 21 19:37:33 2013 -0400 + + Make the constify plugin usage actually depend on the introduced config option + (it was still forced on) + + tools/gcc/Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1974b4f58d9d729c80ac1987785446115304a54c +Author: Brad Spengler +Date: Thu Mar 21 16:12:38 2013 -0400 + + fix failed merge + + arch/arm/mm/fault.c | 15 +++------------ + 1 files changed, 3 insertions(+), 12 deletions(-) + +commit 675a8ab4a8fe8315df348735a37a302a7535224c +Author: Brad Spengler +Date: Wed Mar 20 23:36:14 2013 -0400 + + From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 + From: Kees Cook + Date: Sun, 10 Mar 2013 20:09:31 +0000 + Subject: drm/i915: bounds check execbuffer relocation count + + It is possible to wrap the counter used to allocate the buffer for + relocation copies. This could lead to heap writing overflows. + + CVE-2013-0913 + + Signed-off-by: Kees Cook + Reported-by: Pinkie Pie + Cc: stable@vger.kernel.org + + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 +Author: Andy Honig +Date: Wed Feb 20 14:48:10 2013 -0800 + + Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 + + KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) + + There is a potential use after free issue with the handling of + MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable + memory such as frame buffers then KVM might continue to write to that + address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins + the page in memory so it's unlikely to cause an issue, but if the user + space component re-purposes the memory previously used for the guest, then + the guest will be able to corrupt that memory. + + Tested: Tested against kvmclock unit test + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + arch/x86/include/asm/kvm_host.h | 4 +- + arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- + 2 files changed, 22 insertions(+), 29 deletions(-) + +commit 0bcac31b57c381001feb69fd6ec8069e61e03432 +Author: Andy Honig +Date: Mon Mar 11 09:34:52 2013 -0700 + + Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 + + KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) + + If the guest sets the GPA of the time_page so that the request to update the + time straddles a page then KVM will write onto an incorrect page. The + write is done byusing kmap atomic to get a pointer to the page for the time + structure and then performing a memcpy to that page starting at an offset + that the guest controls. Well behaved guests always provide a 32-byte aligned + address, however a malicious guest could use this to corrupt host kernel + memory. + + Tested: Tested against kvmclock unit test. + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + arch/x86/kvm/x86.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 695c59887e4ec10b0b695ab4f645d1226c433be0 +Author: Andy Honig +Date: Wed Feb 20 14:49:16 2013 -0800 + + Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 + + KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) + + If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows + that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate + that request. ioapic_read_indirect contains an + ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in + non-debug builds. In recent kernels this allows a guest to cause a kernel + oops by reading invalid memory. In older kernels (pre-3.3) this allows a + guest to read from large ranges of host memory. + + Tested: tested against apic unit tests. + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + virt/kvm/ioapic.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e +Merge: aec3cd4 c522e3a +Author: Brad Spengler +Date: Wed Mar 20 19:38:25 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 +Merge: c57d855 405acc3 +Author: Brad Spengler +Date: Wed Mar 20 19:38:11 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 +Author: Brad Spengler +Date: Tue Mar 19 19:56:04 2013 -0400 + + include linux/compiler.h + + include/linux/zlib.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e +Author: Brad Spengler +Date: Tue Mar 19 18:42:20 2013 -0400 + + fix missing sock_release() + + net/irda/af_irda.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit dd65c05cd24faf8946d4941434a553ee285c35a3 +Author: Brad Spengler +Date: Tue Mar 19 18:36:17 2013 -0400 + + fix mpt fusion infoleak + + drivers/message/fusion/mptbase.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit e297b4f150b769efdc4c547d3caf1e3c0f24735f +Author: Brad Spengler +Date: Tue Mar 19 18:33:45 2013 -0400 + + Fix size_overflow false positive reported by slashbeast + + include/linux/zlib.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be +Author: Brad Spengler +Date: Tue Mar 19 17:35:36 2013 -0400 + + fix up failed merge + + arch/arm/mm/fault.c | 9 ++------- + 1 files changed, 2 insertions(+), 7 deletions(-) + +commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd +Author: Brad Spengler +Date: Tue Mar 19 17:34:36 2013 -0400 + + update documentation on consequences of building without gcc plugin support + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 +Author: Brad Spengler +Date: Tue Mar 19 17:18:13 2013 -0400 + + fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums + + init/main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit f00195c633f91cfbd8c1f530d2c371b713026e20 +Author: Brad Spengler +Date: Mon Mar 18 22:27:33 2013 -0400 + + Fix compile error reported by KDE on the forums + + kernel/user_namespace.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 +Merge: 0949569 c57d855 +Author: Brad Spengler +Date: Mon Mar 18 22:20:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + arch/x86/mm/fault.c + fs/exec.c + +commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 +Author: Brad Spengler +Date: Mon Mar 18 21:22:03 2013 -0400 + + Update to pax-linux-3.8.2-test9.patch: + arm changes from spender + - removed userland access to the vectors page + - removed obsolete sigreturn trampoline handling + - added emulation for __kuser_get_tls + - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) + - fixed recent sysfs/power_supply attr breakage reported by Steven Allen + - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) + - changed debian packager rules to include the compiler plugins, from Tyler Coumbes + - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) + - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values + and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. + + arch/arm/kernel/process.c | 5 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/traps.c | 7 - + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 23 +- + arch/arm/mm/mmu.c | 2 +- + arch/x86/include/asm/bitops.h | 2 +- + arch/x86/include/asm/desc.h | 2 +- + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/io.h | 8 +- + arch/x86/include/asm/paravirt.h | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- + arch/x86/kernel/setup_percpu.c | 2 +- + arch/x86/mm/fault.c | 4 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/physaddr.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/lguest/page_tables.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/power/power_supply_core.c | 1 + + drivers/usb/core/message.c | 2 +- + fs/befs/endian.h | 4 +- + fs/binfmt_elf.c | 5 +- + fs/exec.c | 4 +- + fs/qnx6/qnx6.h | 4 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/ufs/swab.h | 4 +- + include/linux/compat.h | 4 +- + include/linux/completion.h | 6 +- + include/linux/cpumask.h | 12 +- + include/linux/ctype.h | 2 +- + include/linux/err.h | 4 +- + include/linux/math64.h | 6 +- + include/linux/sched.h | 2 +- + include/linux/unaligned/access_ok.h | 12 +- + include/linux/usb.h | 2 +- + include/uapi/linux/byteorder/little_endian.h | 4 +- + include/uapi/linux/swab.h | 6 +- + kernel/sched/core.c | 6 +- + kernel/signal.c | 3 + + kernel/time.c | 2 +- + kernel/timer.c | 2 +- + lib/div64.c | 4 +- + mm/page-writeback.c | 2 +- + net/socket.c | 2 + + scripts/package/builddeb | 1 + + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- + tools/gcc/size_overflow_plugin.c | 1072 ++-- + 53 files changed, 6227 insertions(+), 3951 deletions(-) + +commit 09495691bb31f11ec14d9127429f9a0f3f716f22 +Author: Brad Spengler +Date: Sun Mar 17 20:51:50 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit deb85b00d0f9f886e264e116313f298401ec5c59 +Author: Brad Spengler +Date: Sun Mar 17 20:03:33 2013 -0400 + + Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task + with a subject applied to it with RES_CPU. Otherwise, the limit will only + begin to be applied at fork time. + + Thanks to Bjornar Ness for the report. + + grsecurity/gracl.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 2126421f123513f604ceef2b23ba9ed516de7e58 +Author: Brad Spengler +Date: Sat Mar 16 22:07:43 2013 -0400 + + Move inode auditing prior to our refcnt dropping + + fs/namei.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 +Author: Brad Spengler +Date: Sat Mar 16 22:00:30 2013 -0400 + + Drop reference on completed path walked in RCU mode or when violating + the chroot fchdir check inside a chroot -- possible culprit for a reported + vfsmount_lock hang during unmount + + fs/namei.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 +Author: Brad Spengler +Date: Sat Mar 16 16:43:45 2013 -0400 + + add user_arg_ptr back to exec.c + + fs/exec.c | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 +Author: Brad Spengler +Date: Sat Mar 16 11:22:36 2013 -0400 + + Don't globally include compat.h -- with the new X32 support it + changes some definitions involving ELF binaries resulting in invalid + coredumps, as reported by KDE on the forums: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 + Thanks to the PaX Team for debugging + + fs/exec.c | 3 +++ + grsecurity/grsec_exec.c | 13 +++++++++++++ + include/linux/grsecurity.h | 15 --------------- + 3 files changed, 16 insertions(+), 15 deletions(-) + +commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a +Author: Brad Spengler +Date: Thu Mar 14 20:59:26 2013 -0400 + + Add peer information to /proc/net/unix from Kenan Kalajdzic: + http://marc.info/?l=linux-netdev&m=126745636809191&w=2 + + We use a "P" prefix to the inode number instead of "peer=". This + additional information can be used, for instance, to find what processes + are connected to MySQL's unix domain socket. + + net/unix/af_unix.c | 12 +++++++++--- + 1 files changed, 9 insertions(+), 3 deletions(-) + +commit 1cd623d11a462d151ea8a5cace4521e1724911a3 +Author: Oliver Neukum +Date: Tue Mar 12 14:52:42 2013 +0100 + + Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa + + USB: cdc-wdm: fix buffer overflow + + The buffer for responses must not overflow. + If this would happen, set a flag, drop the data and return + an error after user space has read all remaining data. + + Signed-off-by: Oliver Neukum + CC: stable@kernel.org + Signed-off-by: Greg Kroah-Hartman + + drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- + 1 files changed, 20 insertions(+), 3 deletions(-) + +commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc +Merge: 9cdf9bc db4cb92 +Author: Brad Spengler +Date: Thu Mar 14 20:23:14 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/keys/compat.c + +commit db4cb924546e3fec3a59f78d056f48176eaf7100 +Author: Brad Spengler +Date: Thu Mar 14 20:22:24 2013 -0400 + + Update to pax-linux-3.8.2-test8.patch + + arch/arm/include/asm/cache.h | 2 ++ + arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- + arch/arm/mach-omap2/omap_device.c | 4 ++-- + arch/arm/mach-omap2/omap_device.h | 4 ++-- + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- + 5 files changed, 19 insertions(+), 15 deletions(-) + +commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae +Merge: 3c865f9 1a45c31 +Author: Brad Spengler +Date: Thu Mar 14 20:20:54 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/arm/include/asm/delay.h + arch/arm/include/asm/pgtable.h + arch/arm/lib/delay.c + security/keys/compat.c + +commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 +Author: Al Viro +Date: Tue Mar 12 02:59:49 2013 +0000 + + Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 + + vfs: fix pipe counter breakage + + If you open a pipe for neither read nor write, the pipe code will not + add any usage counters to the pipe, causing the 'struct pipe_inode_info" + to be potentially released early. + + That doesn't normally matter, since you cannot actually use the pipe, + but the pipe release code - particularly fasync handling - still expects + the actual pipe infrastructure to all be there. And rather than adding + NULL pointer checks, let's just disallow this case, the same way we + already do for the named pipe ("fifo") case. + + This is ancient going back to pre-2.4 days, and until trinity, nobody + naver noticed. + + Reported-by: Dave Jones + Signed-off-by: Linus Torvalds + + fs/pipe.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 +Author: Mathieu Desnoyers +Date: Mon Feb 25 10:20:36 2013 -0500 + + Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 + + Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys + + Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to + compat_process_vm_rw() shows that the compatibility code requires an + explicit "access_ok()" check before calling + compat_rw_copy_check_uvector(). The same difference seems to appear when + we compare fs/read_write.c:do_readv_writev() to + fs/compat.c:compat_do_readv_writev(). + + This subtle difference between the compat and non-compat requirements + should probably be debated, as it seems to be error-prone. In fact, + there are two others sites that use this function in the Linux kernel, + and they both seem to get it wrong: + + Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() + also ends up calling compat_rw_copy_check_uvector() through + aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to + be missing. Same situation for + security/keys/compat.c:compat_keyctl_instantiate_key_iov(). + + I propose that we add the access_ok() check directly into + compat_rw_copy_check_uvector(), so callers don't have to worry about it, + and it therefore makes the compat call code similar to its non-compat + counterpart. Place the access_ok() check in the same location where + copy_from_user() can trigger a -EFAULT error in the non-compat code, so + the ABI behaviors are alike on both compat and non-compat. + + While we are here, fix compat_do_readv_writev() so it checks for + compat_rw_copy_check_uvector() negative return values. + + And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error + handling. + + Acked-by: Linus Torvalds + Acked-by: Al Viro + Signed-off-by: Mathieu Desnoyers + Signed-off-by: Linus Torvalds + + Conflicts: + + security/keys/compat.c + + fs/compat.c | 15 +++++++-------- + mm/process_vm_access.c | 8 -------- + security/keys/compat.c | 3 ++- + 3 files changed, 9 insertions(+), 17 deletions(-) + +commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 +Author: Brad Spengler +Date: Mon Mar 11 18:38:38 2013 -0400 + + Fix leak of signal handler addresses across execve, found by Emese Revfy + + kernel/signal.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 79b130c4b11c7940daf2b33d653a17666331c634 +Merge: 6480ce9 3c865f9 +Author: Brad Spengler +Date: Sun Mar 10 20:04:03 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d +Author: Brad Spengler +Date: Sun Mar 10 20:03:12 2013 -0400 + + Update to pax-linux-3.8.2-test7.patch: + - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) + - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) + + fs/binfmt_elf.c | 3 ++- + fs/exec.c | 3 +++ + include/linux/mm_types.h | 2 +- + init/main.c | 4 ++-- + mm/mmap.c | 2 +- + mm/page_alloc.c | 4 ++-- + tools/gcc/latent_entropy_plugin.c | 11 +++++++---- + 7 files changed, 18 insertions(+), 11 deletions(-) + +commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 +Merge: 4a5305e 25b3569 +Author: Brad Spengler +Date: Sun Mar 10 10:41:16 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 25b356980568bed9958315bb5a551fdc610055ed +Author: Brad Spengler +Date: Sun Mar 10 10:40:48 2013 -0400 + + Update to pax-linux-3.8.2-test6.patch: + - fixed a KERNEXEC false positive on arm reported by Gu1 + - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) + - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) + - added fix from spender for some namespace breakage reported by zakalwe + - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot + + Documentation/kernel-parameters.txt | 5 +++++ + arch/arm/kernel/patch.c | 2 ++ + arch/x86/kernel/sys_i386_32.c | 5 +++-- + drivers/acpi/blacklist.c | 2 +- + drivers/video/aty/mach64_cursor.c | 1 + + init/main.c | 4 ---- + mm/page_alloc.c | 27 +++++++++++++++++++++++++++ + net/ipv4/ip_fragment.c | 2 +- + security/Kconfig | 5 +++++ + tools/gcc/latent_entropy_plugin.c | 7 +++++-- + 10 files changed, 50 insertions(+), 10 deletions(-) + +commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f +Author: Brad Spengler +Date: Sat Mar 9 11:19:06 2013 -0500 + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause , + Stephen Hemminger + Subject: [PATCH 1/3] bridge: fix mdb info leaks + Date: Sat, 9 Mar 2013 16:52:19 +0100 + + The bridging code discloses heap and stack bytes via the RTM_GETMDB + netlink interface and via the notify messages send to group RTNLGRP_MDB + afer a successful add/del. + + Fix both cases by initializing all unset members/padding bytes with + memset(0). + + Cc: Stephen Hemminger + Signed-off-by: Mathias Krause + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause + Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices + Date: Sat, 9 Mar 2013 16:52:20 +0100 + + Initialize the mac address buffer with 0 as the driver specific function + will probably not fill the whole buffer. In fact, all in-kernel drivers + fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible + bytes. Therefore we currently leak 26 bytes of stack memory to userland + via the netlink interface. + + Signed-off-by: Mathias Krause + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause + Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks + Date: Sat, 9 Mar 2013 16:52:21 +0100 + + The dcb netlink interface leaks stack memory in various places: + * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but + copied completely, + * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, + so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes + for ieee_pfc structs, etc., + * the same is true for CEE -- no in-kernel driver fills the whole + struct, + + Prevent all of the above stack info leaks by properly initializing the + buffers/structures involved. + + Signed-off-by: Mathias Krause + + net/bridge/br_mdb.c | 4 ++++ + net/core/rtnetlink.c | 1 + + net/dcb/dcbnl.c | 8 ++++++++ + 3 files changed, 13 insertions(+), 0 deletions(-) + +commit 601dd446f896e3a362f706943df18a68d50420a1 +Author: Brad Spengler +Date: Sat Mar 9 09:35:25 2013 -0500 + + add open/close wrappers in __patch_text() as reported by Gu1 on IRC + + arch/arm/kernel/patch.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ae39966fd85a493e9079b357e3faa62245a41222 +Author: Peter Hurley +Date: Fri Mar 8 12:43:27 2013 -0800 + + Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 + + ipc: don't allocate a copy larger than max + + When MSG_COPY is set, a duplicate message must be allocated for the copy + before locking the queue. However, the copy could not be larger than was + sent which is limited to msg_ctlmax. + + Signed-off-by: Peter Hurley + Acked-by: Stanislav Kinsbursky + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/msg.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 61240e99650ea3e540a03a3e994349c5086f166b +Author: Peter Hurley +Date: Fri Mar 8 12:43:26 2013 -0800 + + Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 + + ipc: fix potential oops when src msg > 4k w/ MSG_COPY + + If the src msg is > 4k, then dest->next points to the + next allocated segment; resetting it just prior to dereferencing + is bad. + + Signed-off-by: Peter Hurley + Acked-by: Stanislav Kinsbursky + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/msgutil.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 51727f602a267f34fb2e0dc9557f1714028d51a2 +Author: Brad Spengler +Date: Fri Mar 8 22:14:06 2013 -0500 + + add missing 'else' in recent constify fixups + + net/ipv4/ip_fragment.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a38c1a640729b3d8e584d1ab98e908c221bc12cf +Merge: 1580bb3 47c3f47 +Author: Brad Spengler +Date: Fri Mar 8 18:18:37 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe +Author: Brad Spengler +Date: Fri Mar 8 18:17:22 2013 -0500 + + Update to pax-linux-3.8.2-test5.patch: + - fixed some fallout after the last round of constification changes, reported by several people + + arch/arm/common/gic.c | 4 ++-- + arch/arm/include/asm/hardware/gic.h | 3 ++- + arch/x86/include/asm/nmi.h | 2 +- + arch/x86/kernel/nmi.c | 2 +- + arch/x86/pci/irq.c | 2 +- + drivers/base/power/domain.c | 4 ++-- + drivers/cpufreq/cpufreq_governor.c | 4 ++-- + drivers/mfd/twl4030-irq.c | 1 + + drivers/video/vesafb.c | 7 +++++-- + include/linux/irq.h | 1 + + include/linux/pm_domain.h | 2 +- + kernel/sched/core.c | 4 ++++ + lib/Kconfig.debug | 4 ++-- + net/core/sysctl_net_core.c | 2 +- + net/decnet/af_decnet.c | 1 + + net/ipv4/devinet.c | 2 +- + net/ipv4/ip_fragment.c | 2 +- + net/ipv4/route.c | 2 +- + net/ipv4/sysctl_net_ipv4.c | 2 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- + net/ipv6/reassembly.c | 2 +- + scripts/sortextable.h | 6 +++--- + 22 files changed, 36 insertions(+), 25 deletions(-) + +commit 1580bb38b4db0bf2a46316599815e8b234edad81 +Author: Brad Spengler +Date: Thu Mar 7 22:02:59 2013 -0500 + + add an additional open/close wrapper + + kernel/sched/core.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 21622672d28d58e0d93a805cd1f9650a894a752a +Author: Brad Spengler +Date: Thu Mar 7 21:58:24 2013 -0500 + + fix oops at shutdown with new constify code + + kernel/sched/core.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec +Author: Brad Spengler +Date: Thu Mar 7 21:18:44 2013 -0500 + + Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally + it currently conflicts with some lock debugging options, so made as an + option to allow for debugging when necessary + + Makefile | 2 -- + lib/Kconfig.debug | 6 +++--- + security/Kconfig | 18 ++++++++++++++++++ + 3 files changed, 21 insertions(+), 5 deletions(-) + +commit 0885b00b8373a1597b69c38032a0c9eee279303b +Author: Brad Spengler +Date: Thu Mar 7 20:55:19 2013 -0500 + + disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify + + lib/Kconfig.debug | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c8a2617165e7127a54f293cbf57d22d50dd83abd +Author: Brad Spengler +Date: Thu Mar 7 20:30:41 2013 -0500 + + Fix error: + drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object + with cast and proper kernexec accessors + + drivers/video/vesafb.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 +Author: Brad Spengler +Date: Thu Mar 7 20:20:28 2013 -0500 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 +Author: Brad Spengler +Date: Thu Mar 7 20:12:17 2013 -0500 + + fix compilation error -- no reason for task_pid_nr to not take a const task ptr + + include/linux/sched.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f +Author: Kees Cook +Date: Mon Feb 25 21:32:25 2013 +0000 + + Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 + + proc connector: reject unprivileged listener bumps + + While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible + for an unprivileged user to turn off notifications for all listeners by + sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as + required for a multicast bind. + + Signed-off-by: Kees Cook + Cc: Evgeniy Polyakov + Cc: Matt Helsley + Cc: stable@vger.kernel.org + Acked-by: Evgeniy Polyakov + Acked-by: Matt Helsley + Signed-off-by: David S. Miller + + drivers/connector/cn_proc.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit ac6014ded57101e3e608941555ff507e20c1ece3 +Author: Dan Carpenter +Date: Tue Feb 26 19:15:02 2013 +0000 + + Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a + + irda: small read beyond end of array in debug code + + charset comes from skb->data. It's a number in the 0-255 range. + If we have debugging turned on then this could cause a read beyond + the end of the array. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/irda/iriap.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe +Author: Guenter Roeck +Date: Wed Feb 27 10:57:31 2013 +0000 + + Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 + + net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS + + Building sctp may fail with: + + In function ‘copy_from_user’, + inlined from ‘sctp_getsockopt_assoc_stats’ at + net/sctp/socket.c:5656:20: + arch/x86/include/asm/uaccess_32.h:211:26: error: call to + ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() + buffer size is not provably correct + + if built with W=1 due to a missing parameter size validation + before the call to copy_from_user. + + Signed-off-by: Guenter Roeck + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/socket.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c +Author: Guillaume Nault +Date: Fri Mar 1 05:02:02 2013 +0000 + + Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a + + l2tp: Restore socket refcount when sendmsg succeeds + + The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket + reference counter after successful transmissions. Any successful + sendmsg() call from userspace will then increase the reference counter + forever, thus preventing the kernel's session and tunnel data from + being freed later on. + + The problem only happens when writing directly on L2TP sockets. + PPP sockets attached to L2TP are unaffected as the PPP subsystem + uses pppol2tp_xmit() which symmetrically increase/decrease reference + counters. + + This patch adds the missing call to sock_put() before returning from + pppol2tp_sendmsg(). + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 98a9a5f981f5deda4059a255c1196886f2f27e2f +Author: Cong Wang +Date: Sun Mar 3 16:18:11 2013 +0000 + + Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 + + rds: limit the size allocated by rds_message_alloc() + + Dave Jones reported the following bug: + + "When fed mangled socket data, rds will trust what userspace gives it, + and tries to allocate enormous amounts of memory larger than what + kmalloc can satisfy." + + WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() + Hardware name: GA-MA78GM-S2H + Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s + Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 + Call Trace: + [] warn_slowpath_common+0x75/0xa0 + [] warn_slowpath_null+0x1a/0x20 + [] __alloc_pages_nodemask+0xa0d/0xbe0 + [] ? native_sched_clock+0x26/0x90 + [] ? trace_hardirqs_off_caller+0x28/0xc0 + [] ? trace_hardirqs_off+0xd/0x10 + [] alloc_pages_current+0xb8/0x180 + [] __get_free_pages+0x2a/0x80 + [] kmalloc_order_trace+0x3e/0x1a0 + [] __kmalloc+0x2f5/0x3a0 + [] ? local_bh_enable_ip+0x7c/0xf0 + [] rds_message_alloc+0x23/0xb0 [rds] + [] rds_sendmsg+0x2b1/0x990 [rds] + [] ? trace_hardirqs_off+0xd/0x10 + [] sock_sendmsg+0xb0/0xe0 + [] ? get_lock_stats+0x22/0x70 + [] ? put_lock_stats.isra.23+0xe/0x40 + [] sys_sendto+0x130/0x180 + [] ? trace_hardirqs_on+0xd/0x10 + [] ? _raw_spin_unlock_irq+0x3b/0x60 + [] ? sysret_check+0x1b/0x56 + [] ? trace_hardirqs_on_caller+0x115/0x1a0 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x16/0x1b + ---[ end trace eed6ae990d018c8b ]--- + + Reported-by: Dave Jones + Cc: Dave Jones + Cc: David S. Miller + Cc: Venkat Venkatsubra + Signed-off-by: Cong Wang + Acked-by: Venkat Venkatsubra + Signed-off-by: David S. Miller + + net/rds/message.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 +Author: Cong Wang +Date: Sun Mar 3 16:28:27 2013 +0000 + + Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e + + sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE + + Don't definite its own MAX_KMALLOC_SIZE, use the one + defined in mm. + + Cc: Vlad Yasevich + Cc: Sridhar Samudrala + Cc: Neil Horman + Cc: David S. Miller + Signed-off-by: Cong Wang + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + net/sctp/ssnmap.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit 4295a024e812f903fc580c81de5e81cc149503fa +Author: Brad Spengler +Date: Thu Mar 7 17:57:49 2013 -0500 + + Upstream commit: https://lkml.org/lkml/2013/3/6/535 + + security/keys/process_keys.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 33edd486a9899a145a15586d7134636b0300aaee +Merge: 4eeeaf3 a2a2094 +Author: Brad Spengler +Date: Thu Mar 7 17:53:00 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/include/asm/domain.h + +commit a2a20947f5e1332e474160a39af520738b3c8c19 +Author: Brad Spengler +Date: Thu Mar 7 17:51:04 2013 -0500 + + Update to pax-linux-3.8.2-test4.patch: + fixed arm compilation problems reported by Michael Tremer + - the constify plugin got smarter that enabled, with some additional patching, + the elimination of about half the static function pointers on amd64/allmod + (up from about 18%), depending on the kernel config it can be even more (70%) + + Documentation/dontdiff | 2 + + arch/arm/include/asm/domain.h | 1 + + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/nmi.h | 4 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 2 +- + arch/x86/kernel/apic/io_apic.c | 10 +- + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- + arch/x86/kernel/cpu/perf_event.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/i8259.c | 6 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/nmi.c | 6 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/irq.c | 6 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 2 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/base/bus.c | 4 +- + drivers/base/node.c | 2 +- + drivers/base/syscore.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 4 +- + drivers/char/random.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 ++- + drivers/cpufreq/cpufreq.c | 7 +- + drivers/cpufreq/cpufreq_governor.c | 4 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 2 +- + drivers/edac/edac_pci_sysfs.c | 2 +- + drivers/firewire/core-device.c | 2 +- + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpu/drm/drm_drv.c | 2 +- + drivers/gpu/drm/drm_ioc32.c | 9 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/intel_display.c | 26 ++- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/iommu/iommu.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- + drivers/mfd/twl4030-irq.c | 8 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/macvlan.c | 16 +- + drivers/net/vxlan.c | 2 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 6 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa.h | 2 +- + drivers/staging/iio/iio_hwmon.c | 2 +- + drivers/usb/storage/usb.h | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 4 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 ++- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 4 +- + drivers/video/uvesafb.c | 14 +- + fs/exec.c | 6 +- + fs/ext4/super.c | 2 +- + fs/jfs/super.c | 4 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/proc/proc_sysctl.c | 18 +- + include/drm/drmP.h | 12 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 2 +- + include/linux/binfmts.h | 2 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fscache.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/hwmon-sysfs.h | 5 +- + include/linux/iommu.h | 2 +- + include/linux/irq.h | 2 +- + include/linux/key-type.h | 2 +- + include/linux/kobject.h | 1 + + include/linux/kobject_ns.h | 2 +- + include/linux/list.h | 14 +- + include/linux/mod_devicetable.h | 2 +- + include/linux/module.h | 5 +- + include/linux/net.h | 2 +- + include/linux/netfilter.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/platform_data/usb-exynos.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/rculist.h | 16 ++ + include/linux/sched.h | 2 +- + include/linux/sock_diag.h | 2 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 1 + + include/linux/xattr.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/ip.h | 2 +- + include/net/ip_vs.h | 4 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/net_namespace.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/xfrm.h | 4 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + kernel/kmod.c | 2 +- + kernel/ksysfs.c | 2 +- + kernel/module.c | 4 +- + kernel/pid_namespace.c | 2 +- + kernel/rcutree_plugin.h | 2 +- + kernel/sched/core.c | 39 ++-- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 2 +- + kernel/sysctl.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + lib/Kconfig.debug | 2 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 57 ++++- + lib/swiotlb.c | 2 +- + mm/hugetlb.c | 16 +- + mm/memory-failure.c | 2 +- + mm/slab_common.c | 2 +- + net/9p/mod.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 11 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 15 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 12 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/ip_fragment.c | 9 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/route.c | 14 +- + net/ipv4/sysctl_net_ipv4.c | 43 ++-- + net/ipv6/addrconf.c | 4 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 6 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- + net/ipv6/reassembly.c | 11 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_ctl.c | 4 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/phonet/sysctl.c | 2 +- + net/rds/rds.h | 2 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/sysctl.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/unix/sysctl_net_unix.c | 2 +- + net/xfrm/xfrm_policy.c | 11 +- + net/xfrm/xfrm_state.c | 29 ++- + net/xfrm/xfrm_sysctl.c | 2 +- + security/apparmor/lsm.c | 2 +- + security/keys/key.c | 18 +- + security/yama/yama_lsm.c | 22 +- + tools/gcc/Makefile | 4 +- + tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ + tools/gcc/size_overflow_plugin.c | 7 +- + 248 files changed, 994 insertions(+), 668 deletions(-) + +commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b +Author: Brad Spengler +Date: Wed Mar 6 12:58:21 2013 -0500 + + Make slab_state __read_only, it's only written to during init + + mm/slab_common.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a +Author: Brad Spengler +Date: Wed Mar 6 12:31:35 2013 -0500 + + Make two new helper functions: + gr_is_global_root() and gr_is_global_nonroot() + + grsecurity/gracl.c | 10 +++++----- + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_link.c | 4 ++-- + grsecurity/grsec_sig.c | 10 +++++----- + grsecurity/grsec_tpe.c | 6 +++--- + include/linux/uidgid.h | 2 ++ + 6 files changed, 18 insertions(+), 16 deletions(-) + +commit d45d88eddd4998b280b1e5b5384289ee11ca7088 +Author: Brad Spengler +Date: Wed Mar 6 12:14:41 2013 -0500 + + convert remaining task->pid to task_pid_nr(task) + + grsecurity/gracl.c | 22 +++++++++++----------- + grsecurity/gracl_shm.c | 2 +- + grsecurity/grsec_chroot.c | 4 ++-- + grsecurity/grsec_sig.c | 4 ++-- + 4 files changed, 16 insertions(+), 16 deletions(-) + +commit c877f2ece03ee2232dd281c1977ae59507297124 +Author: Brad Spengler +Date: Tue Mar 5 17:29:54 2013 -0500 + + compat-log is only used anymore by vm86-on-64bit and allows unlimited + spamming of the kernel log buffer (and since it includes the changable + process name, can avoid syslog log deduplication) + Turn it off by default + + fs/compat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 7c1964c4b7276889d7967bee70e46918cdca1b14 +Author: Brad Spengler +Date: Mon Mar 4 17:19:10 2013 -0500 + + fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP + is enabled, introduced with recent userns support + + init/main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 +Author: Brad Spengler +Date: Sun Mar 3 18:46:12 2013 -0500 + + Prevent TOMOYO from auto-loading modules by unprivileged users + (Only reachable if TOMOYO is actually used) + + security/tomoyo/mount.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 79e142f9455b398759ff9d93d4963a21b98dddda +Author: Brad Spengler +Date: Sun Mar 3 18:28:45 2013 -0500 + + For now, don't permit any special access to /proc in a user namespace + Later we can go back and allow a userns-uid0 special access to a /proc + with a non-global pid namespace + + fs/proc/base.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8b91fb393049ce5f3c0a86f62247409853fd9700 +Merge: d931eb8 603ef05 +Author: Brad Spengler +Date: Sun Mar 3 17:42:09 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b +Author: Brad Spengler +Date: Sun Mar 3 17:41:31 2013 -0500 + + Fix compilation error on ARM reported by Michael Tremer + + arch/arm/mach-omap2/wd_timer.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit b4c9ce81fdd7839a150c97873c710c479e788280 +Author: Brad Spengler +Date: Sun Mar 3 17:39:53 2013 -0500 + + Fix compilation error on ARM reported by Michael Tremer + + arch/arm/kernel/armksyms.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d931eb81ab3da46896268fd61373a6aa7bbea930 +Merge: bfa7f44 5948f93 +Author: Brad Spengler +Date: Sun Mar 3 17:34:36 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 +Merge: ab30472 19b00d2 +Author: Brad Spengler +Date: Sun Mar 3 17:34:08 2013 -0500 + + Merge branch 'linux-3.8.y' into pax-test + +commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 +Author: Brad Spengler +Date: Sun Mar 3 15:12:12 2013 -0500 + + Initial support for user namespaces, as we previously didn't allow + the option to be enabled at all. + + RBAC will act on the global uids/gids only, so all uids/gids in user + namespaces will be converted + + Because Eric Biederman is insulted that I didn't support his + backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN + check in for user namespaces, so this is generally irrelevant. + + fs/exec.c | 6 +- + fs/proc/base.c | 2 +- + fs/proc/proc_net.c | 4 +- + grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- + grsecurity/gracl_cap.c | 4 +- + grsecurity/gracl_ip.c | 16 +++--- + grsecurity/gracl_segv.c | 12 +++- + grsecurity/gracl_shm.c | 4 +- + grsecurity/grsec_disabled.c | 10 ++-- + grsecurity/grsec_fifo.c | 6 +- + grsecurity/grsec_init.c | 24 ++++---- + grsecurity/grsec_log.c | 3 - + grsecurity/grsec_tpe.c | 6 +- + include/linux/grinternal.h | 12 ++-- + include/linux/grsecurity.h | 12 ++-- + include/linux/uidgid.h | 3 + + init/Kconfig | 2 - + ipc/shm.c | 2 +- + kernel/cred.c | 5 +- + kernel/kallsyms.c | 2 +- + kernel/kmod.c | 6 +- + kernel/sys.c | 12 ++-- + 22 files changed, 166 insertions(+), 115 deletions(-) + +commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff +Author: Linus Torvalds +Date: Wed Feb 27 08:36:04 2013 -0800 + + Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 + + mm: do not grow the stack vma just because of an overrun on preceding vma + + The stack vma is designed to grow automatically (marked with VM_GROWSUP + or VM_GROWSDOWN depending on architecture) when an access is made beyond + the existing boundary. However, particularly if you have not limited + your stack at all ("ulimit -s unlimited"), this can cause the stack to + grow even if the access was really just one past *another* segment. + + And that's wrong, especially since we first grow the segment, but then + immediately later enforce the stack guard page on the last page of the + segment. So _despite_ first growing the stack segment as a result of + the access, the kernel will then make the access cause a SIGSEGV anyway! + + So do the same logic as the guard page check does, and consider an + access to within one page of the next segment to be a bad access, rather + than growing the stack to abut the next segment. + + Reported-and-tested-by: Heiko Carstens + Signed-off-by: Linus Torvalds + + mm/mmap.c | 27 +++++++++++++++++++++++++++ + 1 files changed, 27 insertions(+), 0 deletions(-) + +commit 5596211af754867ca825f58e6e0300a8439950fe +Author: H. Peter Anvin +Date: Wed Feb 27 12:46:40 2013 -0800 + + Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c + + x86: Make sure we can boot in the case the BDA contains pure garbage + + On non-BIOS platforms it is possible that the BIOS data area contains + garbage instead of being zeroed or something equivalent (firmware + people: we are talking of 1.5K here, so please do the sane thing.) + + We need on the order of 20-30K of low memory in order to boot, which + may grow up to < 64K in the future. We probably want to avoid the + lowest of the low memory. At the same time, it seems extremely + unlikely that a legitimate EBDA would ever reach down to the 128K + (which would require it to be over half a megabyte in size.) Thus, + pick 128K as the cutoff for "this is insane, ignore." We may still + end up reserving a bunch of extra memory on the low megabyte, but that + is not really a major issue these days. In the worst case we lose + 512K of RAM. + + This code really should be merged with trim_bios_range() in + arch/x86/kernel/setup.c, but that is a bigger patch for a later merge + window. + + Reported-by: Darren Hart + Signed-off-by: H. Peter Anvin + Cc: Matt Fleming + Cc: + Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org + + arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- + 1 files changed, 34 insertions(+), 19 deletions(-) + +commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea +Author: Wei Yongjun +Date: Wed Feb 27 17:05:46 2013 -0800 + + Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 + + memstick: move the dereference below the NULL test + + The dereference should be moved below the NULL test. + + spatch with a semantic match is used to found this. + (http://coccinelle.lip6.fr/) + + Signed-off-by: Wei Yongjun + Cc: Maxim Levitsky + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/memstick/host/r592.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 +Author: Xi Wang +Date: Wed Feb 27 17:05:21 2013 -0800 + + Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 + + sysctl: fix null checking in bin_dn_node_address() + + The null check of `strchr() + 1' is broken, which is always non-null, + leading to OOB read. Instead, check the result of strchr(). + + Signed-off-by: Xi Wang + Cc: "Eric W. Biederman" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/sysctl_binary.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 7ca96db0817416fd40761e7437d1939fc0731380 +Author: Tejun Heo +Date: Wed Feb 27 17:03:34 2013 -0800 + + Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 + + idr: fix a subtle bug in idr_get_next() + + The iteration logic of idr_get_next() is borrowed mostly verbatim from + idr_for_each(). It walks down the tree looking for the slot matching + the current ID. If the matching slot is not found, the ID is + incremented by the distance of single slot at the given level and + repeats. + + The implementation assumes that during the whole iteration id is aligned + to the layer boundaries of the level closest to the leaf, which is true + for all iterations starting from zero or an existing element and thus is + fine for idr_for_each(). + + However, idr_get_next() may be given any point and if the starting id + hits in the middle of a non-existent layer, increment to the next layer + will end up skipping the same offset into it. For example, an IDR with + IDs filled between [64, 127] would look like the following. + + [ 0 64 ... ] + /----/ | + | | + NULL [ 64 ... 127 ] + + If idr_get_next() is called with 63 as the starting point, it will try + to follow down the pointer from 0. As it is NULL, it will then try to + proceed to the next slot in the same level by adding the slot distance + at that level which is 64 - making the next try 127. It goes around the + loop and finds and returns 127 skipping [64, 126]. + + Note that this bug also triggers in idr_for_each_entry() loop which + deletes during iteration as deletions can make layers go away leaving + the iteration with unaligned ID into missing layers. + + Fix it by ensuring proceeding to the next slot doesn't carry over the + unaligned offset - ie. use round_up(id + 1, slot_distance) instead of + id += slot_distance. + + Signed-off-by: Tejun Heo + Reported-by: David Teigland + Cc: KAMEZAWA Hiroyuki + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + lib/idr.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +commit 745362f28034f54242ba2e64eaa7374ab9869613 +Author: Brad Spengler +Date: Fri Mar 1 20:31:42 2013 -0500 + + Fix dentry use-after-free after failed complete_walk() with RBAC enabled + Many thanks to zakalwe from #grsecurity for the report and debugging help + + fs/namei.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit b53b3b14330920c6f7cfb74c8508a3026e1be620 +Author: Brad Spengler +Date: Thu Feb 28 18:29:26 2013 -0500 + + Fix bad git merge + + fs/namespace.c | 8 -------- + 1 files changed, 0 insertions(+), 8 deletions(-) + +commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede +Merge: 1cce1dd ab30472 +Author: Brad Spengler +Date: Thu Feb 28 17:45:14 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + net/core/sock_diag.c + +commit ab3047280e1dfb43f1b301a296123757b4ac4f6e +Merge: 4b61d21 4c91a0e +Author: Brad Spengler +Date: Thu Feb 28 17:43:56 2013 -0500 + + Merge branch 'linux-3.8.y' into pax-test + +commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 +Author: Brad Spengler +Date: Wed Feb 27 22:20:22 2013 -0500 + + add compiler.h to sysrq.h to fix compilation problem reported by micu on forums + + include/linux/sysrq.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 +Author: Brad Spengler +Date: Wed Feb 27 17:52:31 2013 -0500 + + declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel + + kernel/printk.c | 12 +++++++----- + 1 files changed, 7 insertions(+), 5 deletions(-) + +commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 +Author: Brad Spengler +Date: Wed Feb 27 17:23:46 2013 -0500 + + Fix upstream vulnerability from addition of a /dev/kmsg device + while neglecting to add the same set of existing permission checks + from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. + A temporary workaround without this patch would be to + chmod 0600 /dev/kmsg (and is likely a good idea anyway). + + Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek + Initially reported to Redhat bugzilla by Christian Kujau: + https://bugzilla.redhat.com/show_bug.cgi?id=903192 + + kernel/printk.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 66c04806f5660988c3cb4855e60de294e77e3d0e +Author: David Howells +Date: Thu Feb 21 12:00:25 2013 +0000 + + Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f + + KEYS: Revert one application of "Fix unreachable code" patch + + A patch to fix some unreachable code in search_my_process_keyrings() got + applied twice by two different routes upstream as commits e67eab39bee2 + and b010520ab3d2 (both "fix unreachable code"). + + Unfortunately, the second application removed something it shouldn't + have and this wasn't detected by GIT. This is due to the patch not + having sufficient lines of context to distinguish the two places of + application. + + The effect of this is relatively minor: inside the kernel, the keyring + search routines may search multiple keyrings and then prioritise the + errors if no keys or negative keys are found in any of them. With the + extra deletion, the presence of a negative key in the thread keyring + (causing ENOKEY) is incorrectly overridden by an error searching the + process keyring. + + So revert the second application of the patch. + + Signed-off-by: David Howells + Cc: Jiri Kosina + Cc: Andrew Morton + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + security/keys/process_keys.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 954b0c8a95b08c09c3d15ec38106ce403bf714da +Author: Wei Yongjun +Date: Thu Feb 21 16:42:43 2013 -0800 + + Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a + + configfs: move the dereference below the NULL test + + The dereference should be moved below the NULL test. + + spatch with a semantic match is used to found this. + (http://coccinelle.lip6.fr/) + + Signed-off-by: Wei Yongjun + Cc: Joel Becker + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/configfs/dir.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 +Author: Nicolas Pitre +Date: Sun Feb 24 20:06:09 2013 -0500 + + Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 + + tty vt: fix character insertion overflow + + Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on + command line edition") broke insert_char() in multiple ways. Then + commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") + partially fixed it. However, the buffer being moved is still too large + and overflowing beyond the end of the current line, corrupting existing + characters on the next line. + + Example test case: + + echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" + + Expected result: + + ab c + de + + Current result: + + ab c + e + + Needless to say that this is very annoying when inserting words in the + middle of paragraphs with certain text editors. + + Signed-off-by: Nicolas Pitre + Cc: Jean-François Moine + Cc: Greg Kroah-Hartman + Cc: + Signed-off-by: Linus Torvalds + + drivers/tty/vt/vt.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6cda35071669b4aabde081bd039e0ffea36f997a +Author: Robin Holt +Date: Fri Feb 22 16:35:34 2013 -0800 + + Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 + + mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result of a + filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + + Additionally, the list traversal in __mmu_notifier_release() is not + protected by the by the mmu_notifier_mm->hlist_lock which can result in + callouts to the ->release() notifier from both mmu_notifier_unregister() + and __mmu_notifier_release(). + + -stable suggestions: + + The stable trees prior to 3.7.y need commits 21a92735f660 and + 70400303ce0c cherry-picked in that order prior to cherry-picking this + commit. The 3.7.y tree already has those two commits. + + Signed-off-by: Robin Holt + Cc: Andrea Arcangeli + Cc: Wanpeng Li + Cc: Xiao Guangrong + Cc: Avi Kivity + Cc: Hugh Dickins + Cc: Marcelo Tosatti + Cc: Sagi Grimberg + Cc: Haggai Eran + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- + 1 files changed, 42 insertions(+), 40 deletions(-) + +commit bf5167ed78ba6131c6874887f714bda50c2cab83 +Author: Mike Galbraith +Date: Mon Jan 28 12:19:25 2013 +0100 + + Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 + + sched: Fix select_idle_sibling() bouncing cow syndrome + + If the previous CPU is cache affine and idle, select it. + + The current implementation simply traverses the sd_llc domain, + taking the first idle CPU encountered, which walks buddy pairs + hand in hand over the package, inflicting excruciating pain. + + 1 tbench pair (worst case) in a 10 core + SMT package: + + pre 15.22 MB/sec 1 procs + post 252.01 MB/sec 1 procs + + Signed-off-by: Mike Galbraith + Cc: Peter Zijlstra + Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net + Signed-off-by: Ingo Molnar + + kernel/sched/fair.c | 21 +++++++-------------- + 1 files changed, 7 insertions(+), 14 deletions(-) + +commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c +Author: Eric W. Biederman +Date: Fri Dec 28 18:58:39 2012 -0800 + + Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f + + userns: Avoid recursion in put_user_ns + + When freeing a deeply nested user namespace free_user_ns calls + put_user_ns on it's parent which may in turn call free_user_ns again. + When -fno-optimize-sibling-calls is passed to gcc one stack frame per + user namespace is left on the stack, potentially overflowing the + kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls + so we can't count on gcc to optimize this code. + + Remove struct kref and use a plain atomic_t. Making the code more + flexible and easier to comprehend. Make the loop in free_user_ns + explict to guarantee that the stack does not overflow with + CONFIG_FRAME_POINTER enabled. + + I have tested this fix with a simple program that uses unshare to + create a deeply nested user namespace structure and then calls exit. + With 1000 nesteuser namespaces before this change running my test + program causes the kernel to die a horrible death. With 10,000,000 + nested user namespaces after this change my test program runs to + completion and causes no harm. + + Acked-by: Serge Hallyn + Pointed-out-by: Vasily Kulikov + Signed-off-by: "Eric W. Biederman" + + include/linux/user_namespace.h | 10 +++++----- + kernel/user.c | 4 +--- + kernel/user_namespace.c | 17 +++++++++-------- + 3 files changed, 15 insertions(+), 16 deletions(-) + +commit 81501c7106ccc186c94806f4db954626295b5ebe +Author: Brad Spengler +Date: Tue Feb 26 17:12:30 2013 -0500 + + Pass the same flags to kern_path_create as the original function + + fs/namei.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a677c8eee35afe48868f92c7d6745bfe809cd481 +Author: Al Viro +Date: Fri Feb 22 22:45:42 2013 -0500 + + Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 + + get rid of unprotected dereferencing of mnt->mnt_ns + + It's safe only under namespace_sem or vfsmount_lock; all places + in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use + current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in + there). + + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/namespace.c | 29 +++++++++++++++++------------ + 1 files changed, 17 insertions(+), 12 deletions(-) + +commit 89298124d0c96dc34a60377e7a1308f8f532ff75 +Author: Greg Thelen +Date: Fri Feb 22 16:36:01 2013 -0800 + + Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 + + tmpfs: fix use-after-free of mempolicy object + + The tmpfs remount logic preserves filesystem mempolicy if the mpol=M + option is not specified in the remount request. A new policy can be + specified if mpol=M is given. + + Before this patch remounting an mpol bound tmpfs without specifying + mpol= mount option in the remount request would set the filesystem's + mempolicy object to a freed mempolicy object. + + To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: + # mkdir /tmp/x + + # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x + + # grep /tmp/x /proc/mounts + nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 + + # mount -o remount,size=200M nodev /tmp/x + + # grep /tmp/x /proc/mounts + nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 + # note ? garbage in mpol=... output above + + # dd if=/dev/zero of=/tmp/x/f count=1 + # panic here + + Panic: + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [< (null)>] (null) + [...] + Oops: 0010 [#1] SMP DEBUG_PAGEALLOC + Call Trace: + mpol_shared_policy_init+0xa5/0x160 + shmem_get_inode+0x209/0x270 + shmem_mknod+0x3e/0xf0 + shmem_create+0x18/0x20 + vfs_create+0xb5/0x130 + do_last+0x9a1/0xea0 + path_openat+0xb3/0x4d0 + do_filp_open+0x42/0xa0 + do_sys_open+0xfe/0x1e0 + compat_sys_open+0x1b/0x20 + cstar_dispatch+0x7/0x1f + + Non-debug kernels will not crash immediately because referencing the + dangling mpol will not cause a fault. Instead the filesystem will + reference a freed mempolicy object, which will cause unpredictable + behavior. + + The problem boils down to a dropped mpol reference below if + shmem_parse_options() does not allocate a new mpol: + + config = *sbinfo + shmem_parse_options(data, &config, true) + mpol_put(sbinfo->mpol) + sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ + + This patch avoids the crash by not releasing the mempolicy if + shmem_parse_options() doesn't create a new mpol. + + How far back does this issue go? I see it in both 2.6.36 and 3.3. I did + not look back further. + + Signed-off-by: Greg Thelen + Acked-by: Hugh Dickins + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/shmem.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 +Author: Brad Spengler +Date: Sat Feb 23 11:08:05 2013 -0500 + + Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY + with a family greater or equal then AF_MAX -- the array size of + sock_diag_handlers[]. The current code does not test for this + condition therefore is vulnerable to an out-of-bound access opening + doors for a privilege escalation. + + Signed-off-by: Mathias Krause + + The sock_diag_lock_handler() and sock_diag_unlock_handler() actually + make the code less readable. Get rid of them and make the lock usage + and access to sock_diag_handlers[] clear on the first sight. + + Signed-off-by: Mathias Krause + + net/core/sock_diag.c | 27 ++++++++++----------------- + 1 files changed, 10 insertions(+), 17 deletions(-) + +commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 +Author: Brad Spengler +Date: Sat Feb 23 10:58:52 2013 -0500 + + Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined + + arch/arm/include/asm/domain.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7b729586eb81f344fdedf0942fab0acc738a6725 +Author: Brad Spengler +Date: Fri Feb 22 19:02:51 2013 -0500 + + Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. + + kernel/fork.c | 17 +++++++++++++++++ + 1 files changed, 17 insertions(+), 0 deletions(-) + +commit fadc560d0c486af88da83177735f5515e88acdcc +Author: Brad Spengler +Date: Thu Feb 21 23:06:48 2013 -0500 + + put is_hugetlbfs_mnt inside ifdefs + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 8252176922d405484f986eb2cc350b7cd3ae586e +Author: Brad Spengler +Date: Thu Feb 21 23:02:07 2013 -0500 + + remove unused label + + kernel/module.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit dad4a980f0b625059e215d13da728aa7fd02a374 +Author: Brad Spengler +Date: Thu Feb 21 23:00:52 2013 -0500 + + compile fix + + fs/open.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 +Author: Brad Spengler +Date: Thu Feb 21 22:57:49 2013 -0500 + + remove kmalloc_array_error for the same reasons as kcalloc_error + + include/linux/slab.h | 9 --------- + 1 files changed, 0 insertions(+), 9 deletions(-) + +commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a +Author: Brad Spengler +Date: Thu Feb 21 22:49:35 2013 -0500 + + Initial port of grsecurity for Linux 3.8 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 10 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 14 +- + arch/arm/include/asm/cache.h | 2 + + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 27 +- + arch/arm/mm/mmap.c | 6 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 7 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 3 +- + arch/ia64/mm/hugetlbpage.c | 3 +- + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 3 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 19 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 8 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/slice.c | 8 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 6 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/Kconfig.debug | 2 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 14 +- + arch/x86/kernel/sys_x86_64.c | 3 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 3 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + crypto/ablkcipher.c | 12 +- + crypto/aead.c | 9 +- + crypto/ahash.c | 2 +- + crypto/blkcipher.c | 6 +- + crypto/crypto_user.c | 38 +- + crypto/pcompress.c | 3 +- + crypto/rng.c | 2 +- + crypto/shash.c | 3 +- + drivers/block/cciss.c | 2 + + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 5 + + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 6 + + fs/btrfs/inode.c | 10 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 18 + + fs/coredump.c | 10 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 155 +- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 5 + + fs/fs_struct.c | 26 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 269 ++- + fs/namespace.c | 24 + + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 +- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 3 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 1021 +++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4017 ++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 +++ + grsecurity/gracl_ip.c | 384 ++ + grsecurity/gracl_learn.c | 207 + + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 299 ++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 357 ++ + grsecurity/grsec_disabled.c | 434 +++ + grsecurity/grsec_exec.c | 174 + + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 ++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 329 ++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 222 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 +++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 319 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 215 ++ + include/linux/grmsg.h | 111 + + include/linux/grsecurity.h | 257 ++ + include/linux/grsock.h | 19 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 12 + + include/linux/sched.h | 66 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/vermagic.h | 9 +- + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 5 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 109 +- + kernel/exit.c | 10 +- + kernel/fork.c | 24 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 71 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 80 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 8 + + kernel/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 38 +- + kernel/sysctl.c | 39 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + lib/vsprintf.c | 35 +- + localversion-grsec | 1 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 62 +- + mm/mprotect.c | 8 + + mm/page_alloc.c | 6 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev.c | 9 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 7 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 2 +- + net/phonet/af_phonet.c | 4 +- + net/sctp/proc.c | 3 +- + net/socket.c | 62 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 19 + + security/Kconfig | 320 ++- + security/apparmor/lsm.c | 2 +- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/yama/Kconfig | 2 +- + tools/gcc/Makefile | 2 +- + 286 files changed, 15083 insertions(+), 2067 deletions(-) + +commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 +Author: Brad Spengler +Date: Wed Feb 20 21:00:42 2013 -0500 + + Initial import of pax-linux-3.8-test3.patch + + Documentation/dontdiff | 43 +- + Documentation/kernel-parameters.txt | 7 + + Makefile | 97 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 10 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 421 +++- + arch/arm/include/asm/cache.h | 3 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/delay.h | 8 +- + arch/arm/include/asm/domain.h | 32 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 4 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 10 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 20 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 14 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-ux500/include/mach/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/fault.c | 78 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 36 +- + arch/arm/mm/mmu.c | 186 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 7 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 28 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 13 +- + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/hugetlbpage.c | 2 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 6 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/uaccess.h | 142 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 23 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 8 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 +++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 6 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 4 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 31 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + + arch/x86/crypto/sha1_ssse3_asm.S | 3 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 12 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 ++- + arch/x86/include/asm/bitops.h | 2 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 65 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/io.h | 13 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/page_64_types.h | 2 +- + arch/x86/include/asm/paravirt.h | 44 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 110 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 6 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel.c | 2 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 29 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 63 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 ++- + arch/x86/kernel/entry_64.S | 512 +++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head32.c | 4 +- + arch/x86/kernel/head_32.S | 237 ++- + arch/x86/kernel/head_64.S | 158 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 10 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes-opt.c | 12 +- + arch/x86/kernel/kprobes.c | 30 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 11 + + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/process.c | 57 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 4 +- + arch/x86/kernel/setup.c | 14 +- + arch/x86/kernel/setup_percpu.c | 27 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 247 ++ + arch/x86/kernel/sys_x86_64.c | 19 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 47 +- + arch/x86/kvm/x86.c | 10 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 68 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 376 ++- + arch/x86/lib/usercopy_64.c | 25 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 555 +++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 92 +- + arch/x86/mm/init_32.c | 122 +- + arch/x86/mm/init_64.c | 48 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 12 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 19 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 4 +- + arch/x86/realmode/init.c | 8 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/relocs.c | 95 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_driver.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/devtmpfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 18 +- + drivers/block/loop.c | 2 +- + drivers/cdrom/cdrom.c | 9 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/frontend.c | 2 +- + drivers/char/hpet.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 41 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 8 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm.c | 2 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clocksource/arm_generic.c | 2 +- + drivers/cpufreq/cpufreq.c | 2 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_pci_sysfs.c | 20 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-cdev.c | 3 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efivars.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 4 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 4 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 6 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 9 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/devices/doc2000.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 2 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/scsi/bfa/bfa.h | 2 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/ramster/tmem.c | 54 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/udlfb.c | 32 +- + drivers/video/uvesafb.c | 39 +- + drivers/video/vesafb.c | 51 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 11 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 604 ++++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/relocation.c | 2 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 8 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/ecryptfs/read_write.c | 4 +- + fs/exec.c | 356 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/fhandle.c | 3 +- + fs/fifo.c | 22 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 2 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/vfs.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 33 +- + fs/proc/array.c | 20 + + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/quota/netlink.c | 4 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 36 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/udf/misc.c | 2 +- + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 ++ + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 5 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/linux/atmdev.h | 2 +- + include/linux/binfmts.h | 1 + + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 72 +- + include/linux/cpu.h | 2 +- + include/linux/crypto.h | 6 +- + include/linux/decompress/mm.h | 2 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fsnotify.h | 2 +- + include/linux/ftrace_event.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 3 + + include/linux/mm.h | 91 +- + include/linux/mm_types.h | 22 +- + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 4 +- + include/linux/module.h | 55 +- + include/linux/moduleloader.h | 18 +- + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 6 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/random.h | 5 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 64 +- + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 36 +- + include/linux/slab_def.h | 33 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 10 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/clnt.h | 8 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sysrq.h | 2 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 12 +- + include/linux/usb.h | 2 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-ioctl.h | 1 - + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/gro_cells.h | 6 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 4 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 6 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/ipv4.h | 2 +- + include/net/protocol.h | 4 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/structs.h | 4 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 4 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 24 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 22 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 78 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 2 +- + kernel/kprobes.c | 8 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 333 ++- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 7 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 20 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 6 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 72 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 18 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 2 +- + kernel/sched/fair.c | 4 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/softirq.c | 16 +- + kernel/srcu.c | 6 +- + kernel/stop_machine.c | 2 +- + kernel/sys.c | 12 +- + kernel/sysctl.c | 37 +- + kernel/sysctl_binary.c | 14 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 20 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 6 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/list_debug.c | 89 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 54 + + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 18 +- + mm/memory.c | 404 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 16 +- + mm/mmap.c | 573 +++- + mm/mprotect.c | 138 +- + mm/mremap.c | 44 +- + mm/nommu.c | 11 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 14 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 104 +- + mm/slab.h | 5 +- + mm/slab_common.c | 9 +- + mm/slob.c | 200 +- + mm/slub.c | 98 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 82 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/rtnetlink.c | 2 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 2 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 2 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv6/addrconf.c | 2 +- + net/ipv6/ip6_gre.c | 2 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/raw.c | 19 +- + net/ipv6/udp.c | 8 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 4 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 14 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 10 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 2 +- + net/sctp/protocol.c | 8 +- + net/sctp/socket.c | 2 + + net/socket.c | 34 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 16 +- + net/xfrm/xfrm_state.c | 4 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/pnmtologo.c | 6 +- + security/Kconfig | 654 ++++- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 43 + + tools/gcc/checker_plugin.c | 171 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 359 +++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 +++ + tools/gcc/latent_entropy_plugin.c | 321 ++ + tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/perf/util/include/asm/alternative-asm.h | 3 + + virt/kvm/kvm_main.c | 32 +- + 1311 files changed, 26668 insertions(+), 6394 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466 +Author: Brad Spengler +Date: Sun Nov 24 17:50:21 2013 -0500 + + remove unnecessary code/comments after new reload method + + grsecurity/gracl.c | 4 ---- + grsecurity/gracl_policy.c | 13 ------------- + 2 files changed, 0 insertions(+), 17 deletions(-) + +commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d +Author: Brad Spengler +Date: Sun Nov 24 16:05:01 2013 -0500 + + Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous + features have been added since then) + + Introduce new atomic RBAC reload method, developed as part of sponsorship + by EIG + + This is accompanied by an updated 3.0 gradm which will use the new reload + method when -R is passed to gradm. The old method will still be available + via gradm -r (which is what a 2.9.1 gradm will continue to use). + + The new RBAC reload method is atomic in the sense that at no point in the + reload process will the system not be covered by a coherent full policy. + In contrast to previous reload behavior, it also preserves inherited subjects + and special roles. + + The old RBAC reload method has also been made atomic. Both methods have + been updated to perform role_allowed_ip checks only against the IP tagged + to the task at the time its role was first applied or changed. This resolves + long-standing usability problems with the use of role_allowed_ip and matches + the policies created by learning. + + grsecurity/Makefile | 2 +- + grsecurity/gracl.c | 3903 +++++++++++++------------------------------ + grsecurity/gracl_alloc.c | 42 +- + grsecurity/gracl_compat.c | 3 +- + grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ + grsecurity/gracl_segv.c | 12 +- + grsecurity/grsec_disabled.c | 7 - + grsecurity/grsec_init.c | 15 - + include/linux/gracl.h | 43 +- + include/linux/grinternal.h | 1 - + include/linux/grsecurity.h | 1 - + include/linux/sched.h | 2 + + 12 files changed, 3082 insertions(+), 2787 deletions(-) + +commit d8981a4fd03025434a466fd87a0eaea93755bc70 +Author: Brad Spengler +Date: Sun Nov 24 15:08:28 2013 -0500 + + compile fix for recent GRKERNSEC_CHROOT_INITRD change + + init/main.c | 12 +++--------- + 1 files changed, 3 insertions(+), 9 deletions(-) + +commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f +Author: Brad Spengler +Date: Sat Nov 23 18:27:37 2013 -0500 + + Make the recent usermode_helper protection race-free as far as userland + is concerned by creating a copy of the path to be executed, then check against + that copied path instead of the still-mutable original path + + include/linux/kmod.h | 3 +++ + kernel/kmod.c | 13 +++++++++++++ + 2 files changed, 16 insertions(+), 0 deletions(-) + +commit ecdd0610bef058fd33fee50b489d949c1a0db07a +Author: Brad Spengler +Date: Sat Nov 23 17:20:15 2013 -0500 + + Produce a UDEREF message when faulting on kernel access to a non-present + page in the userland range. This is purely for consistency of logs, + due to there being no domain present to fault based on. An + "Unable to handle kernel fault.." oops would already (and still is) + generated for these cases, triggering grsec's bruteforce prevention. + + Reported by acez on IRC + + arch/arm/mm/fault.c | 11 +++++++++++ + 1 files changed, 11 insertions(+), 0 deletions(-) + +commit 3f4adfade80bba0d865b5c603bd58da555ca4553 +Author: Brad Spengler +Date: Sat Nov 23 16:56:46 2013 -0500 + + Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, + Also make sure we mark init as run if no initrd was used. Though this + should already be enforced in grsec_chroot.c, this should future-proof + the feature a bit in case userland somehow changes drastically. + + Conflicts: + + init/main.c + + grsecurity/Kconfig | 2 +- + grsecurity/grsec_chroot.c | 2 +- + init/main.c | 15 +++++++++++++++ + 3 files changed, 17 insertions(+), 2 deletions(-) + +commit d4a9bb63091852b5b49ebd216796b374e5c0dc71 +Author: Brad Spengler +Date: Sat Nov 23 16:33:20 2013 -0500 + + limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected + + kernel/kmod.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit e727db195f8bed17c65d050e1772643d730fe565 +Author: Brad Spengler +Date: Sat Nov 23 16:02:01 2013 -0500 + + perform USERCOPY kernel text checks against the linear mapping on amd64 as well + + fs/exec.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb +Merge: 2fcc3a5 2d1263b +Author: Brad Spengler +Date: Fri Nov 22 21:11:44 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1 +Merge: d52f291 e0cd057 +Author: Brad Spengler +Date: Fri Nov 22 21:11:33 2013 -0500 + + Merge branch 'linux-3.11.y' into pax-test + + Conflicts: + drivers/net/ethernet/chelsio/cxgb3/sge.c + +commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972 +Author: Brad Spengler +Date: Fri Nov 22 20:31:37 2013 -0500 + + Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" + + This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. + + It caused errors with traceroute, reported to upstream and fixed with + http://patchwork.ozlabs.org/patch/293614/ + But there's no reason for us to maintain this backport as we're + already impervious to recvmsg/msg_name infoleaks + + Conflicts: + + net/ipv4/ping.c + + net/ieee802154/dgram.c | 3 ++- + net/ipv4/ping.c | 11 +++++++++-- + net/ipv4/raw.c | 4 +++- + net/ipv4/udp.c | 7 ++++++- + net/ipv6/raw.c | 4 +++- + net/ipv6/udp.c | 5 ++++- + net/l2tp/l2tp_ip.c | 4 +++- + net/phonet/datagram.c | 9 +++++---- + 8 files changed, 35 insertions(+), 12 deletions(-) + +commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b +Author: Hannes Frederic Sowa +Date: Mon Nov 18 07:07:45 2013 +0100 + + Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 + + ping: prevent NULL pointer dereference on write to msg_name + + A plain read() on a socket does set msg->msg_name to NULL. So check for + NULL pointer first. + + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv4/ping.c | 34 +++++++++++++++++++--------------- + 1 files changed, 19 insertions(+), 15 deletions(-) + +commit 8bb32f2682953e1b748a59c4a4363b237c3510df +Author: Hannes Frederic Sowa +Date: Mon Nov 18 04:20:45 2013 +0100 + + Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 + + inet: prevent leakage of uninitialized memory to user in recv syscalls + + Only update *addr_len when we actually fill in sockaddr, otherwise we + can return uninitialized memory from the stack to the caller in the + recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) + checks because we only get called with a valid addr_len pointer either + from sock_common_recvmsg or inet_recvmsg. + + If a blocking read waits on a socket which is concurrently shut down we + now return zero and set msg_msgnamelen to 0. + + Reported-by: mpb + Suggested-by: Eric Dumazet + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ieee802154/dgram.c | 3 +-- + net/ipv4/ping.c | 19 +++++++------------ + net/ipv4/raw.c | 4 +--- + net/ipv4/udp.c | 7 +------ + net/ipv6/raw.c | 4 +--- + net/ipv6/udp.c | 5 +---- + net/l2tp/l2tp_ip.c | 4 +--- + net/phonet/datagram.c | 9 ++++----- + 8 files changed, 17 insertions(+), 38 deletions(-) + +commit 642d754081c130a151e7df27e5c07edf2f368106 +Author: Jeff Layton +Date: Wed Nov 13 09:08:21 2013 -0500 + + Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 + + nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once + + Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or + NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. + There is no guarantee that doing so will work however, so we can end up + retrying the call in an infinite loop. + + Worse yet, we create the new client using rpc_clone_client_set_auth, + which creates the new client as a child of the old one. Thus, we can end + up with a *very* long lineage of rpc_clnts. When we go to put all of the + references to them, we can end up with a long call chain that can smash + the stack as each rpc_free_client() call can recurse back into itself. + + This patch fixes this by simply ensuring that the SETCLIENTID call will + only be retried in this situation if the last attempt did not use + RPC_AUTH_UNIX. + + Note too that with this change, we don't need the (i > 2) check in the + -EACCES case since we now have a more reliable test as to whether we + should reattempt. + + Cc: stable@vger.kernel.org # v3.10+ + Cc: Chuck Lever + Tested-by/Acked-by: Weston Andros Adamson + Signed-off-by: Jeff Layton + Signed-off-by: Trond Myklebust + + fs/nfs/nfs4state.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2 +Author: Chuck Lever +Date: Wed Jul 24 12:28:28 2013 -0400 + + Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e + + NFS: Use root's credential for lease management when keytab is missing + + Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting" + Fri Sep 14 17:24:32 2012 introduced Uniform Client String support, + which forces our NFS client to establish a client ID immediately + during a mount operation rather than waiting until a user wants to + open a file. + + Normally machine credentials (eg. from a keytab) are used to perform + a mount operation that is protected by Kerberos. Before 05fc350, + SETCLIENTID used a machine credential, or fell back to a regular + user's credential if no keytab is available. + + On clients that don't have a keytab, performing SETCLIENTID early + means there's no user credential to fall back on, since no regular + user has kinit'd yet. 05f4c350 seems to have broken the ability + to mount with sec=krb5 on clients that don't have a keytab in + kernels 3.7 - 3.10. + + To address this regression, commit 4edaa308 (NFS: Use "krb5i" to + establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013, + was merged in 3.10. This commit forces the NFS client to fall back + to AUTH_SYS for lease management operations if no keytab is + available. + + Neil Brown noticed that, since root is required to kinit to do a + sec=krb5 mount when a client doesn't have a keytab, we can try to + use root's Kerberos credential before AUTH_SYS. + + Now, when determining a principal and flavor to use for lease + management, the NFS client tries in this order: + + 1. Flavor: AUTH_GSS, krb5i + Principal: service principal (via keytab) + + 2. Flavor: AUTH_GSS, krb5i + Principal: user principal established for UID 0 (via kinit) + + 3. Flavor: AUTH_SYS + Principal: UID 0 / GID 0 + + Signed-off-by: Chuck Lever + Signed-off-by: Trond Myklebust + + fs/nfs/nfs4state.c | 19 ++++++++++++++++++- + 1 files changed, 18 insertions(+), 1 deletions(-) + +commit 6ebab64904f37af82e950b0c6d321437e810b248 +Author: Trond Myklebust +Date: Tue Nov 12 17:24:36 2013 -0500 + + Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b + + SUNRPC: Avoid deep recursion in rpc_release_client + + In cases where an rpc client has a parent hierarchy, then + rpc_free_client may end up calling rpc_release_client() on the + parent, thus recursing back into rpc_free_client. If the hierarchy + is deep enough, then we can get into situations where the stack + simply overflows. + + The fix is to have rpc_release_client() loop so that it can take + care of the parent rpc client hierarchy without needing to + recurse. + + Reported-by: Jeff Layton + Reported-by: Weston Andros Adamson + Reported-by: Bruce Fields + Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com + Cc: stable@vger.kernel.org + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 29 +++++++++++++++++------------ + 1 files changed, 17 insertions(+), 12 deletions(-) + +commit fcb4306973aed105cc6d042077bf31e21b812008 +Author: Trond Myklebust +Date: Fri Nov 8 16:03:50 2013 -0500 + + Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 + + SUNRPC: Fix a data corruption issue when retransmitting RPC calls + + The following scenario can cause silent data corruption when doing + NFS writes. It has mainly been observed when doing database writes + using O_DIRECT. + + 1) The RPC client uses sendpage() to do zero-copy of the page data. + 2) Due to networking issues, the reply from the server is delayed, + and so the RPC client times out. + + 3) The client issues a second sendpage of the page data as part of + an RPC call retransmission. + + 4) The reply to the first transmission arrives from the server + _before_ the client hardware has emptied the TCP socket send + buffer. + 5) After processing the reply, the RPC state machine rules that + the call to be done, and triggers the completion callbacks. + 6) The application notices the RPC call is done, and reuses the + pages to store something else (e.g. a new write). + + 7) The client NIC drains the TCP socket send buffer. Since the + page data has now changed, it reads a corrupted version of the + initial RPC call, and puts it on the wire. + + This patch fixes the problem in the following manner: + + The ordering guarantees of TCP ensure that when the server sends a + reply, then we know that the _first_ transmission has completed. Using + zero-copy in that situation is therefore safe. + If a time out occurs, we then send the retransmission using sendmsg() + (i.e. no zero-copy), We then know that the socket contains a full copy of + the data, and so it will retransmit a faithful reproduction even if the + RPC call completes, and the application reuses the O_DIRECT buffer in + the meantime. + + Signed-off-by: Trond Myklebust + Cc: stable@vger.kernel.org + + net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- + 1 files changed, 21 insertions(+), 7 deletions(-) + +commit 2c59d4080ae744532dbe595f6923dcba72279977 +Merge: b2b99c6 d52f291 +Author: Brad Spengler +Date: Mon Nov 18 19:07:55 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d52f291621da9227cda5fd647e82dfe9bfc11265 +Author: Brad Spengler +Date: Mon Nov 18 19:07:14 2013 -0500 + + Update to pax-linux-3.11.8-test14.patch: + - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878) + + mm/page_alloc.c | 2 +- + tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++---------- + 2 files changed, 25 insertions(+), 11 deletions(-) + +commit b2b99c6972e345565d561b722de210f071e5e259 +Author: Brad Spengler +Date: Thu Nov 14 20:47:37 2013 -0500 + + Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e + + ipv6: fix headroom calculation in udp6_ufo_fragment + Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp + fragmentation for tunnel traffic.") changed the calculation if + there is enough space to include a fragment header in the skb from a + skb->mac_header dervived one to skb_headroom. Because we already peeled + off the skb to transport_header this is wrong. Change this back to check + if we have enough room before the mac_header. + + This fixes a panic Saran Neti reported. He used the tbf scheduler which + skb_gso_segments the skb. The offsets get negative and we panic in memcpy + because the skb was erroneously not expanded at the head. + + Reported-by: Saran Neti + Cc: Pravin B Shelar + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/udp_offload.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 012ee7647e16f464f8d1ad004e28eac2ba778158 +Author: Dan Carpenter +Date: Thu Nov 14 11:21:10 2013 +0300 + + Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 + + isdnloop: use strlcpy() instead of strcpy() + + These strings come from a copy_from_user() and there is no way to be + sure they are NUL terminated. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- + 1 files changed, 5 insertions(+), 3 deletions(-) + +commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f +Author: Eric Dumazet +Date: Thu Nov 14 13:37:54 2013 -0800 + + Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf + + ipv4: fix possible seqlock deadlock + + ip4_datagram_connect() being called from process context, + it should use IP_INC_STATS() instead of IP_INC_STATS_BH() + otherwise we can deadlock on 32bit arches, or get corruptions of + SNMP counters. + + Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") + Signed-off-by: Eric Dumazet + Reported-by: Dave Jones + Signed-off-by: David S. Miller + + net/ipv4/datagram.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1a642170613ae336331f2df38aa8f2c1227d3c96 +Merge: 60c6423 84d78c7 +Author: Brad Spengler +Date: Thu Nov 14 20:28:51 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730 +Author: Brad Spengler +Date: Thu Nov 14 20:28:07 2013 -0500 + + Update to pax-linux-3.11.8-test13.patch: + - forward port to 3.11.8 + - removed some no longer used code from bpf jit + - fixed some atomic_unchecked_t usage in oprofile and uio + - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy + + arch/x86/include/asm/mmu_context.h | 8 ++++++++ + arch/x86/kernel/setup.c | 2 +- + drivers/bluetooth/btwilink.c | 2 +- + drivers/md/dm-table.c | 2 +- + drivers/message/i2o/i2o_proc.c | 16 ++++++++-------- + drivers/mfd/max8925-i2c.c | 2 +- + drivers/mfd/tps65910.c | 2 +- + drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- + drivers/net/wireless/airo.c | 2 +- + drivers/net/wireless/b43/phy_lp.c | 2 +- + drivers/nfc/nfcwilink.c | 2 +- + drivers/oprofile/oprofilefs.c | 4 ++-- + drivers/platform/x86/msi-wmi.c | 2 +- + drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++------------- + drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++---- + drivers/usb/serial/console.c | 2 +- + include/linux/filter.h | 4 ---- + kernel/audit.c | 2 +- + 20 files changed, 41 insertions(+), 45 deletions(-) + +commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c +Author: Brad Spengler +Date: Thu Nov 14 20:15:51 2013 -0500 + + GRKERNSEC_HARDEN_IPC should depend on SYSVIPC + + grsecurity/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43 +Author: Brad Spengler +Date: Thu Nov 14 19:07:11 2013 -0500 + + Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS + and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps + make it more obvious that while we make use of domains, CPU_USE_DOMAINS is + disabled as far as the kernel knows + + arch/arm/mm/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba +Author: Brad Spengler +Date: Thu Nov 14 19:01:59 2013 -0500 + + Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research + on overly-permissive shared memory found in hundreds of areas in Linux + distros: + http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ + + Will let this sit in -test for a while to weed out any app incompatibilities + + grsecurity/Kconfig | 17 +++++++++++++++++ + grsecurity/Makefile | 2 +- + grsecurity/grsec_init.c | 4 ++++ + grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ + grsecurity/grsec_sysctl.c | 9 +++++++++ + include/linux/grinternal.h | 1 + + include/linux/grmsg.h | 1 + + ipc/util.c | 5 +++++ + 8 files changed, 60 insertions(+), 1 deletions(-) + +commit 27c3b43bd5ad9c9b877016f26192dbc30da54018 +Merge: 08e883f d0a09ad +Author: Brad Spengler +Date: Wed Nov 13 22:27:13 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d0a09ad6430008135b98da6e1941e98a6110b59e +Merge: 4e826ac 02709ef +Author: Brad Spengler +Date: Wed Nov 13 22:27:03 2013 -0500 + + Merge branch 'linux-3.11.y' into pax-test + +commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1 +Author: Brad Spengler +Date: Mon Nov 11 10:48:10 2013 -0500 + + Fix the overflowable range check just to be correct. + Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt + but I believe this to be unexploitable due to bounds checks on 'count' + from rw_verify_area() in fs/read_write.c + + drivers/video/arcfb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 094c08532f9877a287ffac7a87b05841a56b4e5d +Author: Brad Spengler +Date: Sun Nov 10 22:01:33 2013 -0500 + + Add missing include + + fs/proc/proc_sysctl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e383790f8252620f52895e202cc057c4318da3f4 +Author: Brad Spengler +Date: Sun Nov 10 17:50:12 2013 -0500 + + add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS + option: GRKERNSEC_OLD_ARM_USERLAND + + arch/arm/mm/Kconfig | 2 +- + grsecurity/Kconfig | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletions(-) + +commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26 +Author: Brad Spengler +Date: Sun Nov 10 15:19:27 2013 -0500 + + On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr + was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF + loading). Fix this by setting a proper default on these architectures like set on the LSM-based + mmap_min_addr. + + Thanks to acez from IRC for debugging. + + mm/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 17f832897194f46c4759aa02e048ad5623a04eed +Author: Brad Spengler +Date: Sun Nov 10 13:54:25 2013 -0500 + + Compatibility fix for LXC: + Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, + use a CAP_NET_ADMIN check within the user namespace of the process performing the modification + CAP_SYS_ADMIN is still required for any other sysctl modification, including modification + of sysctls of a net namespace other than our own + + This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's + networking + + Thanks to ncopa from IRC for testing + + fs/proc/proc_sysctl.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20 +Merge: fb281bd 4e826ac +Author: Brad Spengler +Date: Wed Nov 6 17:27:16 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + net/l2tp/l2tp_core.c + +commit 4e826ac763867707352d93b7d23ed86e4c6829cf +Merge: e309bfb 39773be +Author: Brad Spengler +Date: Wed Nov 6 17:26:23 2013 -0500 + + Merge branch 'linux-3.11.y' into pax-test + + Conflicts: + net/compat.c + +commit fb281bdee5ccb76facfe1172318a867b624011f4 +Author: Brad Spengler +Date: Wed Nov 6 16:23:36 2013 -0500 + + Force on DEBUG_LIST so all users can benefit from safe linking/unlinking + + Conflicts: + + security/Kconfig + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a +Author: Brad Spengler +Date: Wed Nov 6 16:19:21 2013 -0500 + + change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel + bruteforce deterrence + + Conflicts: + + lib/list_debug.c + + lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- + 1 files changed, 42 insertions(+), 23 deletions(-) + +commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba +Author: Dan Carpenter +Date: Tue Oct 29 23:01:43 2013 +0300 + + Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 + + Staging: sb105x: info leak in mp_get_count() + + The icount.reserved[] array isn't initialized so it leaks stack + information to userspace. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/staging/sb105x/sb_pci_mp.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de +Author: Dan Carpenter +Date: Tue Oct 29 22:06:04 2013 +0300 + + Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b + + uml: check length in exitcode_proc_write() + + We don't cap the size of buffer from the user so we could write past the + end of the array here. Only root can write to this file. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + arch/um/kernel/exitcode.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit 1285d10ec38f216f3c5de7ce085ce43447c78916 +Author: Jason Wang +Date: Fri Nov 1 15:01:10 2013 +0800 + + Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd + + net: flow_dissector: fail on evil iph->ihl + + We don't validate iph->ihl which may lead a dead loop if we meet a IPIP + skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl + is evil (less than 5). + + This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae + (rps: support IPIP encapsulation). + + Cc: Eric Dumazet + Cc: Petr Matousek + Cc: Michael S. Tsirkin + Cc: Daniel Borkmann + Signed-off-by: Jason Wang + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/core/flow_dissector.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc +Author: Ming Lei +Date: Thu Oct 31 16:34:17 2013 -0700 + + Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75 + + lib/scatterlist.c: don't flush_kernel_dcache_page on slab page + + Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper + functions") introduces two sg buffer copy helpers, and calls + flush_kernel_dcache_page() on pages in SG list after these pages are + written to. + + Unfortunately, the commit may introduce a potential bug: + + - Before sending some SCSI commands, kmalloc() buffer may be passed to + block layper, so flush_kernel_dcache_page() can see a slab page + finally + + - According to cachetlb.txt, flush_kernel_dcache_page() is only called + on "a user page", which surely can't be a slab page. + + - ARCH's implementation of flush_kernel_dcache_page() may use page + mapping information to do optimization so page_mapping() will see the + slab page, then VM_BUG_ON() is triggered. + + Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, + and this patch fixes the bug by adding test of '!PageSlab(miter->page)' + before calling flush_kernel_dcache_page(). + + Signed-off-by: Ming Lei + Reported-by: Aaro Koskinen + Tested-by: Simon Baatz + Cc: Russell King - ARM Linux + Cc: Will Deacon + Cc: Aaro Koskinen + Acked-by: Catalin Marinas + Cc: FUJITA Tomonori + Cc: Tejun Heo + Cc: "James E.J. Bottomley" + Cc: Jens Axboe + Cc: [3.2+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + lib/scatterlist.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4 +Author: Dan Carpenter +Date: Tue Oct 29 23:01:11 2013 +0300 + + Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba + + Staging: bcm: info leak in ioctl + + The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel + information to user space. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/staging/bcm/Bcmchar.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a2ab9d69265a08280241a2f2152e535316d02f53 +Author: Dan Carpenter +Date: Tue Oct 29 22:11:06 2013 +0300 + + Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5 + + aacraid: missing capable() check in compat ioctl + + In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we + added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the + check as well. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/scsi/aacraid/linit.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e +Author: Dan Carpenter +Date: Tue Oct 29 23:00:15 2013 +0300 + + Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054 + + staging: wlags49_h2: buffer overflow setting station name + + We need to check the length parameter before doing the memcpy(). I've + actually changed it to strlcpy() as well so that it's NUL terminated. + + You need CAP_NET_ADMIN to trigger these so it's not the end of the + world. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++--- + 1 files changed, 6 insertions(+), 3 deletions(-) + +commit afd645c1684265260b64ec8189cbc2703b91f6ab +Author: Dan Carpenter +Date: Tue Oct 29 22:07:47 2013 +0300 + + Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15 + + staging: ozwpan: prevent overflow in oz_cdev_write() + + We need to check "count" so we don't overflow the ei->data buffer. + + Reported-by: Nico Golde + Reported-by: Fabian Yamaguchi + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds + + drivers/staging/ozwpan/ozcdev.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 4a907baeb462b7e0f50923be5a9d842aec93c97a +Author: Linus Torvalds +Date: Tue Oct 29 10:21:34 2013 -0700 + + Fixed a little differently than Linus... + + Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 + + Fix a few incorrectly checked [io_]remap_pfn_range() calls + + Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that + really should use the vm_iomap_memory() helper. This trivially converts + two of them to the helper, and comments about why the third one really + needs to continue to use remap_pfn_range(), and adds the missing size + check. + + Reported-by: Nico Golde + Cc: stable@kernel.org + Signed-off-by: Linus Torvalds +Date: Sun Oct 27 15:17:05 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e309bfbf7b506b2294b30233f7a3299173a75cf7 +Author: Hugh Dickins +Date: Wed Oct 16 13:47:09 2013 -0700 + + Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779 + + mm: revert mremap pud_free anti-fix + + Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail + calling pmd_alloc()"). + + The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map() + ensure that the pud, pmd, pt is already allocated, and seldom do they + need to allocate; on failure, upper levels are freed if appropriate by + the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an + unconditional pud_free() of a most-likely still-in-use pud: saved only + by the near-impossiblity of pmd_alloc() failing. + + Signed-off-by: Hugh Dickins + Cc: Chen Gang + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mremap.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit 0970b16a9df08b8cca6929b6443f67df432ac3e5 +Author: Eric Dumazet +Date: Tue Oct 1 21:04:11 2013 -0700 + + Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693 + + net: do not call sock_put() on TIMEWAIT sockets + + commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / + hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. + + We should instead use inet_twsk_put() + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/inet_hashtables.c | 2 +- + net/ipv6/inet6_hashtables.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28 +Author: Andi Kleen +Date: Mon Sep 30 13:29:08 2013 -0700 + + Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645 + + igb: Avoid uninitialized advertised variable in eee_set_cur + + eee_get_cur assumes that the output data is already zeroed. It can + read-modify-write the advertised field: + + if (ipcnfg & E1000_IPCNFG_EEE_100M_AN) + 2594 edata->advertised |= ADVERTISED_100baseT_Full; + + This is ok for the normal ethtool eee_get call, which always + zeroes the input data before. + + But eee_set_cur also calls eee_get_cur and it did not zero the input + field. Later on it then compares agsinst the field, which can contain partial + stack garbage. + + Zero the input field in eee_set_cur() too. + + Cc: jeffrey.t.kirsher@intel.com + Cc: netdev@vger.kernel.org + Signed-off-by: Andi Kleen + Acked-by: Jeff Kirsher + Signed-off-by: David S. Miller + + drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 651730a8caabce37f78d8e6c84283b96e434d19f +Author: Dan Carpenter +Date: Thu Oct 3 00:27:20 2013 +0300 + + Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8 + + net: heap overflow in __audit_sockaddr() + + We need to cap ->msg_namelen or it leads to a buffer overflow when we + to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to + exploit this bug. + + The call tree is: + ___sys_recvmsg() + move_addr_to_user() + audit_sockaddr() + __audit_sockaddr() + + Reported-by: Jüri Aedla + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + Conflicts: + + net/compat.c + + net/compat.c | 2 ++ + net/socket.c | 24 ++++++++++++++++++++---- + 2 files changed, 22 insertions(+), 4 deletions(-) + +commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc +Author: Salva Peiró +Date: Wed Oct 16 12:46:50 2013 +0200 + + Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 + + wanxl: fix info leak in ioctl + + The wanxl_ioctl() code fails to initialize the two padding bytes of + struct sync_serial_settings after the ->loopback member. Add an explicit + memset(0) before filling the structure to avoid the info leak. + + Signed-off-by: Salva Peiró + Signed-off-by: David S. Miller + + drivers/net/wan/wanxl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f +Author: Geyslan G. Bem +Date: Fri Oct 11 16:49:16 2013 -0300 + + Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4 + + ecryptfs: Fix memory leakage in keystore.c + + In 'decrypt_pki_encrypted_session_key' function: + + Initializes 'payload' pointer and releases it on exit. + + Signed-off-by: Geyslan G. Bem + Signed-off-by: Tyler Hicks + Cc: stable@vger.kernel.org # v2.6.28+ + + fs/ecryptfs/keystore.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 0ccb7b191245318a36bbd1f59a1846dda72cb738 +Author: Colin Ian King +Date: Thu Oct 24 14:08:07 2013 +0000 + + Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e + + eCryptfs: fix 32 bit corruption issue + + Shifting page->index on 32 bit systems was overflowing, causing + data corruption of > 4GB files. Fix this by casting it first. + + https://launchpad.net/bugs/1243636 + + Signed-off-by: Colin Ian King + Reported-by: Lars Duesing + Cc: stable@vger.kernel.org # v3.11+ + Signed-off-by: Tyler Hicks + + fs/ecryptfs/crypto.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4 +Author: Brad Spengler +Date: Sun Oct 27 13:29:49 2013 -0400 + + This is a replacement patch only for stable which does fix the problems + handled by the following two commits in -net: + + "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) + "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) + + Three frames are written on a corked udp socket for which the output + netdevice has UFO enabled. If the first and third frame are smaller than + the mtu and the second one is bigger, we enqueue the second frame with + skb_append_datato_frags without initializing the gso fields. This leads + to the third frame appended regulary and thus constructing an invalid skb. + + This fixes the problem by always using skb_append_datato_frags as soon + as the first frag got enqueued to the skb without marking the packet + as SKB_GSO_UDP. + + The problem with only two frames for ipv6 was fixed by "ipv6: udp + packets following an UFO enqueued packet need also be handled by UFO" + (2811ebac2521ceac84f2bdae402455baa6a7fb47). + + Cc: Jiri Pirko + Cc: Eric Dumazet + Cc: David Miller + Signed-off-by: Hannes Frederic Sowa + + include/linux/skbuff.h | 5 +++++ + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 3 files changed, 7 insertions(+), 2 deletions(-) + +commit aead8ff29424c6a5d25eb4614be91a01f9f6af00 +Merge: 5cf8361 ddadc82 +Author: Brad Spengler +Date: Sat Oct 26 08:42:26 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec +Author: Brad Spengler +Date: Sat Oct 26 08:41:24 2013 -0400 + + - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs and Natanael Copa (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e) + - updated config help for latent entropy to reflect recent changes + + arch/x86/include/asm/uaccess_64.h | 4 ++-- + security/Kconfig | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad +Author: Johannes Weiner +Date: Wed Oct 16 13:47:00 2013 -0700 + + Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc + + fs: buffer: move allocation failure loop into the allocator + + Buffer allocation has a very crude indefinite loop around waking the + flusher threads and performing global NOFS direct reclaim because it can + not handle allocation failures. + + The most immediate problem with this is that the allocation may fail due + to a memory cgroup limit, where flushers + direct reclaim might not make + any progress towards resolving the situation at all. Because unlike the + global case, a memory cgroup may not have any cache at all, only + anonymous pages but no swap. This situation will lead to a reclaim + livelock with insane IO from waking the flushers and thrashing unrelated + filesystem cache in a tight loop. + + Use __GFP_NOFAIL allocations for buffers for now. This makes sure that + any looping happens in the page allocator, which knows how to + orchestrate kswapd, direct reclaim, and the flushers sensibly. It also + allows memory cgroups to detect allocations that can't handle failure + and will allow them to ultimately bypass the limit if reclaim can not + make progress. + + Reported-by: azurIt + Signed-off-by: Johannes Weiner + Cc: Michal Hocko + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/buffer.c | 14 ++++++++++++-- + mm/memcontrol.c | 2 ++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +commit 799326c8683d8d70b2035b1e5ab913c159112b6b +Author: Miklos Szeredi +Date: Thu Oct 10 16:48:19 2013 +0200 + + Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 + + ext[34]: fix double put in tmpfile + + d_tmpfile() already swallowed the inode ref. + + Signed-off-by: Miklos Szeredi + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/ext3/namei.c | 5 ++--- + fs/ext4/namei.c | 5 ++--- + 2 files changed, 4 insertions(+), 6 deletions(-) + +commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3 +Author: Jan Klos +Date: Sun Oct 6 21:08:20 2013 +0200 + + Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20 + + cifs: Fix inability to write files >2GB to SMB2/3 shares + + When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super(). + + The patch fixes this by checking for the correct bit according to the protocol version. + + CC: Stable + Signed-off-by: Jan Klos + Reviewed-by: Jeff Layton + Signed-off-by: Steve French + + fs/cifs/cifsfs.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22 +Author: Tim Gardner +Date: Sun Oct 13 13:29:03 2013 -0600 + + Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a + + cifs: ntstatus_to_dos_map[] is not terminated + + Functions that walk the ntstatus_to_dos_map[] array could + run off the end. For example, ntstatus_to_dos() loops + while ntstatus_to_dos_map[].ntstatus is not 0. Granted, + this is mostly theoretical, but could be used as a DOS attack + if the error code in the SMB header is bogus. + + [Might consider adding to stable, as this patch is low risk - Steve] + + Reviewed-by: Jeff Layton + Signed-off-by: Tim Gardner + Signed-off-by: Steve French + + fs/cifs/netmisc.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit ed8c09a96fa260e1864c632e1dd91b1320876305 +Author: Eric Dumazet +Date: Tue Oct 15 11:54:30 2013 -0700 + + Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9 + + tcp: must unclone packets before mangling them + + TCP stack should make sure it owns skbs before mangling them. + + We had various crashes using bnx2x, and it turned out gso_size + was cleared right before bnx2x driver was populating TC descriptor + of the _previous_ packet send. TCP stack can sometime retransmit + packets that are still in Qdisc. + + Of course we could make bnx2x driver more robust (using + ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. + + We have identified two points where skb_unclone() was needed. + + This patch adds a WARN_ON_ONCE() to warn us if we missed another + fix of this kind. + + Kudos to Neal for finding the root cause of this bug. Its visible + using small MSS. + + Signed-off-by: Eric Dumazet + Signed-off-by: Neal Cardwell + Cc: Yuchung Cheng + Signed-off-by: David S. Miller + + net/ipv4/tcp_output.c | 9 ++++++--- + 1 files changed, 6 insertions(+), 3 deletions(-) + +commit e5dcf1772ca2a85952da10a21d0650507dc061d3 +Author: Dan Carpenter +Date: Mon Oct 14 15:28:38 2013 +0300 + + Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5 + + yam: integer underflow in yam_ioctl() + + We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be + negative. I don't know the impact of using a negative bitrate but let's + prevent it. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + include/linux/yam.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1f5d72d633f317248bba25158c326a61394aebf2 +Merge: 7ca4328 4df1b96 +Author: Brad Spengler +Date: Fri Oct 18 19:36:17 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + ipc/shm.c + +commit 4df1b965687831808af2548487e0f35a2ccc5c29 +Merge: e41125e 5070441 +Author: Brad Spengler +Date: Fri Oct 18 19:35:31 2013 -0400 + + Merge branch 'linux-3.11.y' into pax-test + + Conflicts: + arch/x86/kernel/setup.c + +commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525 +Author: Brad Spengler +Date: Wed Oct 16 18:35:00 2013 -0400 + + From: Mathias Krause + To: Evgeniy Polyakov + Cc: Mathias Krause , netdev@vger.kernel.org + Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length + + The current code tests the length of the whole netlink message to be + at least as long to fit a cn_msg. This is wrong as nlmsg_len includes + the length of the netlink message header. Use nlmsg_len() instead to + fix this "off-by-NLMSG_HDRLEN" size check. + + Cc: stable@vger.kernel.org # v2.6.14+ + Signed-off-by: Mathias Krause + + drivers/connector/connector.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489 +Author: Brad Spengler +Date: Wed Oct 16 18:36:25 2013 -0400 + + From: Mathias Krause + To: linux-audit@redhat.com + Cc: Mathias Krause , Al Viro , Eric Paris + Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests + + We leak 4 bytes of kernel stack in response to an AUDIT_GET request as + we miss to initialize the mask member of status_set. Fix that. + + Cc: Al Viro + Cc: Eric Paris + Cc: stable@vger.kernel.org # v2.6.6+ + Signed-off-by: Mathias Krause + + kernel/audit.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 9557a8727fd46e68f092dec0830a982e85b231f7 +Author: Brad Spengler +Date: Wed Oct 16 19:02:32 2013 -0400 + + add 2nd chunk of audit nlmsg_len() fix from minipli + + kernel/audit.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd +Author: Brad Spengler +Date: Wed Oct 16 18:37:59 2013 -0400 + + From: Mathias Krause + To: linux-audit@redhat.com + Cc: Mathias Krause , Al Viro , Eric Paris + Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length + + Using the nlmsg_len member of the netlink header to test if the message + is valid is wrong as it includes the size of the netlink header itself. + Thereby allowing to send short netlink messages that pass those checks. + + Use nlmsg_len() instead to test for the right message length. The result + of nlmsg_len() is guaranteed to be non-negative as the netlink message + already passed the checks of nlmsg_ok(). + + Also switch to min_t() to please checkpatch.pl. + + Cc: Al Viro + Cc: Eric Paris + Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd + + kernel/audit.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 7547b29750381c776dfd47f4b1277a492d5b0f72 +Author: Brad Spengler +Date: Wed Oct 16 18:41:01 2013 -0400 + + From: Mathias Krause + To: netfilter-devel@vger.kernel.org + Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik + , Bart De Schuymer + Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks + + The ulog messages leak heap bytes by the means of padding bytes and + incompletely filled string arrays. Fix those by memset(0)'ing the + whole struct before filling it. + + Cc: Bart De Schuymer + Signed-off-by: Mathias Krause + + Conflicts: + + net/bridge/netfilter/ebt_ulog.c + + net/bridge/netfilter/ebt_ulog.c | 9 +++------ + 1 files changed, 3 insertions(+), 6 deletions(-) + +commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528 +Author: Brad Spengler +Date: Wed Oct 16 18:43:01 2013 -0400 + + From: Mathias Krause + To: netfilter-devel@vger.kernel.org + Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik + + Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks + + The ulog messages leak heap bytes by the means of padding bytes and + incompletely filled string arrays. Fix those by memset(0)'ing the + whole struct before filling it. + + Cc: Pablo Neira Ayuso + Cc: Patrick McHardy + Cc: Jozsef Kadlecsik + Signed-off-by: Mathias Krause + + Conflicts: + + net/ipv4/netfilter/ipt_ULOG.c + + net/ipv4/netfilter/ipt_ULOG.c | 7 +------ + 1 files changed, 1 insertions(+), 6 deletions(-) + +commit 2965f6e6122325a18e69296ad3817c66ca59b7e3 +Author: Brad Spengler +Date: Wed Oct 16 18:49:45 2013 -0400 + + From: Mathias Krause + To: "David S. Miller" + Cc: Mathias Krause , netdev@vger.kernel.org + Subject: [PATCH net] unix_diag: fix info leak + + When filling the netlink message we miss to wipe the pad field, + therefore leak one byte of heap memory to userland. Fix this by + setting pad to 0. + + Signed-off-by: Mathias Krause + + net/unix/diag.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc +Author: Mathias Krause +Date: Mon Sep 30 22:03:06 2013 +0200 + + Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682 + + proc connector: fix info leaks + + Initialize event_data for all possible message types to prevent leaking + kernel stack contents to userland (up to 20 bytes). Also set the flags + member of the connector message to 0 to prevent leaking two more stack + bytes this way. + + Cc: stable@vger.kernel.org # v2.6.15+ + Signed-off-by: Mathias Krause + Signed-off-by: David S. Miller + + drivers/connector/cn_proc.c | 18 ++++++++++++++++++ + 1 files changed, 18 insertions(+), 0 deletions(-) + +commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04 +Author: AKASHI Takahiro +Date: Wed Oct 9 15:58:29 2013 +0100 + + Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a + + ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() + + In ftrace_syscall_enter(), + syscall_get_arguments(..., 0, n, ...) + if (i == 0) { ...; n--;} + memcpy(..., n * sizeof(args[0])); + If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in + syscall_get_arguments(), none of arguments should be copied by memcpy(). + Otherwise 'n--' can be a big positive number and unexpected amount of data + will be copied. Tracing system calls which take no argument, say sync(void), + may hit this case and eventually make the system corrupted. + This patch fixes the issue both in syscall_get_arguments() and + syscall_set_arguments(). + + Cc: + Acked-by: Will Deacon + Signed-off-by: AKASHI Takahiro + Signed-off-by: Will Deacon + Signed-off-by: Russell King + + arch/arm/include/asm/syscall.h | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2 +Author: Dave Jones +Date: Thu Oct 10 20:05:35 2013 -0400 + + Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc + + ext4: fix memory leak in xattr + + If we take the 2nd retry path in ext4_expand_extra_isize_ea, we + potentionally return from the function without having freed these + allocations. If we don't do the return, we over-write the previous + allocation pointers, so we leak either way. + + Spotted with Coverity. + + [ Fixed by tytso to set is and bs to NULL after freeing these + pointers, in case in the retry loop we later end up triggering an + error causing a jump to cleanup, at which point we could have a double + free bug. -- Ted ] + + Signed-off-by: Dave Jones + Signed-off-by: "Theodore Ts'o" + Reviewed-by: Eric Sandeen + Cc: stable@vger.kernel.org + + fs/ext4/xattr.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 224e55268fbd4f81fca479e315c9483df591411d +Author: Salva Peiró +Date: Fri Oct 11 12:50:03 2013 +0300 + + Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194 + + farsync: fix info leak in ioctl + + The fst_get_iface() code fails to initialize the two padding bytes of + struct sync_serial_settings after the ->loopback member. Add an explicit + memset(0) before filling the structure to avoid the info leak. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/net/wan/farsync.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9 +Author: James Hogan +Date: Mon Oct 7 12:14:26 2013 +0100 + + Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92 + + MIPS: stack protector: Fix per-task canary switch + + Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary + per task) was merged in v3.11 and introduced assembly in the MIPS resume + functions to update the value of the current canary in + __stack_chk_guard. However it used PTR_L resulting in a load of the + canary value, instead of PTR_LA to construct its address. The value is + intended to be random but is then treated as an address in the + subsequent LONG_S (store). + + This was observed to cause a fault and panic: + + CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4 + Oops[#1]: + ... + $24 : 139fea20 1e1f7cb6 + ... + Call Trace: + [<8000cc0c>] resume+0xac/0x118 + [<8034f2a4>] __schedule+0x5f8/0x78c + [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c + [<80348eec>] rest_init+0x74/0x84 + [<804dc990>] start_kernel+0x43c/0x454 + Code: 3c18804b 8f184030 8cb901f8 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc + + This can also be forced by modifying + arch/mips/include/asm/stackprotector.h so that the default + __stack_chk_guard value is more likely to be a bad (or unaligned) + pointer. + + Fix it to use PTR_LA instead, to load the address of the canary value, + which the LONG_S can then use to write into it. + + Reported-by: bobjones (via #mipslinux on IRC) + Signed-off-by: James Hogan + Cc: Ralf Baechle + Cc: Gregory Fong + Cc: linux-mips@linux-mips.org + Cc: stable@vger.kernel.org + Patchwork: https://patchwork.linux-mips.org/patch/6026/ + Signed-off-by: Ralf Baechle + + arch/mips/kernel/octeon_switch.S | 2 +- + arch/mips/kernel/r2300_switch.S | 2 +- + arch/mips/kernel/r4k_switch.S | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c +Author: Fan Du +Date: Tue Sep 17 15:14:13 2013 +0800 + + Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda + + xfrm: Guard IPsec anti replay window against replay bitmap + + For legacy IPsec anti replay mechanism: + + bitmap in struct xfrm_replay_state could only provide a 32 bits + window size limit in current design, thus user level parameter + sadb_sa_replay should honor this limit, otherwise misleading + outputs("replay=244") by setkey -D will be: + + 192.168.25.2 192.168.22.2 + esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000) + E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2 + A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331 + seq=0x00000000 replay=244 flags=0x00000000 state=mature + created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 + diff: 22(s) hard: 30(s) soft: 26(s) + last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) + current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) + allocated: 22 hard: 0 soft: 0 + sadb_seq=1 pid=4854 refcnt=0 + 192.168.22.2 192.168.25.2 + esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000) + E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282 + A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88 + seq=0x00000000 replay=244 flags=0x00000000 state=mature + created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 + diff: 22(s) hard: 30(s) soft: 26(s) + last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) + current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) + allocated: 22 hard: 0 soft: 0 + sadb_seq=0 pid=4854 refcnt=0 + + And also, optimizing xfrm_replay_check window checking by setting the + desirable x->props.replay_window with only doing the comparison once + for all when xfrm_state is first born. + + Signed-off-by: Fan Du + Signed-off-by: Steffen Klassert + + net/key/af_key.c | 3 ++- + net/xfrm/xfrm_replay.c | 3 +-- + net/xfrm/xfrm_user.c | 3 ++- + 3 files changed, 5 insertions(+), 4 deletions(-) + +commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541 +Author: Thomas Egerer +Date: Thu Sep 19 13:19:19 2013 +0200 + + Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c + + xfrm: Fix aevent generation for each received packet + + If asynchronous events are enabled for a particular netlink socket, + the notify function is called by the advance function. The notify + function creates and dispatches a km_event if a replay timeout occurred, + or at least replay_maxdiff packets have been received since the last + asynchronous event has been sent. The function is supposed to return if + neither of the two events were detected for a state, or replay_maxdiff + is equal to zero. + Replay_maxdiff is initialized in xfrm_state_construct to the value of + the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state + if the netlink attribute XFRMA_REPLAY_THRESH is set. + If, however, replay_maxdiff is set to zero, then all of the three notify + implementations perform a break from the switch statement instead of + checking whether a timeout occurred, and -- if not -- return. As a + result an asynchronous event is generated for every replay update of a + state that has a zero replay_maxdiff value. + This patch modifies the notify functions such that they immediately + return if replay_maxdiff has the value zero, unless a timeout occurred. + + Signed-off-by: Thomas Egerer + Signed-off-by: Steffen Klassert + + net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++---------------------- + 1 files changed, 27 insertions(+), 24 deletions(-) + +commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8 +Author: Steffen Klassert +Date: Tue Oct 8 10:49:45 2013 +0200 + + Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee + + xfrm: Add refcount handling to queued policies + + We need to ensure that policies can't go away as long as the hold timer + is armed, so take a refcont when we arm the timer and drop one if we + delete it. + + Bug was introduced with git commit a0073fe18 ("xfrm: Add a state + resolution packet queue") + + Signed-off-by: Steffen Klassert + + net/xfrm/xfrm_policy.c | 24 +++++++++++++++++------- + 1 files changed, 17 insertions(+), 7 deletions(-) + +commit b4948dc963442682534b3a039664b564c764e4f8 +Author: Steffen Klassert +Date: Tue Oct 8 10:49:51 2013 +0200 + + Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0 + + xfrm: check for a vaild skb in xfrm_policy_queue_process + + We might dreference a NULL pointer if the hold_queue is empty, + so add a check to avoid this. + + Bug was introduced with git commit a0073fe18 ("xfrm: Add a state + resolution packet queue") + + Signed-off-by: Steffen Klassert + + net/xfrm/xfrm_policy.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit fad7f264b264b0b17a307aa16162cb43c7688a30 +Author: Marc Kleine-Budde +Date: Mon Oct 7 23:19:58 2013 +0200 + + Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89 + + net: vlan: fix nlmsg size calculation in vlan_get_size() + + This patch fixes the calculation of the nlmsg size, by adding the missing + nla_total_size(). + + Cc: Patrick McHardy + Signed-off-by: Marc Kleine-Budde + Signed-off-by: David S. Miller + + net/8021q/vlan_netlink.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd +Author: François Cachereul +Date: Wed Oct 2 10:16:02 2013 +0200 + + Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c + + l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses + + IPv4 mapped addresses cause kernel panic. + The patch juste check whether the IPv6 address is an IPv4 mapped + address. If so, use IPv4 API instead of IPv6. + + [ 940.026915] general protection fault: 0000 [#1] + [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse + [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 + [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 + [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 + [ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326 + [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 + [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 + [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 + [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 + [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 + [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 + [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 + [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 + [ 940.026915] Stack: + [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 + [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 + [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 + [ 940.026915] Call Trace: + [ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4 + [ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] + [ 940.026915] [] ? pskb_expand_head+0x161/0x214 + [ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] + [ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic] + [ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic] + [ 940.026915] [] ? vfs_write+0xa2/0x106 + [ 940.026915] [] ? SyS_write+0x56/0x8a + [ 940.026915] [] ? system_call_fastpath+0x16/0x1b + [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 + 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 + 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 + [ 940.026915] RIP [] ip6_xmit+0x276/0x326 + [ 940.026915] RSP + [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- + [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt + + Signed-off-by: François CACHEREUL + Signed-off-by: David S. Miller + + net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++---- + net/l2tp/l2tp_core.h | 3 +++ + 2 files changed, 26 insertions(+), 4 deletions(-) + +commit 2db6fe58460d400bc8b995fa2328be03e27e55e1 +Merge: 28f9622 e41125e +Author: Brad Spengler +Date: Tue Oct 15 10:00:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/kernel/ds.c + net/sysctl_net.c + +commit e41125e4742f332cd8cd8cf0c00cb189dba0e037 +Merge: 740e5ec a145cb9 +Author: Brad Spengler +Date: Tue Oct 15 09:58:29 2013 -0400 + + Merge branch 'linux-3.11.y' into pax-test + +commit 28f9622091224541efadf3ae006f0e5651c7fa45 +Author: Brad Spengler +Date: Tue Oct 1 22:48:34 2013 -0400 + + Fix this strlcpy crap properly + + arch/sparc/kernel/ds.c | 7 +++---- + 1 files changed, 3 insertions(+), 4 deletions(-) + +commit 837193210e4125fe4e9e554b28d7bc33985f3554 +Author: David S. Miller +Date: Fri Sep 27 13:46:04 2013 -0700 + + Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355 + + sparc64: Fix buggy strlcpy() conversion in ldom_reboot(). + + Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using + strlcpy() instead of strcpy()") added a bug to ldom_reboot in + arch/sparc/kernel/ds.c + + - strcpy(full_boot_str + strlen("boot "), boot_command); + + strlcpy(full_boot_str + strlen("boot "), boot_command, + + sizeof(full_boot_str + strlen("boot "))); + + That last sizeof() expression evaluates to sizeof(size_t) which is + not what was intended. + + Also even the corrected: + + sizeof(full_boot_str) + strlen("boot ") + + is not right as the destination buffer length is just plain + "sizeof(full_boot_str)" and that's what the final argument + should be. + + Signed-off-by: David S. Miller + + arch/sparc/kernel/ds.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249 +Author: Hannes Frederic Sowa +Date: Sun Sep 29 05:40:50 2013 +0200 + + Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae + + ipv6: gre: correct calculation of max_headroom + + gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header, + so initialize max_headroom to zero. Otherwise the + + if (encap_limit >= 0) { + max_headroom += 8; + mtu -= 8; + } + + increments an uninitialized variable before max_headroom was reset. + + Found with coverity: 728539 + + Cc: Dmitry Kozlov + Signed-off-by: Hannes Frederic Sowa + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + Conflicts: + + net/ipv6/ip6_gre.c + + net/ipv6/ip6_gre.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 0d68ac550952d0eaf60851497ceee68dbba24516 +Merge: 64257ad 740e5ec +Author: Brad Spengler +Date: Tue Oct 1 18:11:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/hid/hid-core.c + drivers/hid/hid-lg2ff.c + drivers/hid/hid-lg3ff.c + drivers/hid/hid-lg4ff.c + drivers/hid/hid-lgff.c + drivers/hid/hid-logitech-dj.c + drivers/hid/hid-steelseries.c + drivers/hid/hid-zpff.c + include/linux/hid.h + +commit 740e5ec087969afd43ae0b552b4e05914437ed32 +Merge: c38c6b0 db20388 +Author: Brad Spengler +Date: Tue Oct 1 17:40:46 2013 -0400 + + Merge branch 'linux-3.11.y' into pax-test + +commit 64257ad95c51285d415f93ebdd486fae6bb9415d +Author: Hannes Frederic Sowa +Date: Sat Sep 21 06:27:00 2013 +0200 + + Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47 + + ipv6: udp packets following an UFO enqueued packet need also be handled by UFO + + In the following scenario the socket is corked: + If the first UDP packet is larger then the mtu we try to append it to the + write queue via ip6_ufo_append_data. A following packet, which is smaller + than the mtu would be appended to the already queued up gso-skb via + plain ip6_append_data. This causes random memory corruptions. + + In ip6_ufo_append_data we also have to be careful to not queue up the + same skb multiple times. So setup the gso frame only when no first skb + is available. + + This also fixes a shortcoming where we add the current packet's length to + cork->length but return early because of a packet > mtu with dontfrag set + (instead of sutracting it again). + + Found with trinity. + + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Reported-by: Dmitry Vyukov + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 53 ++++++++++++++++++++---------------------------- + 1 files changed, 22 insertions(+), 31 deletions(-) + +commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6 +Author: Dan Carpenter +Date: Tue Sep 24 15:27:45 2013 -0700 + + Just a whitespace fix to sync with upstream as we already applied this fix + via Vasiliy Kulikov in 2010. It fell through the cracks upstream + + cciss: fix info leak in cciss_ioctl32_passthru() + + The arg64 struct has a hole after ->buf_size which isn't cleared. Or if + any of the calls to copy_from_user() fail then that would cause an + information leak as well. + + This was assigned CVE-2013-2147. + + Signed-off-by: Dan Carpenter + Acked-by: Mike Miller + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + Conflicts: + + drivers/block/cciss.c + + drivers/block/cciss.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e +Author: Paul E. McKenney +Date: Tue Sep 24 18:29:11 2013 -0700 + + Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b + + mm: Place preemption point in do_mlockall() loop + + There is a loop in do_mlockall() that lacks a preemption point, which + means that the following can happen on non-preemptible builds of the + kernel. Dave Jones reports: + + "My fuzz tester keeps hitting this. Every instance shows the non-irq + stack came in from mlockall. I'm only seeing this on one box, but + that has more ram (8gb) than my other machines, which might explain + it. + + INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0) + sending NMI to all CPUs: + NMI backtrace for cpu 3 + CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32 + Call Trace: + lru_add_drain_all+0x15/0x20 + SyS_mlockall+0xa5/0x1a0 + tracesys+0xdd/0xe2" + + This commit addresses this problem by inserting the required preemption + point. + + Reported-by: Dave Jones + Signed-off-by: Paul E. McKenney + Cc: KOSAKI Motohiro + Cc: Michel Lespinasse + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mlock.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9 +Author: Brad Spengler +Date: Fri Sep 27 21:06:17 2013 -0400 + + Don't log attempts to create a socket with a family that the kernel doesn't + support + Further, if the kernel doesn't support the socket family, instead of returning + -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 + sockets in RBAC policy despite a kernel that doesn't support ipv6 + observed during a Debian userland update necessitating a policy change + + grsecurity/gracl_ip.c | 7 +++---- + net/socket.c | 26 +++++++++++++++----------- + 2 files changed, 18 insertions(+), 15 deletions(-) + +commit 55f1e409275973513a3314fe5bfa76a4781c0db7 +Merge: 2eac654 c38c6b0 +Author: Brad Spengler +Date: Fri Sep 27 20:35:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/hid/hid-picolcd_core.c + +commit c38c6b0bbbe53bd528aeeb4a059764abc028c276 +Merge: 115bf6a a3308b5 +Author: Brad Spengler +Date: Fri Sep 27 20:34:15 2013 -0400 + + Merge branch 'linux-3.11.y' into pax-test + + Conflicts: + arch/x86/ia32/ia32_signal.c + arch/x86/include/asm/checksum_32.h + arch/x86/include/asm/mmu_context.h + arch/x86/kernel/signal.c + arch/x86/lib/csum-wrappers_64.c + include/linux/compat.h + +commit 2eac65435fdffca548a56e5187840908438fc95c +Merge: ba0ebde 115bf6a +Author: Brad Spengler +Date: Thu Sep 26 20:00:00 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 115bf6af0083ea28c751d551a39cfdba1798e9dc +Author: Brad Spengler +Date: Thu Sep 26 19:59:14 2013 -0400 + + Update to pax-linux-3.11.1-test10.patch: + - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine + - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard + - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040) + - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released) + - beefed up latent entropy extraction + - latent_entropy itself will be initialized to a compile-time random value (instead of 0) + - entropy will be collected from various irq and softirq handlers + + arch/arm/kernel/module.c | 2 ++ + arch/arm/kernel/vmlinux.lds.S | 2 +- + block/blk-iopoll.c | 2 +- + block/blk-softirq.c | 2 +- + fs/binfmt_elf.c | 8 +++++--- + include/linux/genhd.h | 2 +- + include/linux/random.h | 4 ++-- + kernel/hrtimer.c | 2 +- + kernel/rcutiny.c | 2 +- + kernel/rcutree.c | 2 +- + kernel/sched/fair.c | 2 +- + kernel/softirq.c | 4 ++-- + kernel/timer.c | 2 +- + lib/percpu-refcount.c | 2 +- + net/core/dev.c | 4 ++-- + tools/gcc/latent_entropy_plugin.c | 2 +- + 16 files changed, 24 insertions(+), 20 deletions(-) + +commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6 +Author: Brad Spengler +Date: Sun Sep 22 18:14:07 2013 -0400 + + Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" + + This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. + + net/netlink/genetlink.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35 +Merge: f1e4228 90db383 +Author: Brad Spengler +Date: Wed Sep 18 17:34:37 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 90db383fd7d650172d52229b0116ad7604c9bec1 +Author: Brad Spengler +Date: Wed Sep 18 17:32:42 2013 -0400 + + Update to pax-linux-3.11.1-test9.patch: + - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer + - better implementation of __read_only for modules + - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard + + arch/arm/kernel/entry-common.S | 12 ++++++------ + arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++-- + arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++- + arch/x86/include/asm/cache.h | 4 ---- + drivers/bus/arm-cci.c | 2 +- + drivers/clk/socfpga/clk.c | 2 +- + drivers/mmc/host/mmci.c | 4 +++- + drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +- + include/linux/cache.h | 4 ++++ + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + scripts/module-common.lds | 4 ++++ + 12 files changed, 49 insertions(+), 19 deletions(-) + +commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810 +Author: Brad Spengler +Date: Wed Sep 18 17:32:25 2013 -0400 + + Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error" + + This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f. + + net/sctp/protocol.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f1e42285e17479067b6cbcffc43916720e6dedd3 +Merge: 456ca17 5e30989 +Author: Brad Spengler +Date: Mon Sep 16 21:42:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5e30989102e2d0df166ab6ff915b90f675f8786f +Author: Brad Spengler +Date: Mon Sep 16 21:41:44 2013 -0400 + + mark sctp_af_inet forward declaration as __read_only to fix compile error + + net/sctp/protocol.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 456ca176141f10355c1569b29225c9ce4b7db18e +Merge: b406eac 5df8f36 +Author: Brad Spengler +Date: Mon Sep 16 20:02:05 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6 +Author: Brad Spengler +Date: Mon Sep 16 20:01:38 2013 -0400 + + Update to pax-linux-3.11.1-test7.patch: + - fixed arm compile error, reported by Arnaud Ebalard + - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743) + - fixed od_ops constification, fixes cpufreq ondemand on AMD + - latent entropy will now be gathered from module init code as well (i.e., at module load/init time) + - __read_only will now be enforced in modules as well + - removed unneccessary __read_only from ntfs + + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/x86/include/asm/cache.h | 4 ++++ + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_ondemand.c | 2 +- + fs/ntfs/file.c | 4 ++-- + include/linux/init.h | 5 ----- + include/net/xfrm.h | 5 ++++- + init/main.c | 9 +++------ + mm/page_alloc.c | 1 + + net/ipv4/xfrm4_policy.c | 4 ++-- + net/ipv6/xfrm6_policy.c | 4 ++-- + net/xfrm/xfrm_policy.c | 11 ++--------- + 12 files changed, 23 insertions(+), 30 deletions(-) + +commit b406eac579bb3a5faa1c9d73b8af5530f942009a +Author: Brad Spengler +Date: Mon Sep 16 12:53:22 2013 -0400 + + Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce + + author Steffen Klassert 2013-09-09 07:39:01 (GMT) + committer Steffen Klassert 2013-09-16 07:39:37 (GMT) + + xfrm: Fix replay size checking on async events + We pass the wrong netlink attribute to xfrm_replay_verify_len(). + It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as + we currently doing. This causes memory corruptions if the + replay esn attribute has incorrect length. Fix this by passing + the right attribute to xfrm_replay_verify_len(). + + Reported-by: Michael Rossberg + Signed-off-by: Steffen Klassert + + net/xfrm/xfrm_user.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9 +Merge: 84843a3 0a0ced6 +Author: Brad Spengler +Date: Sun Sep 15 11:24:30 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/net/wireless/ath/ath10k/core.c + drivers/net/wireless/ath/ath10k/htc.c + +commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d +Author: Brad Spengler +Date: Sun Sep 15 11:21:43 2013 -0400 + + Update to pax-linux-3.11.1-test6.patch: + - forward port to 3.11.1 + - fixed some CONSTIFY fallout, reported by spender + - fixed INVPCID on i386, reported by spender + - simplified/consolidated the recent security_ops change + + arch/x86/include/asm/mmu_context.h | 4 ++-- + arch/x86/include/asm/tlbflush.h | 6 +++--- + arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- + drivers/net/wireless/ath/ath10k/core.c | 6 +++--- + drivers/net/wireless/ath/ath10k/htc.c | 7 ++++--- + include/linux/security.h | 2 -- + security/security.c | 3 --- + security/selinux/hooks.c | 5 +++-- + 8 files changed, 16 insertions(+), 19 deletions(-) + +commit 84843a394cde0578be728cb5fd34da9859dcf110 +Author: Brad Spengler +Date: Sun Sep 15 09:19:21 2013 -0400 + + remove unnecessary check from when protocol was signed + + net/phonet/af_phonet.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit cc7c916cac4c2eb0ec243690627e2b6a13234fef +Author: Brad Spengler +Date: Sun Sep 15 08:53:27 2013 -0400 + + resync with PaX + + security/selinux/hooks.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit fdeadf7ba061242685e07a2504c6be99161f292c +Author: Brad Spengler +Date: Sat Sep 14 23:04:53 2013 -0400 + + Fix constification of ath10k_hif_cb struct located on stack + + drivers/net/wireless/ath/ath10k/hif.h | 1 + + drivers/net/wireless/ath/ath10k/htc.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletions(-) + +commit 73c6875760e610cb636f86566a1be7a744d89b82 +Author: Brad Spengler +Date: Sat Sep 14 22:41:06 2013 -0400 + + use a no_const typedef for ath10k_htc_ops, which is located on the stack + + drivers/net/wireless/ath/ath10k/core.c | 6 +++--- + drivers/net/wireless/ath/ath10k/htc.h | 1 + + 2 files changed, 4 insertions(+), 3 deletions(-) + +commit bffb0279b95b717c739365a5a25ca0391e7479b1 +Author: Brad Spengler +Date: Sat Sep 14 22:13:46 2013 -0400 + + fix compilation error under constify + + drivers/net/wireless/ath/ath10k/core.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 1044c726fd98de89a711c6655f811600d4051e46 +Merge: ffc8003 e39d12a +Author: Brad Spengler +Date: Sat Sep 14 21:57:25 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e39d12a3b877293ba677bf7642c8887144ae1576 +Author: Brad Spengler +Date: Sat Sep 14 21:56:56 2013 -0400 + + Update to pax-linux-3.11-test5.patch: + - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd) + - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin + + mm/mremap.c | 5 ++++- + tools/gcc/kernexec_plugin.c | 4 ++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b +Author: Brad Spengler +Date: Sat Sep 14 21:48:03 2013 -0400 + + fix compile error introduced by pipacs + + security/selinux/hooks.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 874e80f445b1325df45f04cc317f67587e241218 +Author: Brad Spengler +Date: Sat Sep 14 21:12:45 2013 -0400 + + Fix invalid dependency causing warning: + warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) + + lib/Kconfig.debug | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a +Author: Brad Spengler +Date: Sat Sep 14 19:53:56 2013 -0400 + + change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs + + arch/x86/include/asm/tlbflush.h | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838 +Author: Daniel Borkmann +Date: Sat Sep 7 16:44:59 2013 +0200 + + Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95 + + net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE + + If we do not add braces around ... + + mask |= POLLERR | + sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0; + + ... then this condition always evaluates to true as POLLERR is + defined as 8 and binary or'd with whatever result comes out of + sock_flag(). Hence instead of (X | Y) ? A : B, transform it into + X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix + smatch warnings inside datagram_poll") forgot about SCTP. :-( + + Introduced by 7d4c04fc170 ("net: add option to enable error queue + packets waking select"). + + Signed-off-by: Daniel Borkmann + Cc: Jacob Keller + Acked-by: Neil Horman + Acked-by: Vlad Yasevich + Acked-by: Jacob Keller + Signed-off-by: David S. Miller + + net/sctp/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986 +Author: Jason Wang +Date: Wed Sep 11 18:09:48 2013 +0800 + + Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0 + + tuntap: correctly handle error in tun_set_iff() + + Commit c8d68e6be1c3b242f1c598595830890b65cea64a + (tuntap: multiqueue support) only call free_netdev() on error in + tun_set_iff(). This causes several issues: + + - memory of tun security were leaked + - use after free since the flow gc timer was not deleted and the tfile + were not detached + + This patch solves the above issues. + + Reported-by: Wannes Rombouts + Cc: Michael S. Tsirkin + Signed-off-by: Jason Wang + Acked-by: Michael S. Tsirkin + Signed-off-by: David S. Miller + + drivers/net/tun.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit b504140d8590bd67ed481ea84824a9846dde2d74 +Author: Herbert Xu +Date: Sun Sep 8 14:33:50 2013 +1000 + + Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa + + crypto: api - Fix race condition in larval lookup + + crypto_larval_lookup should only return a larval if it created one. + Any larval created by another entity must be processed through + crypto_larval_wait before being returned. + + Otherwise this will lead to a larval being killed twice, which + will most likely lead to a crash. + + Cc: stable@vger.kernel.org + Reported-by: Kees Cook + Tested-by: Kees Cook + Signed-off-by: Herbert Xu + + crypto/api.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit f4212fa9ec1c34c59fabc43904e16112b776b6b2 +Author: Daniel Borkmann +Date: Wed Sep 11 16:58:36 2013 +0200 + + Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7 + + net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit + + Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not + being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport + does not seem to have the desired effect: + + SCTP + IPv4: + + 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) + 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 + 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) + 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): + + SCTP + IPv6: + + 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) + fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp + 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] + + Moreover, Alan says: + + This problem was seen with both Racoon and Racoon2. Other people have seen + this with OpenSwan. When IPsec is configured to encrypt all upper layer + protocols the SCTP connection does not initialize. After using Wireshark to + follow packets, this is because the SCTP packet leaves Box A unencrypted and + Box B believes all upper layer protocols are to be encrypted so it drops + this packet, causing the SCTP connection to fail to initialize. When IPsec + is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. + + In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" + string on the other end, results in cleartext on the wire where SCTP eventually + does not report any errors, thus in the latter case that Alan reports, the + non-paranoid user might think he's communicating over an encrypted transport on + SCTP although he's not (tcpdump ... -X): + + ... + 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... + 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... + + Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the + receiver side. Initial follow-up analysis from Alan's bug report was done by + Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. + + SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). + This has the implication that it probably never really got updated along with + changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. + + SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since + a call to inet6_csk_xmit() would solve this problem, but result in unecessary + route lookups, let us just use the cached flowi6 instead that we got through + sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), + we do the route lookup / flow caching in sctp_transport_route(), hold it in + tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in + sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect + of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() + instead to get the correct source routed dst entry, which we assign to the skb. + + Also source address routing example from 625034113 ("sctp: fix sctp to work with + ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 + it is actually 'recommended' to not use that anyway due to traffic amplification [1]. + So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if + we overwrite the flow destination here, the lower IPv6 layer will be unable to + put the correct destination address into IP header, as routing header is added in + ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, + result of this patch is that we do not have any XfrmInTmplMismatch increase plus on + the wire with this patch it now looks like: + + SCTP + IPv6: + + 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: + AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 + 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: + AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 + + This fixes Kernel Bugzilla 24412. This security issue seems to be present since + 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have + its fun with that. lksctp-tools IPv6 regression test suite passes as well with + this patch. + + [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf + + Reported-by: Alan Chester + Reported-by: Alexey Dobriyan + Signed-off-by: Daniel Borkmann + Cc: Steffen Klassert + Cc: Hannes Frederic Sowa + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/ipv6.c | 42 +++++++++++++----------------------------- + 1 files changed, 13 insertions(+), 29 deletions(-) + +commit 726915e42b1a23b88cd420029003d82208a30006 +Author: Kees Cook +Date: Fri Sep 13 14:52:04 2013 -0700 + + Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7 + + isdn: clean up debug format string usage + + Avoid unneeded local string buffers for constructing debug output. Also + cleans up debug calls that contain a single parameter so that they cannot + be accidentally parsed as format strings. + + Signed-off-by: Kees Cook + Cc: Karsten Keil + Cc: David Miller + Signed-off-by: Andrew Morton + Signed-off-by: David S. Miller + + drivers/isdn/hisax/amd7930_fn.c | 4 +- + drivers/isdn/hisax/avm_pci.c | 4 +- + drivers/isdn/hisax/config.c | 2 +- + drivers/isdn/hisax/diva.c | 4 +- + drivers/isdn/hisax/elsa.c | 2 +- + drivers/isdn/hisax/elsa_ser.c | 2 +- + drivers/isdn/hisax/hfc_pci.c | 2 +- + drivers/isdn/hisax/hfc_sx.c | 2 +- + drivers/isdn/hisax/hscx_irq.c | 4 +- + drivers/isdn/hisax/icc.c | 4 +- + drivers/isdn/hisax/ipacx.c | 8 +++--- + drivers/isdn/hisax/isac.c | 4 +- + drivers/isdn/hisax/isar.c | 6 ++-- + drivers/isdn/hisax/jade.c | 18 ++++---------- + drivers/isdn/hisax/jade_irq.c | 4 +- + drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++------------------------- + drivers/isdn/hisax/netjet.c | 2 +- + drivers/isdn/hisax/q931.c | 6 ++-- + drivers/isdn/hisax/w6692.c | 8 +++--- + 19 files changed, 57 insertions(+), 79 deletions(-) + +commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3 +Author: Brad Spengler +Date: Sat Sep 14 19:16:48 2013 -0400 + + Fix a bad git merge, re-applied a previously reverted patch + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 5dea4b212b0405d6bcbea57516d77b21035d1178 +Author: Brad Spengler +Date: Sat Sep 14 16:56:37 2013 -0400 + + finish porting namei.c + + fs/namei.c | 50 +++++++++++--------------------------------------- + 1 files changed, 11 insertions(+), 39 deletions(-) + +commit a7d5c5e2d0fd4831df19247e41c73c362809b00f +Author: Brad Spengler +Date: Sat Sep 14 16:44:08 2013 -0400 + + cred->user -> current_user() + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit be3db5fa6532557384fb66d2d9297d77666912cf +Author: Brad Spengler +Date: Sat Sep 14 16:36:24 2013 -0400 + + Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit ce9afc12137b65991bfc7cce70e28d86bbb76956 +Author: Daniel Borkmann +Date: Tue Sep 3 19:29:12 2013 +0200 + + Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df + + net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv + + In tcp_v6_do_rcv() code, when processing pkt options, we soley work + on our skb clone opt_skb that we've created earlier before entering + tcp_rcv_established() on our way. However, only in condition ... + + if (np->rxopt.bits.rxtclass) + np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); + + ... we work on skb itself. As we extract every other information out + of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can + already be released by tcp_rcv_established() earlier on. When we try + to access it in ipv6_hdr(), we will dereference freed skb. + + [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for + IP_PKTOPTIONS") ] + + Signed-off-by: Daniel Borkmann + Cc: Eric Dumazet + Acked-by: Eric Dumazet + Acked-by: Jiri Benc + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/ipv6/tcp_ipv6.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 84aa149aa0f178516f5784d028522d60d35696c9 +Author: Brad Spengler +Date: Thu Sep 5 19:36:23 2013 -0400 + + fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1145b56059535549be226da9891b56ab2d902b2f +Author: Brad Spengler +Date: Thu Sep 5 19:17:02 2013 -0400 + + Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) + + Signed-off-by: Brad Spengler + + grsecurity/grsec_sysctl.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3 +Author: Brad Spengler +Date: Thu Sep 5 18:41:49 2013 -0400 + + Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts + + Also eliminate reset_security_ops() as a ROP target when + SECURITY_SELINUX_DISABLE is disabled as it's the only user + + Signed-off-by: Brad Spengler + + grsecurity/Kconfig | 17 ++++++++++++++++- + grsecurity/grsec_init.c | 3 +++ + grsecurity/grsec_sysctl.c | 2 +- + 3 files changed, 20 insertions(+), 2 deletions(-) + +commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4 +Author: Brad Spengler +Date: Fri Aug 30 17:11:11 2013 -0400 + + fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast + + Signed-off-by: Brad Spengler + + grsecurity/grsec_sysctl.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit 74dc00678ec84a254617b500a2880974dac95220 +Author: Brad Spengler +Date: Wed Aug 28 20:42:39 2013 -0400 + + add export of gr_handle_new_usb() + + Signed-off-by: Brad Spengler + + grsecurity/grsec_usb.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f +Author: Brad Spengler +Date: Wed Aug 28 19:24:47 2013 -0400 + + Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it + + Signed-off-by: Brad Spengler + + drivers/usb/core/hub.c | 5 +++++ + grsecurity/Kconfig | 20 ++++++++++++++++++++ + grsecurity/Makefile | 3 ++- + grsecurity/grsec_init.c | 1 + + grsecurity/grsec_sysctl.c | 11 +++++++++++ + grsecurity/grsec_usb.c | 13 +++++++++++++ + include/linux/grinternal.h | 1 + + include/linux/grsecurity.h | 2 ++ + 8 files changed, 55 insertions(+), 1 deletions(-) + +commit 889852764d245f44e416da4eb203fda0bd327584 +Author: Kees Cook +Date: Wed Aug 14 09:35:07 2013 -0700 + + HID: zeroplus: validate output report details + + The zeroplus HID driver was not checking the size of allocated values + in fields it used. A HID device could send a malicious output report + that would cause the driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 + ... + [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2889 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-zpff.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit f30e932a87f25b53779d1f92b49923f8a2dc9834 +Author: Kees Cook +Date: Wed Aug 14 14:36:15 2013 -0700 + + HID: provide a helper for validating hid reports + + Many drivers need to validate the characteristics of their HID report + during initialization to avoid misusing the reports. This adds a common + helper to perform validation of the report, its field count, and the + value count within the fields. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 +++ + 2 files changed, 54 insertions(+), 0 deletions(-) + +commit f9eac59133855befee23d0c899e0d0e6ebcd3d44 +Author: Kees Cook +Date: Wed Aug 14 09:14:34 2013 -0700 + + HID: steelseries: validate output report details + + A HID device could send a malicious output report that would cause the + steelseries HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 + ... + [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + + CVE-2013-2891 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-steelseries.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 9f5ae466957014bc300929374ebb7afdd9d116d6 +Author: Kees Cook +Date: Wed Aug 14 08:49:21 2013 -0700 + + HID: pantherlord: validate output report details + + A HID device could send a malicious output report that would cause the + pantherlord HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 + ... + [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2892 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit b643b8f8af23488d92f16a817bf16c162d612ce1 +Author: Kees Cook +Date: Tue Aug 13 16:49:01 2013 -0700 + + HID: LG: validate HID output report details + + A HID device could send a malicious output report that would cause the + lg, lg3, and lg4 HID drivers to write beyond the output report allocation + during an event, causing a heap overflow: + + [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 + ... + [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten + + Additionally, while lg2 did correctly validate the report details, it was + cleaned up and shortened. + + CVE-2013-2893 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- + 4 files changed, 12 insertions(+), 73 deletions(-) + +commit 975723a41239b1befae172e88082ff4422753508 +Author: Kees Cook +Date: Thu Aug 15 23:21:23 2013 -0700 + + HID: lenovo-tpkbd: validate output report details + + A HID device could send a malicious output report that would cause the + lenovo-tpkbd HID driver to write just beyond the output report allocation + during initialization, causing a heap overflow: + + [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 + ... + [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2894 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd +Author: Kees Cook +Date: Thu Aug 15 23:45:03 2013 -0700 + + HID: logitech-dj: validate output report details + + A HID device could send a malicious output report that would cause the + logitech-dj HID driver to leak kernel memory contents to the device, or + trigger a NULL dereference during initialization: + + [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b + ... + [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 + [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 + + CVE-2013-2895 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit 05c3db7daee82d79c628c15b304f8621159e14f3 +Author: Kees Cook +Date: Fri Aug 16 00:18:15 2013 -0700 + + HID: ntrig: validate feature report details + + A HID device could send a malicious feature report that would cause the + ntrig HID driver to trigger a NULL dereference during initialization: + + [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 + ... + [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 + [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + + CVE-2013-2896 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-ntrig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit a79f25f59fdd0abaf4ecfab93017aa49de089498 +Author: Kees Cook +Date: Fri Aug 16 00:11:32 2013 -0700 + + HID: multitouch: validate feature report details + + When working on report indexes, always validate that they are in bounds. + Without this, a HID device could report a malicious feature report that + could trick the driver into a heap overflow: + + [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 + ... + [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2897 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 files changed, 20 insertions(+), 5 deletions(-) + +commit 6fe8eb06e432f165872d3486fdce0d09de1515b3 +Author: Kees Cook +Date: Fri Aug 16 08:12:45 2013 -0700 + + HID: sensor-hub: validate feature report details + + A HID device could send a malicious feature report that would cause the + sensor-hub HID driver to read past the end of heap allocation, leaking + kernel memory contents to the caller. + + CVE-2013-2898 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf +Author: Kees Cook +Date: Fri Aug 16 08:05:10 2013 -0700 + + HID: picolcd_core: validate output report details + + A HID device could send a malicious output report that would cause the + picolcd HID driver to trigger a NULL dereference during attr file writing. + + CVE-2013-2899 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-picolcd_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c147e32922dd91edf1969b8a6eb333aafb4abb79 +Author: Kees Cook +Date: Fri Aug 16 08:09:54 2013 -0700 + + HID: check for NULL field when setting values + + Defensively check that the field to be worked on is not NULL. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-core.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683 +Author: Kees Cook +Date: Wed Aug 28 18:09:18 2013 -0400 + + http://marc.info/?l=linux-input&m=137772180514608&q=raw + + The "Report ID" field of a HID report is used to build indexes of + reports. The kernel's index of these is limited to 256 entries, so any + malicious device that sets a Report ID greater than 255 will trigger + memory corruption on the host: + + [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 + [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + + CVE-2013-2888 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + Signed-off-by: Brad Spengler + + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c +Author: Brad Spengler +Date: Mon Aug 19 22:10:04 2013 -0400 + + fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs + + Signed-off-by: Brad Spengler + + arch/x86/kernel/smpboot.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac +Author: Brad Spengler +Date: Sat Aug 17 12:00:20 2013 -0400 + + make kallsyms_lookup_size_offset available to approved source files + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit abde07f6c047c0331f511318cb49a36d49218dfc +Author: Brad Spengler +Date: Sat Aug 17 11:18:09 2013 -0400 + + allow use of kallsyms_lookup_name to approved source files + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf +Author: Johannes Berg +Date: Tue Aug 13 09:04:05 2013 +0200 + + Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db + + genetlink: fix family dump race + + When dumping generic netlink families, only the first dump call + is locked with genl_lock(), which protects the list of families, + and thus subsequent calls can access the data without locking, + racing against family addition/removal. This can cause a crash. + Fix it - the locking needs to be conditional because the first + time around it's already locked. + + A similar bug was reported to me on an old kernel (3.4.47) but + the exact scenario that happened there is no longer possible, + on those kernels the first round wasn't locked either. Looking + at the current code I found the race described above, which had + also existed on the old kernel. + + Cc: stable@vger.kernel.org + Reported-by: Andrei Otcheretianski + Signed-off-by: Johannes Berg + Signed-off-by: David S. Miller + Signed-off-by: Brad Spengler + + net/netlink/genetlink.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782 +Author: Brad Spengler +Date: Sat Aug 17 08:58:34 2013 -0400 + + Fix two harmless compiler warnings + + Signed-off-by: Brad Spengler + + arch/arm/kernel/process.c | 4 ++-- + fs/exec.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit d502375416b17270008ebdf11f1c3be7837f7c50 +Author: Brad Spengler +Date: Fri Aug 16 22:46:01 2013 -0400 + + Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 + + Signed-off-by: Brad Spengler + + include/linux/kallsyms.h | 2 +- + kernel/kprobes.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletions(-) + +commit f6c363aba68cccff2815a488a7e9ed68990100d2 +Author: Brad Spengler +Date: Sat Aug 10 09:41:40 2013 -0400 + + propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages + + Signed-off-by: Brad Spengler + + arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347 +Author: Brad Spengler +Date: Mon Aug 5 17:58:42 2013 -0400 + + Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 + + Signed-off-by: Brad Spengler + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1 +Author: Brad Spengler +Date: Mon Aug 5 17:26:40 2013 -0400 + + Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. + + Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to + user namespaces! + + Signed-off-by: Brad Spengler + + kernel/fork.c | 17 ----------------- + kernel/user_namespace.c | 15 +++++++++++++++ + 2 files changed, 15 insertions(+), 17 deletions(-) + +commit 5c0737b045d057152a39154746d8c8e5d59185ed +Author: Brad Spengler +Date: Mon Aug 5 16:05:41 2013 -0400 + + silence a warning on older gcc + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8 +Author: Brad Spengler +Date: Sat Aug 3 08:31:08 2013 -0400 + + we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs + + Signed-off-by: Brad Spengler + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6 +Author: Brad Spengler +Date: Fri Aug 2 23:54:51 2013 -0400 + + add include + + Signed-off-by: Brad Spengler + + grsecurity/grsec_log.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5 +Author: Brad Spengler +Date: Fri Aug 2 23:49:13 2013 -0400 + + fix compilation + + Signed-off-by: Brad Spengler + + include/linux/grinternal.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit d4d49138661d5cb646f0dd012178447380b79956 +Author: Brad Spengler +Date: Fri Aug 2 23:34:35 2013 -0400 + + Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping + + Signed-off-by: Brad Spengler + + fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ + fs/exec.c | 4 ++++ + grsecurity/Kconfig | 21 +++++---------------- + grsecurity/grsec_init.c | 4 ---- + grsecurity/grsec_log.c | 14 ++++++++++++++ + grsecurity/grsec_pax.c | 19 ++++++++++++++----- + grsecurity/grsec_sysctl.c | 9 --------- + include/linux/binfmts.h | 1 + + include/linux/grinternal.h | 2 +- + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 3 ++- + mm/mmap.c | 7 +++++++ + mm/mprotect.c | 2 +- + 13 files changed, 88 insertions(+), 38 deletions(-) + +commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15 +Author: Brad Spengler +Date: Thu Aug 1 18:52:02 2013 -0400 + + add missing #define + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 4a307f7d3ff3ab232c0b6341415088e7618c494e +Author: Brad Spengler +Date: Thu Aug 1 18:43:53 2013 -0400 + + fix compilation for !COMPAT as reported on the forums + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- + 1 files changed, 97 insertions(+), 98 deletions(-) + +commit 78011eb5c2454b8afc96b98bd86ac172e589b13c +Author: Brad Spengler +Date: Wed Jul 31 17:47:20 2013 -0400 + + Revert "revert recent PaX change that causes boot failures with 32bit userland" + + This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. + + Signed-off-by: Brad Spengler + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad +Author: Brad Spengler +Date: Wed Jul 31 16:26:58 2013 -0400 + + compile fix for !COMPAT as mentioned on forums + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit e670dc535e4501fd12d8bf00f1e1306c44266fe7 +Author: Brad Spengler +Date: Tue Jul 30 22:33:14 2013 -0400 + + perform compat conversion of rlimit infinity + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 2834fe28e69176da6ac4989c6e3dc713faafefe5 +Author: Brad Spengler +Date: Tue Jul 30 22:21:40 2013 -0400 + + remove debugging + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- + 1 files changed, 11 insertions(+), 33 deletions(-) + +commit 2669672647f6955f0e5154596492c73cd4fda330 +Author: Brad Spengler +Date: Tue Jul 30 22:20:32 2013 -0400 + + eliminate compat_dev_t + + Signed-off-by: Brad Spengler + + include/linux/gracl_compat.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 75de5da79f5e03936a79ffe2c827462000001985 +Author: Brad Spengler +Date: Tue Jul 30 22:13:22 2013 -0400 + + fix compat rlimit size + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- + include/linux/gracl_compat.h | 4 +- + 2 files changed, 49 insertions(+), 23 deletions(-) + +commit 9055a8feb8493a30d1ad0fcef25eb496630d223f +Author: Brad Spengler +Date: Tue Jul 30 21:20:18 2013 -0400 + + compile fix + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720 +Author: Brad Spengler +Date: Tue Jul 30 21:14:29 2013 -0400 + + copy correct pointer size in new compat code + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 8 ++++---- + grsecurity/gracl_compat.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 129b6204587740fd082e731a54d00e8a9fc35f8b +Author: Brad Spengler +Date: Tue Jul 30 19:15:50 2013 -0400 + + compile fix + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f +Author: Brad Spengler +Date: Tue Jul 30 19:12:46 2013 -0400 + + remove BUILD_BUG_ONs + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 20 -------------------- + 1 files changed, 0 insertions(+), 20 deletions(-) + +commit 67fc73af0876d311c0d01d3b16fa429f44af12b9 +Author: Brad Spengler +Date: Tue Jul 30 00:18:36 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 8 ++++---- + include/linux/gracl_compat.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096 +Author: Brad Spengler +Date: Tue Jul 30 00:16:42 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_compat.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 798adb5cab6c3a8056e1b415e6f34a270f369721 +Author: Brad Spengler +Date: Tue Jul 30 00:13:51 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 4d4945ce90d83784634b898f83cb5a7699537733 +Author: Brad Spengler +Date: Tue Jul 30 00:11:03 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl_compat.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2 +Author: Brad Spengler +Date: Tue Jul 30 00:08:21 2013 -0400 + + more compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 28 ++++++++++++++-------------- + 1 files changed, 14 insertions(+), 14 deletions(-) + +commit 6db464f72eff84f77335b69dc2748a3759e151d1 +Author: Brad Spengler +Date: Mon Jul 29 23:59:50 2013 -0400 + + more compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7 +Author: Brad Spengler +Date: Mon Jul 29 23:56:47 2013 -0400 + + additional compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 files changed, 49 insertions(+), 10 deletions(-) + +commit e78a78dcfc089142273243b54509840d3b50c538 +Author: Brad Spengler +Date: Mon Jul 29 23:47:15 2013 -0400 + + fix typo + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b27005e62bebc09e6604a6f5dc099742bb6b4434 +Author: Brad Spengler +Date: Mon Jul 29 23:46:59 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 14 deletions(-) + +commit 101b84a778c254dfd7399f5bcd6264ff437f1176 +Author: Brad Spengler +Date: Mon Jul 29 23:22:44 2013 -0400 + + Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel + + Also removed code duplication for copying strings into the kernel + + Work performed as part of sponsorship + + Signed-off-by: Brad Spengler + + grsecurity/Makefile | 4 + + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- + grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ + include/linux/gracl_compat.h | 156 +++++++++++++++++++++ + 4 files changed, 603 insertions(+), 142 deletions(-) + +commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e +Author: Brad Spengler +Date: Tue Jul 16 20:40:24 2013 -0400 + + allow viewing of ecryptfs version under SYSFS_RESTRICT + + Signed-off-by: Brad Spengler + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3e182e4da46de4c6b9a9f45d41030bef19260954 +Author: Brad Spengler +Date: Sun Jul 14 11:49:17 2013 -0400 + + Update PaX fix, just return the error + + Signed-off-by: Brad Spengler + + mm/madvise.c | 11 +++++------ + 1 files changed, 5 insertions(+), 6 deletions(-) + +commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870 +Author: Brad Spengler +Date: Sun Jul 14 11:36:00 2013 -0400 + + Fix madvise oops reported by Peter Keel + + Signed-off-by: Brad Spengler + + mm/madvise.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit 32537d92b8da84f38bf45eb85b6953f452064936 +Author: Brad Spengler +Date: Tue Jul 9 22:04:59 2013 -0400 + + compile fixes + + Signed-off-by: Brad Spengler + + fs/exec.c | 2 +- + mm/mmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70 +Author: Brad Spengler +Date: Sat Sep 14 16:15:10 2013 -0400 + + Initial port of grsecurity to 3.11 using new git method + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 3 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 12 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 1 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 128 ++- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/block/cpqarray.c | 1 + + drivers/cdrom/cdrom.c | 2 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++--------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 9 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 184 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 256 +++- + fs/namespace.c | 16 + + fs/open.c | 38 + + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 166 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/perf_event.h | 13 +- + include/linux/printk.h | 3 +- + include/linux/sched.h | 24 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 ++- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 64 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 2 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 7 + + kernel/printk/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 69 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 1 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 63 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev_ioctl.c | 4 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 4 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netrom/af_netrom.c | 1 - + net/phonet/af_phonet.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 341 +++- + security/apparmor/Kconfig | 9 + + security/apparmor/apparmorfs.c | 231 +++ + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 235 files changed, 4384 insertions(+), 1312 deletions(-) + +commit a76b033c58b4886552911442f1b89e0cee041dae +Author: Brad Spengler +Date: Tue Jul 9 20:57:40 2013 -0400 + + Commit merge of new files and rejected patches + + Signed-off-by: Brad Spengler + + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/kernel/process.c | 4 +- + arch/powerpc/include/asm/thread_info.h | 7 +- + arch/powerpc/mm/slice.c | 2 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/x86/kernel/vm86_32.c | 15 + + fs/coredump.c | 1 + + fs/ext4/balloc.c | 4 +- + fs/namei.c | 7 + + fs/namespace.c | 8 + + fs/pipe.c | 2 +- + fs/proc/inode.c | 13 + + fs/proc/internal.h | 3 + + grsecurity/Kconfig | 1054 +++++++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 ++++ + grsecurity/gracl_ip.c | 387 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 434 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 +++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 +++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 246 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/gracl.h | 319 +++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 ++ + include/linux/grinternal.h | 227 ++ + include/linux/grmsg.h | 112 + + include/linux/grsecurity.h | 241 ++ + include/linux/grsock.h | 19 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/proc_fs.h | 13 + + include/linux/sched.h | 48 +- + include/trace/events/fs.h | 53 + + kernel/kmod.c | 7 +- + kernel/panic.c | 2 +- + kernel/posix-timers.c | 1 + + kernel/time/timekeeping.c | 2 + + lib/Kconfig.debug | 2 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/mmap.c | 13 +- + mm/shmem.c | 2 +- + net/core/net-procfs.c | 5 + + net/ipv6/udp.c | 3 + + net/netfilter/xt_gradm.c | 51 + + 66 files changed, 11184 insertions(+), 21 deletions(-) + +commit d1cf217118e0750f54aca9136d8c6a41f0ae439c +Author: Brad Spengler +Date: Sat Sep 14 14:36:40 2013 -0400 + + Initial import of pax-linux-3.11-test4.patch + + Documentation/dontdiff | 46 +- + Documentation/kernel-parameters.txt | 23 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 444 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 3 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 54 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 95 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 110 +- + arch/arm/kernel/entry-common.S | 40 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 3 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/process.c | 42 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 35 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/kvm/arm.c | 8 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 6 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/context.c | 10 +- + arch/arm/mm/fault.c | 104 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 185 +- + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 728 +++- + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/local.h | 57 + + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/include/asm/smtc_proc.h | 2 +- + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/irq.c | 6 +- + arch/mips/kernel/process.c | 12 - + arch/mips/kernel/smtc-proc.c | 6 +- + arch/mips/kernel/smtc.c | 2 +- + arch/mips/kernel/sync-r4k.c | 24 +- + arch/mips/kernel/traps.c | 13 +- + arch/mips/mm/fault.c | 25 + + arch/mips/mm/mmap.c | 51 +- + arch/mips/sgi-ip27/ip27-nmi.c | 6 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap.c | 16 + + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/smp_64.c | 12 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 52 +- + arch/sparc/kernel/traps_64.c | 27 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 + + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/sparc/mm/init_64.c | 10 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 22 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 16 +- + arch/x86/ia32/ia32entry.S | 157 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 +- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 16 +- + arch/x86/include/asm/desc.h | 74 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 8 +- + arch/x86/include/asm/futex.h | 20 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 128 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 124 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 82 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 29 +- + arch/x86/include/asm/smap.h | 64 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/tlbflush.h | 74 +- + arch/x86/include/asm/uaccess.h | 112 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 14 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 130 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 356 +- + arch/x86/kernel/entry_64.S | 669 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 228 +- + arch/x86/kernel/head_64.S | 138 +- + arch/x86/kernel/i386_ksyms_32.c | 12 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 67 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 20 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 42 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/relocate_kernel_64.S | 5 +- + arch/x86/kernel/setup.c | 65 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 19 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 28 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 12 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/tracepoint.c | 4 +- + arch/x86/kernel/traps.c | 62 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 147 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 6 +- + arch/x86/kernel/x86_init.c | 6 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 61 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 89 +- + arch/x86/lib/copy_user_nocache_64.S | 22 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 13 +- + arch/x86/lib/getuser.S | 74 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 22 +- + arch/x86/lib/memmove_64.S | 36 +- + arch/x86/lib/memset_64.S | 11 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 363 +- + arch/x86/lib/usercopy_64.c | 18 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 571 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 101 +- + arch/x86/mm/init_32.c | 111 +- + arch/x86/mm/init_64.c | 45 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 36 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 139 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/mm/uderef_64.c | 37 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 39 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 3 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 45 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-cgroup.c | 4 +- + block/blk-iopoll.c | 2 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 2 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/genhd.c | 9 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 2 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/apei/ghes.c | 4 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 12 +- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_nl.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 43 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clk/socfpga/clk.c | 7 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_ondemand.c | 8 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/crypto/hifn_795x.c | 4 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_device.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci.c | 4 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 6 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 24 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/gpu/host1x/drm/dc.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hid/uhid.c | 6 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hv_balloon.c | 18 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mcg.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/misc/ims-pcu.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/input/serio/serio_raw.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_common.c | 2 + + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bcache/super.c | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/rc/rc-main.c | 4 +- + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- + drivers/media/v4l2-core/v4l2-device.c | 4 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/usb/sierra_net.c | 4 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wimax/i2400m/rx.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/core.c | 4 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/android/timed_output.c | 6 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.h | 4 +- + drivers/target/sbp/sbp_target.c | 4 +- + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/hvc/hvsi.c | 12 +- + drivers/tty/hvc/hvsi_lib.c | 6 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/ioc4_serial.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/msm_serial.c | 4 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/dwc3/gadget.c | 2 - + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/misc/appledisplay.c | 4 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vfio/vfio.c | 2 +- + drivers/vhost/vringh.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/hyperv_fb.c | 4 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/afs/inode.c | 4 +- + fs/aio.c | 12 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 648 ++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/delayed-inode.c | 6 +- + fs/btrfs/delayed-inode.h | 4 +- + fs/btrfs/super.c | 2 +- + fs/buffer.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/ceph/super.c | 4 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 4 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 18 +- + fs/dcache.c | 3 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 +- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/fhandle.c | 3 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 38 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 26 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 16 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 6 +- + fs/ntfs/super.c | 6 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 61 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 12 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 41 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 7 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 16 + + include/asm-generic/uaccess.h | 16 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 5 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fdtable.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 17 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/linkage.h | 1 + + include/linux/list.h | 15 + + include/linux/math64.h | 8 +- + include/linux/mm.h | 116 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-ohci-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/preempt.h | 19 + + include/linux/proc_ns.h | 2 +- + include/linux/random.h | 15 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 67 +- + include/linux/sched/sysctl.h | 1 + + include/linux/security.h | 2 +- + include/linux/seq_file.h | 1 + + include/linux/signal.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 48 +- + include/linux/slab_def.h | 32 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 8 +- + include/linux/smp.h | 2 + + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 18 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 9 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-device.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 17 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 18 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/netns/ipv6.h | 2 +- + include/net/ping.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 42 +- + init/main.c | 84 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 38 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 30 +- + kernel/events/internal.h | 12 +- + kernel/events/uprobes.c | 2 +- + kernel/exit.c | 4 +- + kernel/fork.c | 170 +- + kernel/futex.c | 11 +- + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 2 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 10 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 24 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 74 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 49 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 32 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 14 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_clock.c | 4 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 10 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 3 +- + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 25 + + mm/mlock.c | 15 +- + mm/mmap.c | 588 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 41 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 44 +- + mm/shmem.c | 19 +- + mm/slab.c | 108 +- + mm/slab.h | 15 +- + mm/slab_common.c | 60 +- + mm/slob.c | 206 +- + mm/slub.c | 88 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 77 +- + mm/vmstat.c | 10 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 2 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/ceph/messenger.c | 4 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/netpoll.c | 4 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/skbuff.c | 6 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ieee802154/6lowpan.c | 2 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 14 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 20 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/datagram.c | 2 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/output_core.c | 15 +- + net/ipv6/ping.c | 28 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 6 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 10 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/auth_gss/svcauth_gss.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 4 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 33 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 690 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 12 +- + security/selinux/avc.c | 6 +- + security/selinux/hooks.c | 6 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/hda/hda_codec.c | 8 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 2 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 172 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 560 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 471 ++ + tools/gcc/latent_entropy_plugin.c | 321 + + tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2113 +++++++ + tools/gcc/stackleak_plugin.c | 327 + + tools/gcc/structleak_plugin.c | 277 + + tools/lib/lk/Makefile | 2 +- + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1664 files changed, 32957 insertions(+), 7636 deletions(-) +commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c +Merge: c3ccfb2 777e08c +Author: Brad Spengler +Date: Sun Sep 8 19:49:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 +Author: Brad Spengler +Date: Sun Sep 8 19:47:32 2013 -0400 + + Update to pax-linux-3.10.11-test26.patch: + - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger + - fixed an uninitialized read in splice, reported by hunger + + fs/splice.c | 1 + + include/linux/syscalls.h | 14 +- + tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- + 3 files changed, 247 insertions(+), 194 deletions(-) + +commit 5c3161364270c842d901789faac731f79a9f9cd6 +Merge: cf9c476 85cdabb +Author: Brad Spengler +Date: Sun Sep 8 19:24:25 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit c3ccfb29794a03413095422100ce90d40ef7df0f +Author: Jakob Bornecrantz +Date: Thu Aug 29 02:32:53 2013 +0200 + + Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f + + drm/vmwgfx: Split GMR2_REMAP commands if they are to large + + This fixes the piglit test texturing/max-texture-size + causing the VM to die due to a too large SVGA command. + + Signed-off-by: Jakob Bornecrantz + Reviewed-by: Biran Paul + Reviewed-by: Zack Rusin + Cc: stable@vger.kernel.org + Signed-off-by: Dave Airlie + + drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- + 1 files changed, 39 insertions(+), 19 deletions(-) + +commit d260badf708d6aa16c44f56f54727532dcae826e +Author: Daniel Borkmann +Date: Tue Sep 3 19:29:12 2013 +0200 + + Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df + + net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv + + In tcp_v6_do_rcv() code, when processing pkt options, we soley work + on our skb clone opt_skb that we've created earlier before entering + tcp_rcv_established() on our way. However, only in condition ... + + if (np->rxopt.bits.rxtclass) + np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); + + ... we work on skb itself. As we extract every other information out + of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can + already be released by tcp_rcv_established() earlier on. When we try + to access it in ipv6_hdr(), we will dereference freed skb. + + [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for + IP_PKTOPTIONS") ] + + Signed-off-by: Daniel Borkmann + Cc: Eric Dumazet + Acked-by: Eric Dumazet + Acked-by: Jiri Benc + Signed-off-by: David S. Miller + + net/ipv6/tcp_ipv6.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 +Author: Dan Carpenter +Date: Thu Aug 29 11:47:00 2013 +0300 + + Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 + + mISDN: return -EINVAL on error in dsp_control_req() + + If skb->len is too short then we should return an error. Otherwise we + read beyond the end of skb->data for several bytes. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/mISDN/dsp_core.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af +Author: Brad Spengler +Date: Thu Sep 5 19:36:23 2013 -0400 + + fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit da68dbcd96c617923a0aedb177d36b2701f9c858 +Author: Brad Spengler +Date: Thu Sep 5 19:17:02 2013 -0400 + + Allow the deny_new_usb sysctl to be toggled off by a user with + CAP_SYS_ADMIN. This allows for more inventive uses of the feature + that would be impossible otherwise (like toggling it while the screen is + locked, etc) + + grsecurity/grsec_sysctl.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit ce0e893adc830ee110f97071cc17e661fb35ae3d +Author: Brad Spengler +Date: Thu Sep 5 18:41:49 2013 -0400 + + Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what + GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for + users who know they want the functionality but don't want to bother + with modifying init scripts + + Also eliminate reset_security_ops() as a ROP target when + SECURITY_SELINUX_DISABLE is disabled as it's the only user + + grsecurity/Kconfig | 17 ++++++++++++++++- + grsecurity/grsec_init.c | 3 +++ + grsecurity/grsec_sysctl.c | 2 +- + security/security.c | 4 ++++ + 4 files changed, 24 insertions(+), 2 deletions(-) + +commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd +Merge: 7ee3899 cf9c476 +Author: Brad Spengler +Date: Sun Sep 1 13:56:57 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cf9c47690fa0f3da590de766ea8c6a543984ee3c +Author: Brad Spengler +Date: Sun Sep 1 13:56:16 2013 -0400 + + Update to pax-linux-3.10.10-test25.patch: + - fixed a few more REFCOUNT false positives, by Mathias Krause + - got inet_getid and ipv6_select_ident rid of the cmpxchg loop + + block/blk-cgroup.c | 4 ++-- + drivers/video/hyperv_fb.c | 4 ++-- + fs/namespace.c | 4 ++-- + include/net/inetpeer.h | 13 +++++-------- + kernel/trace/trace_clock.c | 4 ++-- + net/ipv6/output_core.c | 15 ++++++--------- + net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- + 7 files changed, 21 insertions(+), 27 deletions(-) + +commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa +Merge: fd0338c 2bdeae7 +Author: Brad Spengler +Date: Sat Aug 31 22:07:38 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 +Author: Brad Spengler +Date: Sat Aug 31 22:06:55 2013 -0400 + + Update to pax-linux-3.10.10-test24.patch: + - fixed a REFCOUNT false positive, by Mathias Krause + - fixed a bunch more after a quick audit of atomic_inc_return users + + drivers/acpi/apei/ghes.c | 4 ++-- + drivers/ata/libata-core.c | 4 ++-- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/block/drbd/drbd_nl.c | 4 ++-- + drivers/crypto/hifn_795x.c | 4 ++-- + drivers/edac/edac_device.c | 4 ++-- + drivers/edac/edac_pci.c | 4 ++-- + drivers/firewire/core-card.c | 4 ++-- + drivers/hv/hv_balloon.c | 18 +++++++++--------- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/input/misc/ims-pcu.c | 4 ++-- + drivers/input/serio/serio_raw.c | 4 ++-- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/rc/rc-main.c | 4 ++-- + drivers/media/v4l2-core/v4l2-device.c | 4 ++-- + drivers/net/usb/sierra_net.c | 4 ++-- + drivers/pci/hotplug/pciehp_hpc.c | 4 +--- + drivers/regulator/core.c | 4 ++-- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ + drivers/staging/android/timed_output.c | 6 +++--- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/target/sbp/sbp_target.c | 4 ++-- + drivers/tty/hvc/hvsi.c | 12 ++++++------ + drivers/tty/hvc/hvsi_lib.c | 6 +++--- + drivers/tty/serial/ioc4_serial.c | 6 +++--- + drivers/tty/serial/msm_serial.c | 4 ++-- + drivers/usb/misc/appledisplay.c | 4 ++-- + fs/afs/inode.c | 4 ++-- + fs/btrfs/delayed-inode.c | 6 +++--- + fs/btrfs/delayed-inode.h | 4 ++-- + fs/fscache/cookie.c | 4 ++-- + include/media/v4l2-device.h | 2 +- + net/ceph/messenger.c | 4 ++-- + net/core/netpoll.c | 4 ++-- + net/xfrm/xfrm_state.c | 4 ++-- + security/selinux/avc.c | 6 +++--- + 43 files changed, 93 insertions(+), 95 deletions(-) + +commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 +Merge: 1bdf7ec 85099d2 +Author: Brad Spengler +Date: Sat Aug 31 21:07:29 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed +Author: Brad Spengler +Date: Sat Aug 31 21:06:55 2013 -0400 + + Update to pax-linux-3.10.10-test23.patch: + - added the necessary atomic_unchecked_t conversion for mips + - audited and fixed arm and sparc for proper atomic_unchecked_t usage + + arch/arm/kvm/arm.c | 8 ++++---- + arch/arm/mm/context.c | 10 +++++----- + arch/mips/kernel/irq.c | 6 +++--- + arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ + arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- + arch/sparc/kernel/smp_64.c | 12 ++++++------ + arch/sparc/kernel/traps_64.c | 14 +++++++------- + arch/sparc/mm/init_64.c | 10 +++++----- + 8 files changed, 45 insertions(+), 45 deletions(-) + +commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 +Merge: 995a168 38ee86c +Author: Brad Spengler +Date: Fri Aug 30 19:23:36 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 38ee86c05df0f8db582df8776b9f23f317d42bbb +Author: Brad Spengler +Date: Fri Aug 30 19:23:11 2013 -0400 + + Update to pax-linux-3.10.10-test22.patch: + - fixed !REFCOUNT/mips compilation, by Corey Minyard + - fixed a few more format strings + + arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- + drivers/md/bcache/super.c | 2 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- + drivers/pci/hotplug/pciehp_hpc.c | 2 +- + drivers/platform/x86/wmi.c | 2 +- + drivers/scsi/sd.c | 2 +- + drivers/vfio/vfio.c | 4 ++-- + fs/ntfs/super.c | 6 +++--- + include/linux/workqueue.h | 6 +++--- + net/mac80211/main.c | 2 +- + sound/pci/hda/hda_codec.c | 8 ++------ + 11 files changed, 32 insertions(+), 25 deletions(-) + +commit 995a16841e2097c3a9dfc652e856469679c4a0ba +Author: Brad Spengler +Date: Fri Aug 30 17:11:11 2013 -0400 + + fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast + + grsecurity/grsec_sysctl.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 +Merge: be2497c 1052971 +Author: Brad Spengler +Date: Thu Aug 29 20:44:29 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + include/linux/sched.h + +commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 +Merge: e902dad 8bf3379 +Author: Brad Spengler +Date: Thu Aug 29 20:39:50 2013 -0400 + + Update to pax-linux-3.10.10-test21.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/sys_x86_64.c + arch/x86/mm/mmap.c + include/linux/sched.h + +commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 +Merge: 081c22b e902dad +Author: Brad Spengler +Date: Wed Aug 28 20:52:44 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 +Author: Brad Spengler +Date: Wed Aug 28 20:51:21 2013 -0400 + + Update to pax-linux-3.10.9-test21.patch: + - removed unnecessary type cast in do_PrefetchAbort, noticed by spender + - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov + - fixed a REFCOUNT false positive in UHID + - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) + Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout + (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): + - icmpv6_filter: no memory corruption, probably just some logical error in the caller + - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) + - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) + - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now + - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless + - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network + + arch/arm/mm/fault.c | 2 +- + arch/mips/kernel/traps.c | 2 -- + drivers/hid/uhid.c | 6 +++--- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/i4l/isdn_common.c | 2 ++ + drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- + drivers/usb/dwc3/gadget.c | 2 -- + net/ieee802154/6lowpan.c | 2 +- + net/ipv6/raw.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- + 10 files changed, 14 insertions(+), 16 deletions(-) + +commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 +Author: Brad Spengler +Date: Wed Aug 28 20:42:39 2013 -0400 + + add export of gr_handle_new_usb() + + grsecurity/grsec_usb.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 +Author: Brad Spengler +Date: Wed Aug 28 19:24:47 2013 -0400 + + Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit + Kees' recent findings are motivation enough to publish it + + drivers/usb/core/hub.c | 5 +++++ + grsecurity/Kconfig | 20 ++++++++++++++++++++ + grsecurity/Makefile | 3 ++- + grsecurity/grsec_init.c | 1 + + grsecurity/grsec_sysctl.c | 11 +++++++++++ + grsecurity/grsec_usb.c | 13 +++++++++++++ + include/linux/grinternal.h | 1 + + include/linux/grsecurity.h | 2 ++ + 8 files changed, 55 insertions(+), 1 deletions(-) + +commit 8044382257ec75a03f3d784ce048ef14e94b90ca +Author: Kees Cook +Date: Wed Aug 14 09:35:07 2013 -0700 + + HID: zeroplus: validate output report details + + The zeroplus HID driver was not checking the size of allocated values + in fields it used. A HID device could send a malicious output report + that would cause the driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 + ... + [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2889 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-zpff.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f +Author: Kees Cook +Date: Wed Aug 14 14:36:15 2013 -0700 + + HID: provide a helper for validating hid reports + + Many drivers need to validate the characteristics of their HID report + during initialization to avoid misusing the reports. This adds a common + helper to perform validation of the report, its field count, and the + value count within the fields. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 +++ + 2 files changed, 54 insertions(+), 0 deletions(-) + +commit 270ba9096ddecdc3cf6c4d76e6892184820116be +Author: Kees Cook +Date: Wed Aug 14 09:14:34 2013 -0700 + + HID: steelseries: validate output report details + + A HID device could send a malicious output report that would cause the + steelseries HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 + ... + [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + + CVE-2013-2891 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-steelseries.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 +Author: Kees Cook +Date: Wed Aug 14 08:49:21 2013 -0700 + + HID: pantherlord: validate output report details + + A HID device could send a malicious output report that would cause the + pantherlord HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 + ... + [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2892 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 60115e8108e508060815bce5ef9504233c81898c +Author: Kees Cook +Date: Tue Aug 13 16:49:01 2013 -0700 + + HID: LG: validate HID output report details + + A HID device could send a malicious output report that would cause the + lg, lg3, and lg4 HID drivers to write beyond the output report allocation + during an event, causing a heap overflow: + + [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 + ... + [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten + + Additionally, while lg2 did correctly validate the report details, it was + cleaned up and shortened. + + CVE-2013-2893 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- + 4 files changed, 12 insertions(+), 73 deletions(-) + +commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f +Author: Kees Cook +Date: Thu Aug 15 23:21:23 2013 -0700 + + HID: lenovo-tpkbd: validate output report details + + A HID device could send a malicious output report that would cause the + lenovo-tpkbd HID driver to write just beyond the output report allocation + during initialization, causing a heap overflow: + + [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 + ... + [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2894 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 38627769bb2b9a550e251b2caf1babda7566fb4a +Author: Kees Cook +Date: Thu Aug 15 23:45:03 2013 -0700 + + HID: logitech-dj: validate output report details + + A HID device could send a malicious output report that would cause the + logitech-dj HID driver to leak kernel memory contents to the device, or + trigger a NULL dereference during initialization: + + [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b + ... + [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 + [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 + + CVE-2013-2895 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 +Author: Kees Cook +Date: Fri Aug 16 00:18:15 2013 -0700 + + HID: ntrig: validate feature report details + + A HID device could send a malicious feature report that would cause the + ntrig HID driver to trigger a NULL dereference during initialization: + + [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 + ... + [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 + [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + + CVE-2013-2896 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-ntrig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 +Author: Kees Cook +Date: Fri Aug 16 00:11:32 2013 -0700 + + HID: multitouch: validate feature report details + + When working on report indexes, always validate that they are in bounds. + Without this, a HID device could report a malicious feature report that + could trick the driver into a heap overflow: + + [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 + ... + [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2897 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 files changed, 20 insertions(+), 5 deletions(-) + +commit 813f51e0881e4ea6d221da828b1cced02ad9694d +Author: Kees Cook +Date: Fri Aug 16 08:12:45 2013 -0700 + + HID: sensor-hub: validate feature report details + + A HID device could send a malicious feature report that would cause the + sensor-hub HID driver to read past the end of heap allocation, leaking + kernel memory contents to the caller. + + CVE-2013-2898 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c +Author: Kees Cook +Date: Fri Aug 16 08:05:10 2013 -0700 + + HID: picolcd_core: validate output report details + + A HID device could send a malicious output report that would cause the + picolcd HID driver to trigger a NULL dereference during attr file writing. + + CVE-2013-2899 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-picolcd_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 95e3cfb5a995dabe45b98cafb77e59d074de151f +Author: Kees Cook +Date: Fri Aug 16 08:09:54 2013 -0700 + + HID: check for NULL field when setting values + + Defensively check that the field to be worked on is not NULL. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-core.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 96a55ce1b2f3af376c400a02059174e79ce4399c +Author: Brad Spengler +Date: Wed Aug 28 18:09:18 2013 -0400 + + http://marc.info/?l=linux-input&m=137772180514608&q=raw + + From: Kees Cook + + The "Report ID" field of a HID report is used to build indexes of + reports. The kernel's index of these is limited to 256 entries, so any + malicious device that sets a Report ID greater than 255 will trigger + memory corruption on the host: + + [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 + [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + + CVE-2013-2888 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + --- + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +commit eb1106eef5f17bfda833ca3cf89e315919173257 +Author: Dan Carpenter +Date: Fri Aug 9 12:52:31 2013 +0300 + + Upstream commit: 909bd5926d474e275599094acad986af79671ac9 + + Hostap: copying wrong data prism2_ioctl_giwaplist() + + We want the data stored in "addr" and "qual", but the extra ampersands + mean we are copying stack data instead. + + Signed-off-by: Dan Carpenter + Cc: stable@vger.kernel.org + Signed-off-by: John W. Linville + + drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 +Author: Brad Spengler +Date: Wed Aug 28 17:01:21 2013 -0400 + + fix typo in ipv6 backport + + net/ipv6/addrconf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 +Author: Andy Lutomirski +Date: Thu Aug 22 11:39:15 2013 -0700 + + Upstream commit: d661684cf6820331feae71146c35da83d794467e + + net: Check the correct namespace when spoofing pid over SCM_RIGHTS + + This is a security bug. + + The follow-up will fix nsproxy to discourage this type of issue from + happening again. + + Cc: stable@vger.kernel.org + Signed-off-by: Andy Lutomirski + Reviewed-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/core/scm.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 +Author: Hannes Frederic Sowa +Date: Fri Aug 16 13:02:27 2013 +0200 + + Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 + + ipv6: remove max_addresses check from ipv6_create_tempaddr + + Because of the max_addresses check attackers were able to disable privacy + extensions on an interface by creating enough autoconfigured addresses: + + + + But the check is not actually needed: max_addresses protects the + kernel to install too many ipv6 addresses on an interface and guards + addrconf_prefix_rcv to install further addresses as soon as this limit + is reached. We only generate temporary addresses in direct response of + a new address showing up. As soon as we filled up the maximum number of + addresses of an interface, we stop installing more addresses and thus + also stop generating more temp addresses. + + Even if the attacker tries to generate a lot of temporary addresses + by announcing a prefix and removing it again (lifetime == 0) we won't + install more temp addresses, because the temporary addresses do count + to the maximum number of addresses, thus we would stop installing new + autoconfigured addresses when the limit is reached. + + This patch fixes CVE-2013-0343 (but other layer-2 attacks are still + possible). + + Thanks to Ding Tianhong to bring this topic up again. + + Cc: Ding Tianhong + Cc: George Kargiotakis + Cc: P J P + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Acked-by: Ding Tianhong + Signed-off-by: David S. Miller + + Conflicts: + + net/ipv6/addrconf.c + + net/ipv6/addrconf.c | 10 ++++------ + 1 files changed, 4 insertions(+), 6 deletions(-) + +commit 8333e0981469a226a47d0142ff31090a48db95a4 +Author: David Vrabel +Date: Thu Aug 15 13:21:06 2013 +0100 + + Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 + + xen/events: initialize local per-cpu mask for all possible events + + The sizeof() argument in init_evtchn_cpu_bindings() is incorrect + resulting in only the first 64 (or 32 in 32-bit guests) ports having + their bindings being initialized to VCPU 0. + + In most cases this does not cause a problem as request_irq() will set + the irq affinity which will set the correct local per-cpu mask. + However, if the request_irq() is called on a VCPU other than 0, there + is a window between the unmasking of the event and the affinity being + set were an event may be lost because it is not locally unmasked on + any VCPU. If request_irq() is called on VCPU 0 then local irqs are + disabled during the window and the race does not occur. + + Fix this by initializing all NR_EVENT_CHANNEL bits in the local + per-cpu masks. + + Signed-off-by: David Vrabel + Signed-off-by: Konrad Rzeszutek Wilk + CC: stable@vger.kernel.org + + drivers/xen/events.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2a9a83768433937a2b7a97001ba1627156c0efed +Author: Roland Dreier +Date: Mon Aug 5 17:55:01 2013 -0700 + + Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 + + [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal + + There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances + leads to one process writing data into the address space of some other + random unrelated process if the ioctl is interrupted by a signal. + What happens is the following: + + - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the + underlying SCSI command will transfer data from the SCSI device to + the buffer provided in the ioctl) + + - Before the command finishes, a signal is sent to the process waiting + in the ioctl. This will end up waking up the sg_ioctl() code: + + result = wait_event_interruptible(sfp->read_wait, + (srp_done(sfp, srp) || sdp->detached)); + + but neither srp_done() nor sdp->detached is true, so we end up just + setting srp->orphan and returning to userspace: + + srp->orphan = 1; + write_unlock_irq(&sfp->rq_list_lock); + return result; /* -ERESTARTSYS because signal hit process */ + + At this point the original process is done with the ioctl and + blithely goes ahead handling the signal, reissuing the ioctl, etc. + + - Eventually, the SCSI command issued by the first ioctl finishes and + ends up in sg_rq_end_io(). At the end of that function, we run through: + + write_lock_irqsave(&sfp->rq_list_lock, iflags); + if (unlikely(srp->orphan)) { + if (sfp->keep_orphan) + srp->sg_io_owned = 0; + else + done = 0; + } + srp->done = done; + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + if (likely(done)) { + /* Now wake up any sg_read() that is waiting for this + * packet. + */ + wake_up_interruptible(&sfp->read_wait); + kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); + kref_put(&sfp->f_ref, sg_remove_sfp); + } else { + INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); + schedule_work(&srp->ew.work); + } + + Since srp->orphan *is* set, we set done to 0 (assuming the + userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN + ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() + to run in a workqueue. + + - In workqueue context we go through sg_rq_end_io_usercontext() -> + sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> + bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). + + The key point here is that we are doing copy_to_user() on a + workqueue -- that is, we're on a kernel thread with current->mm + equal to whatever random previous user process was scheduled before + this kernel thread. So we end up copying whatever data the SCSI + command returned to the virtual address of the buffer passed into + the original ioctl, but it's quite likely we do this copying into a + different address space! + + As suggested by James Bottomley , + add a check for current->mm (which is NULL if we're on a kernel thread + without a real userspace address space) in bio_uncopy_user(), and skip + the copy if we're on a kernel thread. + + There's no reason that I can think of for any caller of bio_uncopy_user() + to want to do copying on a kernel thread with a random active userspace + address space. + + Huge thanks to Costa Sapuntzakis for the + original pointer to this bug in the sg code. + + Signed-off-by: Roland Dreier + Tested-by: David Milburn + Cc: Jens Axboe + Cc: + Signed-off-by: James Bottomley + + fs/bio.c | 20 +++++++++++++++----- + 1 files changed, 15 insertions(+), 5 deletions(-) + +commit e6fe57dee152671afd618d6bc8cbf23155be6c34 +Merge: cdc8f7d f2095a4 +Author: Brad Spengler +Date: Tue Aug 27 18:13:35 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + security/Kconfig + +commit f2095a4787f7d332e5919f0bd00f8de6021ad612 +Author: Brad Spengler +Date: Tue Aug 27 18:08:23 2013 -0400 + + Update to pax-linux-3.10.9-test20.patch: + - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy + - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard + - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard + - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do + - added REFCOUNT support for mips, by Corey Minyard + - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) + - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) + + arch/arm/mm/fault.c | 11 +- + arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- + arch/mips/kernel/traps.c | 14 +- + arch/x86/include/asm/tlbflush.h | 4 + + arch/x86/include/asm/uaccess_64.h | 2 +- + fs/ntfs/file.c | 2 +- + kernel/events/internal.h | 4 +- + kernel/events/uprobes.c | 2 +- + kernel/futex.c | 2 +- + mm/filemap.c | 8 +- + security/Kconfig | 2 +- + tools/gcc/kernexec_plugin.c | 18 +- + tools/gcc/latent_entropy_plugin.c | 26 +- + tools/gcc/size_overflow_plugin.c | 3 +- + 14 files changed, 750 insertions(+), 70 deletions(-) + +commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 +Merge: 5a9ae57 745975e +Author: Brad Spengler +Date: Mon Aug 26 20:27:33 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 745975e3b3b74b64e00e85778f9a22714d1274f2 +Author: Brad Spengler +Date: Mon Aug 26 20:26:33 2013 -0400 + + Fix compilation when UDEREF is enabled and KERNEXEC is disabled, + as reported by fabled on the forums: + http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 + + arch/arm/include/asm/pgtable.h | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 +Merge: 486ec00 f68df21 +Author: Brad Spengler +Date: Tue Aug 20 20:15:20 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 +Author: Brad Spengler +Date: Tue Aug 20 20:14:50 2013 -0400 + + Update to pax-linux-3.10.9-test18.patch: + - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) + - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) + - forward port to 3.10.9 + + arch/x86/kernel/entry_64.S | 18 +++++++++--------- + arch/x86/kernel/i386_ksyms_32.c | 4 ++++ + arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ + 3 files changed, 17 insertions(+), 9 deletions(-) + +commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f +Merge: f47a293 d8fed0e +Author: Brad Spengler +Date: Tue Aug 20 20:12:47 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 +Merge: f6ace8e 0a4b6d4 +Author: Brad Spengler +Date: Tue Aug 20 20:12:33 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit f47a293a1440da2a3e2c239d43d636e37ca74f10 +Merge: f1e8ec7 f6ace8e +Author: Brad Spengler +Date: Tue Aug 20 18:20:05 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/kernel/perf_event.c + include/linux/sched.h + +commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 +Merge: b4fa847 6f54059 +Author: Brad Spengler +Date: Tue Aug 20 18:18:02 2013 -0400 + + Update to pax-linux-3.10.8-test18.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/sys_x86_64.c + arch/x86/mm/mmap.c + include/linux/sched.h + +commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca +Merge: 6f88011 b4fa847 +Author: Brad Spengler +Date: Tue Aug 20 18:05:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 +Author: Brad Spengler +Date: Tue Aug 20 18:04:14 2013 -0400 + + Update to pax-linux-3.10.7-test18.patch: + - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) + - fixed a UDEREF resume regression due to the constification of clone_pgd_mask + - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause + + arch/arm/kernel/process.c | 2 +- + arch/x86/include/asm/processor.h | 25 ++----------------------- + arch/x86/kernel/cpu/common.c | 4 ++++ + arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ + drivers/staging/zcache/tmem.c | 4 ++-- + drivers/staging/zcache/tmem.h | 6 ++---- + 6 files changed, 47 insertions(+), 30 deletions(-) + +commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f +Author: Brad Spengler +Date: Mon Aug 19 22:10:04 2013 -0400 + + fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) + as reported by pipacs + + arch/x86/kernel/smpboot.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 +Merge: 6eba999 5de93c8 +Author: Brad Spengler +Date: Sun Aug 18 22:03:19 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db +Author: Brad Spengler +Date: Sun Aug 18 22:02:47 2013 -0400 + + Update to pax-linux-3.10.7-test15.patch: + - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) + - fixed some new REFCOUNT false positives, caught by inspection + + arch/x86/kernel/cpu/common.c | 5 +++-- + arch/x86/kernel/entry_64.S | 11 +++++++---- + fs/ceph/super.c | 4 ++-- + mm/backing-dev.c | 4 ++-- + 4 files changed, 14 insertions(+), 10 deletions(-) + +commit 94c119587c76723c1072237b98fff9886ccb7689 +Author: Brad Spengler +Date: Sun Aug 18 20:49:39 2013 -0400 + + fix pipacs' DEMORGAN typo + + arch/x86/include/asm/tlbflush.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 +Merge: df347f6 64a293e +Author: Brad Spengler +Date: Sun Aug 18 18:13:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 +Author: Brad Spengler +Date: Sun Aug 18 18:12:37 2013 -0400 + + Update to pax-linux-3.10.7-test14.patch: + - fixed compile error introduced by the previous PCID change + - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) + + arch/x86/include/asm/tlbflush.h | 2 +- + kernel/posix-timers.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 +Merge: d8efbc5 e11b314 +Author: Brad Spengler +Date: Sun Aug 18 08:15:00 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e11b314734c5b7317f5468be75305ad812e78c2b +Author: Brad Spengler +Date: Sun Aug 18 08:14:26 2013 -0400 + + Update to pax-linux-3.10.7-test13.patch: + - always enable the use of PCID and INVPCID when available in the CPU + - kvm guest kernels can use these features even if the host kernel lacks UDEREF + + arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- + arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- + 2 files changed, 70 insertions(+), 47 deletions(-) + +commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 +Author: Brad Spengler +Date: Sat Aug 17 12:00:20 2013 -0400 + + make kallsyms_lookup_size_offset available to approved source files + + include/linux/kallsyms.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 6c8feffa95ce2db280160015027b52bb41a344c8 +Merge: dbf6930 0bb1c2b +Author: Brad Spengler +Date: Sat Aug 17 11:57:50 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 +Author: Brad Spengler +Date: Sat Aug 17 11:56:43 2013 -0400 + + Update to pax-linux-3.10.7-test12.patch: + - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause + - fixed some arm compile problems + + arch/x86/include/asm/tlbflush.h | 2 +- + drivers/clocksource/bcm_kona_timer.c | 2 +- + kernel/signal.c | 4 ++++ + 3 files changed, 6 insertions(+), 2 deletions(-) + +commit dbf69305ad4f8a037aae95af90f9201f556dcb48 +Author: Brad Spengler +Date: Sat Aug 17 11:18:09 2013 -0400 + + allow use of kallsyms_lookup_name to approved source files + + include/linux/kallsyms.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 +Merge: 68bd16f f562e3e +Author: Brad Spengler +Date: Sat Aug 17 10:35:02 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f562e3ef7737ea8d80431a722479b36a12504ace +Author: Brad Spengler +Date: Sat Aug 17 10:34:51 2013 -0400 + + add uderef_64.c + + arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 files changed, 37 insertions(+), 0 deletions(-) + +commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 +Author: Asbjoern Sloth Toennesen +Date: Mon Aug 12 16:30:09 2013 +0000 + + Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 + + rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header + + Fix the iproute2 command `bridge vlan show`, after switching from + rtgenmsg to ifinfomsg. + + Let's start with a little history: + + Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in + the 3.9 merge window. + In the kernel commit 6cbdceeb, he added attribute support to + bridge GETLINK requests sent with rtgenmsg. + + Mar 6th: Vlad got this iproute2 reference implementation of the bridge + vlan netlink interface accepted (iproute2 9eff0e5c) + + Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) + http://patchwork.ozlabs.org/patch/239602/ + http://marc.info/?t=136680900700007 + + Apr 28th: Linus released 3.9 + + Apr 30th: Stephen released iproute2 3.9.0 + + The `bridge vlan show` command haven't been working since the switch to + ifinfomsg, or in a released version of iproute2. Since the kernel side + only supports rtgenmsg, which iproute2 switched away from just prior to + the iproute2 3.9.0 release. + + I haven't been able to find any documentation, about neither rtgenmsg + nor ifinfomsg, and in which situation to use which, but kernel commit + 88c5b5ce seams to suggest that ifinfomsg should be used. + + Fixing this in kernel will break compatibility, but I doubt that anybody + have been using it due to this bug in the user space reference + implementation, at least not without noticing this bug. That said the + functionality is still fully functional in 3.9, when reversing iproute2 + commit 63338dca. + + This could also be fixed in iproute2, but thats an ugly patch that would + reintroduce rtgenmsg in iproute2, and from searching in netdev it seams + like rtgenmsg usage is discouraged. I'm assuming that the only reason + that Vlad implemented the kernel side to use rtgenmsg, was because + iproute2 was using it at the time. + + Signed-off-by: Asbjoern Sloth Toennesen + Reviewed-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/core/rtnetlink.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8c7bc5bafddddff55ed4687203a977e96f72540a +Author: Johannes Berg +Date: Tue Aug 13 09:04:05 2013 +0200 + + Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db + + genetlink: fix family dump race + + When dumping generic netlink families, only the first dump call + is locked with genl_lock(), which protects the list of families, + and thus subsequent calls can access the data without locking, + racing against family addition/removal. This can cause a crash. + Fix it - the locking needs to be conditional because the first + time around it's already locked. + + A similar bug was reported to me on an old kernel (3.4.47) but + the exact scenario that happened there is no longer possible, + on those kernels the first round wasn't locked either. Looking + at the current code I found the race described above, which had + also existed on the old kernel. + + Cc: stable@vger.kernel.org + Reported-by: Andrei Otcheretianski + Signed-off-by: Johannes Berg + Signed-off-by: David S. Miller + + net/netlink/genetlink.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb +Author: Daniel Borkmann +Date: Fri Aug 9 16:25:21 2013 +0200 + + Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e + + net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption + + Probably this one is quite unlikely to be triggered, but it's more safe + to do the call_rcu() at the end after we have dropped the reference on + the asoc and freed sctp packet chunks. The reason why is because in + sctp_transport_destroy_rcu() the transport is being kfree()'d, and if + we're unlucky enough we could run into corrupted pointers. Probably + that's more of theoretical nature, but it's safer to have this simple fix. + + Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings + for deferred call_rcu's"). I also did the 8c98653f regression test and + it's fine that way. + + Signed-off-by: Daniel Borkmann + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/transport.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 3925eab5483946fd746575a46f97bee9d566bb77 +Author: Stephane Grosjean +Date: Fri Aug 9 11:44:06 2013 +0200 + + Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e + + can: pcan_usb: fix wrong memcpy() bytes length + + Fix possibly wrong memcpy() bytes length since some CAN records received from + PCAN-USB could define a DLC field in range [9..15]. + In that case, the real DLC value MUST be used to move forward the record pointer + but, only 8 bytes max. MUST be copied into the data field of the struct + can_frame object of the skb given to the network core. + + Cc: linux-stable + Signed-off-by: Stephane Grosjean + Signed-off-by: Marc Kleine-Budde + Signed-off-by: David S. Miller + + drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c1ac6642baae4a400d1f87115024d1bb1ef53598 +Author: Linus Lüssing +Date: Tue Aug 6 20:21:15 2013 +0200 + + Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 + + batman-adv: fix potential kernel paging errors for unicast transmissions + + There are several functions which might reallocate skb data. Currently + some places keep reusing their old ethhdr pointer regardless of whether + they became invalid after such a reallocation or not. This potentially + leads to kernel paging errors. + + This patch fixes these by refetching the ethdr pointer after the + potential reallocations. + + Signed-off-by: Linus Lüssing + Signed-off-by: Marek Lindner + Signed-off-by: Antonio Quartulli + + net/batman-adv/bridge_loop_avoidance.c | 2 ++ + net/batman-adv/gateway_client.c | 13 ++++++++++++- + net/batman-adv/gateway_client.h | 3 +-- + net/batman-adv/soft-interface.c | 9 ++++++++- + net/batman-adv/unicast.c | 13 ++++++++++--- + 5 files changed, 33 insertions(+), 7 deletions(-) + +commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb +Author: Yuchung Cheng +Date: Fri Aug 9 17:21:27 2013 -0700 + + Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 + + netfilter: nf_conntrack: fix tcp_in_window for Fast Open + + Currently the conntrack checks if the ending sequence of a packet + falls within the observed receive window. However it does so even + if it has not observe any packet from the remote yet and uses an + uninitialized receive window (td_maxwin). + + If a connection uses Fast Open to send a SYN-data packet which is + dropped afterward in the network. The subsequent SYNs retransmits + will all fail this check and be discarded, leading to a connection + timeout. This is because the SYN retransmit does not contain data + payload so + + end == initial sequence number (isn) + 1 + sender->td_end == isn + syn_data_len + receiver->td_maxwin == 0 + + The fix is to only apply this check after td_maxwin is initialized. + + Reported-by: Michael Chan + Signed-off-by: Yuchung Cheng + Acked-by: Eric Dumazet + Acked-by: Jozsef Kadlecsik + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec +Author: Dan Carpenter +Date: Thu Aug 1 12:36:57 2013 +0300 + + Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 + + netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message + + These structs have a "_pad" member. Also the "phw" structs have an 8 + byte "hw_addr[]" array but sometimes only the first 6 bytes are + initialized. + + Signed-off-by: Dan Carpenter + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_log.c | 6 +++++- + net/netfilter/nfnetlink_queue_core.c | 5 ++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f +Author: Pablo Neira Ayuso +Date: Thu Jul 25 10:46:46 2013 +0200 + + Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 + + netfilter: xt_TCPOPTSTRIP: fix possible off by one access + + Fix a possible off by one access since optlen() + touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. + + This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen + that stores the TCP header length, to save some cycles. + + Reported-by: Julian Anastasov + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +commit 4634def261cf5f635bc60afe8a6ad436b3ec151e +Author: Pablo Neira Ayuso +Date: Thu Jul 25 10:37:49 2013 +0200 + + Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd + + netfilter: xt_TCPMSS: fix handling of malformed TCP header and options + + Make sure the packet has enough room for the TCP header and + that it is not malformed. + + While at it, store tcph->doff*4 in a variable, as it is used + several times. + + This patch also fixes a possible off by one in case of malformed + TCP options. + + Reported-by: Julian Anastasov + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ + 1 files changed, 16 insertions(+), 12 deletions(-) + +commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 +Author: Dave Jones +Date: Fri Aug 9 11:16:34 2013 -0700 + + Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e + + 8139cp: Fix skb leak in rx_status_loop failure path. + + Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 + ("8139cp: Add dma_mapping_error checking") + + Signed-off-by: Dave Jones + Signed-off-by: David S. Miller + + drivers/net/ethernet/realtek/8139cp.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 227b279491a0bbcc70ca3654f34903282c378600 +Author: Timo Teräs +Date: Tue Aug 6 13:45:43 2013 +0300 + + Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b + + ip_gre: fix ipgre_header to return correct offset + + Fix ipgre_header() (header_ops->create) to return the correct + amount of bytes pushed. Most callers of dev_hard_header() seem + to care only if it was success, but af_packet.c uses it as + offset to the skb to copy from userspace only once. In practice + this fixes packet socket sendto()/sendmsg() to gre tunnels. + + Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 + ("GRE: Refactor GRE tunneling code.") + + Cc: Pravin B Shelar + Signed-off-by: Timo Teräs + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/ip_gre.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb +Author: Eric Dumazet +Date: Mon Aug 5 11:18:49 2013 -0700 + + Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 + + fib_trie: remove potential out of bound access + + AddressSanitizer [1] dynamic checker pointed a potential + out of bound access in leaf_walk_rcu() + + We could allocate one more slot in tnode_new() to leave the prefetch() + in-place but it looks not worth the pain. + + Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") + + [1] : + https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel + + Reported-by: Andrey Konovalov + Signed-off-by: Eric Dumazet + Cc: Dmitry Vyukov + Signed-off-by: David S. Miller + + net/ipv4/fib_trie.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 +Author: Daniel Borkmann +Date: Mon Aug 5 12:49:35 2013 +0200 + + Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 + + net: esp{4,6}: fix potential MTU calculation overflows + + Commit 91657eafb ("xfrm: take net hdr len into account for esp payload + size calculation") introduced a possible interger overflow in + esp{4,6}_get_mtu() handlers in case of x->props.mode equals + XFRM_MODE_TUNNEL. Thus, the following expression will overflow + + unsigned int net_adj; + ... + + net_adj = 0; + ... + return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - + net_adj) & ~(align - 1)) + (net_adj - 2); + + where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned + context. Fix it by simply removing brackets as those operations here + do not need to have special precedence. + + Signed-off-by: Daniel Borkmann + Cc: Benjamin Poirier + Cc: Steffen Klassert + Acked-by: Benjamin Poirier + Signed-off-by: David S. Miller + + net/ipv4/esp4.c | 2 +- + net/ipv6/esp6.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit f02bce292d1c2fe610be509c96593e70b3de387b +Author: Julia Lawall +Date: Mon Aug 5 16:47:38 2013 +0200 + + Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 + + net/vmw_vsock/af_vsock.c: drop unneeded semicolon + + Drop the semicolon at the end of the list_for_each_entry loop header. + + Signed-off-by: Julia Lawall + Signed-off-by: David S. Miller + + net/vmw_vsock/af_vsock.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 +Author: Tiger Yang +Date: Tue Aug 13 16:00:58 2013 -0700 + + Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 + + ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page + + Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as + the struct file pointer, it finally result in a null pointer dereference + in ocfs2_duplicate_clusters_by_page. + + This patch replace file pointer with inode pointer in + cow_duplicate_clusters to fix this issue. + + [jeff.liu@oracle.com: rebased patch against linux-next tree] + Signed-off-by: Tiger Yang + Signed-off-by: Jie Liu + Cc: Joel Becker + Cc: Mark Fasheh + Acked-by: Tao Ma + Tested-by: David Weber + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/ocfs2/aops.c | 2 +- + fs/ocfs2/file.c | 6 ++-- + fs/ocfs2/move_extents.c | 2 +- + fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- + fs/ocfs2/refcounttree.h | 6 ++-- + 5 files changed, 16 insertions(+), 53 deletions(-) + +commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 +Author: Dan Carpenter +Date: Thu Aug 15 15:52:57 2013 +0300 + + Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e + + tun: signedness bug in tun_get_user() + + The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is + not totally correct. Because "len" and "sizeof()" are size_t type, that + means they are never less than zero. + + Signed-off-by: Dan Carpenter + Acked-by: Michael S. Tsirkin + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + drivers/net/tun.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 26ad267ddda451919357965a0cf271ca24d1bcf2 +Author: Weiping Pan +Date: Tue Aug 13 21:46:56 2013 +0800 + + Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 + + tun: compare with 0 instead of total_len + + Since we set "len = total_len" in the beginning of tun_get_user(), + so we should compare the new len with 0, instead of total_len, + or the if statement always returns false. + + Signed-off-by: Weiping Pan + Signed-off-by: David S. Miller + + drivers/net/tun.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 +Author: Guenter Roeck +Date: Fri Aug 16 20:50:55 2013 -0700 + + Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 + + s390: Fix broken build + + Fix this build error: + + In file included from fs/exec.c:61:0: + arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' + arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] + arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': + arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' + + Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range + invalidation corner cases"). + + Cc: Greg Kroah-Hartman + Cc: stable@vger.kernel.org + Signed-off-by: Guenter Roeck + [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] + Signed-off-by: Linus Torvalds + + arch/s390/include/asm/tlb.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4e57312c2de2a25ddb181d129dafbc0251062c33 +Author: Linus Torvalds +Date: Thu Aug 15 11:42:25 2013 -0700 + + Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce + + Fix TLB gather virtual address range invalidation corner cases + + Ben Tebulin reported: + + "Since v3.7.2 on two independent machines a very specific Git + repository fails in 9/10 cases on git-fsck due to an SHA1/memory + failures. This only occurs on a very specific repository and can be + reproduced stably on two independent laptops. Git mailing list ran + out of ideas and for me this looks like some very exotic kernel issue" + + and bisected the failure to the backport of commit 53a59fc67f97 ("mm: + limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). + + That commit itself is not actually buggy, but what it does is to make it + much more likely to hit the partial TLB invalidation case, since it + introduces a new case in tlb_next_batch() that previously only ever + happened when running out of memory. + + The real bug is that the TLB gather virtual memory range setup is subtly + buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: + enable tlb flush range in generic mmu_gather"), and the range handling + was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB + range flushed when __tlb_remove_page() runs out of slots"), but that fix + was not complete. + + The problem with the TLB gather virtual address range is that it isn't + set up by the initial tlb_gather_mmu() initialization (which didn't get + the TLB range information), but it is set up ad-hoc later by the + functions that actually flush the TLB. And so any such case that forgot + to update the TLB range entries would potentially miss TLB invalidates. + + Rather than try to figure out exactly which particular ad-hoc range + setup was missing (I personally suspect it's the hugetlb case in + zap_huge_pmd(), which didn't have the same logic as zap_pte_range() + did), this patch just gets rid of the problem at the source: make the + TLB range information available to tlb_gather_mmu(), and initialize it + when initializing all the other tlb gather fields. + + This makes the patch larger, but conceptually much simpler. And the end + result is much more understandable; even if you want to play games with + partial ranges when invalidating the TLB contents in chunks, now the + range information is always there, and anybody who doesn't want to + bother with it won't introduce subtle bugs. + + Ben verified that this fixes his problem. + + Reported-bisected-and-tested-by: Ben Tebulin + Build-testing-by: Stephen Rothwell + Build-testing-by: Richard Weinberger + Reviewed-by: Michal Hocko + Acked-by: Peter Zijlstra + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + arch/arm/include/asm/tlb.h | 7 +++++-- + arch/arm64/include/asm/tlb.h | 7 +++++-- + arch/ia64/include/asm/tlb.h | 9 ++++++--- + arch/s390/include/asm/tlb.h | 8 ++++++-- + arch/sh/include/asm/tlb.h | 6 ++++-- + arch/um/include/asm/tlb.h | 6 ++++-- + fs/exec.c | 4 ++-- + include/asm-generic/tlb.h | 2 +- + mm/hugetlb.c | 2 +- + mm/memory.c | 36 +++++++++++++++++++++--------------- + mm/mmap.c | 4 ++-- + 11 files changed, 57 insertions(+), 34 deletions(-) + +commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 +Merge: 5568c80 ffceabf +Author: Brad Spengler +Date: Sat Aug 17 09:11:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit ffceabfcc65c60109ba5fca694d78d4dc7047809 +Author: Brad Spengler +Date: Sat Aug 17 09:10:44 2013 -0400 + + Update to pax-linux-3.10.7-test11.patch: + - simplified some arm code + - disabled preemption when calling show_regs, reported by Corey Minyard + - added PCID based support for UDEREF on amd64 (blog will have more details) + - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc + - nopcid turns it off + - by default a strong form of UDEREF is used under PCID + - pax_weakuderef switches to the older, less secure UDEREF + - fixed several bugs that would also have manifested under SMAP + - INVPCID is used when available (Haswell) + - added a few more return insn instrumentation in new amd64 crypto code + + Documentation/kernel-parameters.txt | 7 + + arch/arm/include/asm/uaccess.h | 3 + + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ + arch/x86/ia32/ia32_signal.c | 2 +- + arch/x86/ia32/ia32entry.S | 24 ++++- + arch/x86/include/asm/cpufeature.h | 3 +- + arch/x86/include/asm/fpu-internal.h | 2 + + arch/x86/include/asm/futex.h | 4 + + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- + arch/x86/include/asm/pgtable.h | 10 +- + arch/x86/include/asm/processor.h | 15 +++- + arch/x86/include/asm/segment.h | 5 +- + arch/x86/include/asm/smap.h | 64 +++++++++++- + arch/x86/include/asm/tlbflush.h | 63 +++++++++-- + arch/x86/include/asm/uaccess.h | 18 +++- + arch/x86/include/asm/xsave.h | 4 + + arch/x86/kernel/cpu/common.c | 38 +++++++ + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- + arch/x86/kernel/head_32.S | 2 +- + arch/x86/kernel/head_64.S | 8 +- + arch/x86/kernel/process_64.c | 5 + + arch/x86/kernel/setup.c | 8 +- + arch/x86/kernel/signal.c | 4 +- + arch/x86/kernel/smpboot.c | 15 ++- + arch/x86/lib/copy_user_64.S | 50 +-------- + arch/x86/lib/copy_user_nocache_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 11 ++- + arch/x86/lib/memcpy_64.S | 4 +- + arch/x86/lib/memmove_64.S | 2 +- + arch/x86/lib/memset_64.S | 4 +- + arch/x86/lib/usercopy_64.c | 5 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/fault.c | 29 ++++-- + arch/x86/mm/init.c | 7 +- + arch/x86/mm/init_64.c | 9 ++- + arch/x86/mm/pageattr.c | 2 +- + arch/x86/mm/pgtable.c | 3 + + arch/x86/platform/efi/efi_32.c | 2 +- + arch/x86/platform/efi/efi_64.c | 2 +- + arch/x86/realmode/rm/trampoline_64.S | 1 + + fs/exec.c | 2 + + include/asm-generic/uaccess.h | 8 ++ + include/linux/compat.h | 1 + + include/linux/preempt.h | 19 +++ + include/linux/signal.h | 1 + + include/linux/smp.h | 2 + + init/main.c | 14 ++- + kernel/signal.c | 16 +++ + security/Kconfig | 5 + + tools/lib/lk/Makefile | 2 +- + tools/perf/Makefile | 2 +- + 64 files changed, 673 insertions(+), 136 deletions(-) + +commit 5568c8059e78d6d002815409df4e90c83b3b08a8 +Author: Brad Spengler +Date: Sat Aug 17 08:58:34 2013 -0400 + + Fix two harmless compiler warnings + + arch/arm/kernel/process.c | 4 ++-- + fs/exec.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 +Author: Brad Spengler +Date: Fri Aug 16 22:55:24 2013 -0400 + + Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b + + arch/arm/kernel/perf_event.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit 3637bc893b57a227b01852fe34685ab237285b10 +Author: Stephen Boyd +Date: Wed Aug 7 16:18:08 2013 -0700 + + Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb + + perf/arm: Fix armpmu_map_hw_event() + + Fix constraint check in armpmu_map_hw_event(). + + Reported-and-tested-by: Vince Weaver + Cc: + Signed-off-by: Ingo Molnar + Signed-off-by: Linus Torvalds + + arch/arm/kernel/perf_event.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 11802e1f961a088c39af58d1c1b14d861eedfb35 +Author: Brad Spengler +Date: Fri Aug 16 22:53:30 2013 -0400 + + More ARM backports + + arch/arm/kernel/entry-armv.S | 3 ++- + arch/arm/kernel/fiq.c | 8 ++------ + 2 files changed, 4 insertions(+), 7 deletions(-) + +commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea +Author: Brad Spengler +Date: Fri Aug 16 22:46:01 2013 -0400 + + Fix HIDESYM compatibility with kprobes, as reported by feandil at: + http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 + + include/linux/kallsyms.h | 2 +- + kernel/kprobes.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletions(-) + +commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 +Author: yonghua zheng +Date: Tue Aug 13 16:01:03 2013 -0700 + + fs/proc/task_mmu.c: fix buffer overflow in add_page_map() + + Recently we met quite a lot of random kernel panic issues after enabling + CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something + to do with following bug in pagemap: + + In struct pagemapread: + + struct pagemapread { + int pos, len; + pagemap_entry_t *buffer; + bool v2; + }; + + pos is number of PM_ENTRY_BYTES in buffer, but len is the size of + buffer, it is a mistake to compare pos and len in add_page_map() for + checking buffer is full or not, and this can lead to buffer overflow and + random kernel panic issue. + + Correct len to be total number of PM_ENTRY_BYTES in buffer. + + [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] + Signed-off-by: Yonghua Zheng + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/task_mmu.c + + fs/proc/task_mmu.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 0a3dac834746de241c10d4978bf61b4f146ba89d +Merge: dc19474 e12de30 +Author: Brad Spengler +Date: Fri Aug 16 17:39:01 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 +Author: Brad Spengler +Date: Fri Aug 16 17:34:47 2013 -0400 + + Update to pax-linux-3.10.7-test9.patch: + - Emese fixed a size overflow false positive reported by Sven Vermeulen + - fixed some arm compile problems reported by spender + - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard + eventually we'll have full REFCOUNT support on mips + + arch/arm/kernel/process.c | 5 ++- + arch/arm/mm/Kconfig | 2 +- + arch/arm/mm/fault.c | 3 ++ + arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ + mm/internal.h | 2 +- + 5 files changed, 65 insertions(+), 4 deletions(-) + +commit dc19474d0ea6ea3c939544ae5f906067b1784a10 +Merge: 51b78c0 82266f9 +Author: Brad Spengler +Date: Thu Aug 15 21:47:37 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 82266f90a3f87ab5017329fb539aebf94c42253a +Author: Brad Spengler +Date: Thu Aug 15 21:14:47 2013 -0400 + + Update to pax-linux-3.10.7-test9.patch + + arch/arm/kernel/process.c | 6 ++---- + 1 files changed, 2 insertions(+), 4 deletions(-) + +commit 51b78c06d1f41614f593cd36456b4af559e9d7fa +Merge: e32d904 cb77ead +Author: Brad Spengler +Date: Thu Aug 15 20:53:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit cb77ead0eccb5abb75f7e437a3725d0254558ccd +Merge: 13675b8 519be45 +Author: Brad Spengler +Date: Thu Aug 15 20:50:47 2013 -0400 + + Update to pax-linux-3.10.7-test8.patch + + Merge branch 'linux-3.10.y' into pax-test + +commit e32d904b87292288e74e2637b900fd1115687b8e +Author: Brad Spengler +Date: Sat Aug 10 09:41:40 2013 -0400 + + propagate the threadstack offset through to the topdown/bottomup allocators + on sparc64 hugepages + + arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c +Author: Oleg Nesterov +Date: Thu Aug 8 18:55:32 2013 +0200 + + Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 + + another local DoS found in reaction to the one I reported, + we don't allow unpriv user ns use so this doesn't matter much to us + + userns: limit the maximum depth of user_namespace->parent chain + + Ensure that user_namespace->parent chain can't grow too much. + Currently we use the hardroded 32 as limit. + + Reported-by: Andy Lutomirski + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + include/linux/user_namespace.h | 1 + + kernel/user_namespace.c | 4 ++++ + 2 files changed, 5 insertions(+), 0 deletions(-) + +commit 223ac007ef18bf3a5095ba0a56675c1f16200149 +Merge: 1c92de4 13675b8 +Author: Brad Spengler +Date: Thu Aug 8 20:45:24 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 13675b848cf02bffd26924b2b84d927095bc253d +Author: Brad Spengler +Date: Thu Aug 8 20:43:52 2013 -0400 + + Update to pax-linux-3.10.5-test8.patch: + - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) + - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard + - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard + + arch/arm/include/asm/pgtable-2level.h | 4 +++- + arch/arm/mm/proc-v7-2level.S | 3 --- + arch/mips/mm/fault.c | 8 ++++++++ + arch/x86/include/asm/processor.h | 3 ++- + include/linux/math64.h | 2 +- + security/Kconfig | 2 -- + 6 files changed, 14 insertions(+), 8 deletions(-) + +commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 +Merge: e65aa3d 1660f49 +Author: Brad Spengler +Date: Mon Aug 5 18:50:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 1660f496848b8400d263f7920989dae15e72185a +Merge: 7f91ba1 dc51cd2 +Author: Brad Spengler +Date: Mon Aug 5 18:50:12 2013 -0400 + + Update to pax-linux-3.10.5-test7.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/head_64.S + mm/mempolicy.c + +commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 +Author: Brad Spengler +Date: Mon Aug 5 17:58:42 2013 -0400 + + Disable RANDKSTACK for a VirtualBox host as mentioned on the + gentoo-hardened bugzilla: + https://bugs.gentoo.org/show_bug.cgi?id=382793 + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 +Author: Dan Carpenter +Date: Tue Jul 30 13:23:39 2013 +0300 + + Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 + + net_sched: info leak in atm_tc_dump_class() + + The "pvc" struct has a hole after pvc.sap_family which is not cleared. + + Signed-off-by: Dan Carpenter + Reviewed-by: Jiri Pirko + Signed-off-by: David S. Miller + + net/sched/sch_atm.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 50d20ebce56b6e0b9622685930e007e46c7c04bb +Author: Daniel Borkmann +Date: Fri Aug 2 11:32:43 2013 +0200 + + Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 + + net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails + + Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa + resource that was allocated via inet_alloc_ifa() unfreed when returning + the function with -EINVAL. Thus, free it first via inet_free_ifa(). + + Signed-off-by: Daniel Borkmann + Reviewed-by: Jiri Pirko + Signed-off-by: David S. Miller + + net/ipv4/devinet.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 +Author: Himanshu Madhani +Date: Fri Aug 2 23:15:56 2013 -0400 + + Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 + + qlcnic: Free up memory in error path. + + Signed-off-by: Himanshu Madhani + Signed-off-by: Shahed Shaikh + Signed-off-by: David S. Miller + + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a +Author: Shahed Shaikh +Date: Fri Aug 2 23:15:54 2013 -0400 + + Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f + + qlcnic: Fix MAC address filter issue on 82xx adapter + + Driver was passing the address of a pointer instead of + the pointer itself. + + Signed-off-by: Shahed Shaikh + Signed-off-by: David S. Miller + + drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 +Author: Brad Spengler +Date: Mon Aug 5 17:26:40 2013 -0400 + + Move user namespace capability check to shared create_user_ns code so we + cover unshare() as well. + + Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to + user namespaces! + + kernel/fork.c | 17 ----------------- + kernel/user_namespace.c | 24 ++++++++++++++++++++++-- + 2 files changed, 22 insertions(+), 19 deletions(-) + +commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 +Author: Brad Spengler +Date: Mon Aug 5 16:05:41 2013 -0400 + + silence a warning on older gcc + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b8966a5d577e9220fbc63306eee978f819f24e2e +Author: Brad Spengler +Date: Sat Aug 3 08:31:08 2013 -0400 + + we only care about mmaps of the beginning of an ELF, filter out + all others as suggested by pipacs + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb +Author: Brad Spengler +Date: Fri Aug 2 23:54:51 2013 -0400 + + add include + + grsecurity/grsec_log.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 +Author: Brad Spengler +Date: Fri Aug 2 23:49:13 2013 -0400 + + fix compilation + + include/linux/grinternal.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1704c23fdc55b68f512dc9927940e72237f3f43e +Author: Brad Spengler +Date: Fri Aug 2 23:34:35 2013 -0400 + + Improve PaX reporting (tells when anon mapping is stack or heap) + Remove textrel logging option, combine into rwx logging option + Enhance RWX logging option to display when PT_GNU_STACK-enabled library + is loaded under an MPROTECTed binary + Enhance RWX mprotect logging to display stack/heap instead of just + anon mapping + + fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ + fs/exec.c | 4 ++++ + grsecurity/Kconfig | 21 +++++---------------- + grsecurity/grsec_init.c | 4 ---- + grsecurity/grsec_log.c | 14 ++++++++++++++ + grsecurity/grsec_pax.c | 19 ++++++++++++++----- + grsecurity/grsec_sysctl.c | 9 --------- + include/linux/binfmts.h | 1 + + include/linux/grinternal.h | 2 +- + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 3 ++- + mm/mmap.c | 7 +++++++ + mm/mprotect.c | 2 +- + 13 files changed, 88 insertions(+), 38 deletions(-) + +commit faf81c100c8565524e21c9af780a0ad2ce3fd925 +Author: Brad Spengler +Date: Thu Aug 1 18:52:02 2013 -0400 + + add missing #define + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 +Author: Brad Spengler +Date: Thu Aug 1 18:43:53 2013 -0400 + + fix compilation for !COMPAT as reported on the forums + + grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- + 1 files changed, 97 insertions(+), 98 deletions(-) + +commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c +Merge: 65019c9 7f91ba1 +Author: Brad Spengler +Date: Wed Jul 31 17:47:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 65019c9bd05f860437071cbf00e2027fd2d68615 +Author: Brad Spengler +Date: Wed Jul 31 17:47:20 2013 -0400 + + Revert "revert recent PaX change that causes boot failures with 32bit userland" + + This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 +Author: Brad Spengler +Date: Wed Jul 31 17:46:00 2013 -0400 + + Update to pax-linux-3.10.4-test7.patch: + - added a few more missing format strings + - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable + - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time + - fixed a UDEREF/i386 regression, __get_user_8 would always fail + + arch/x86/include/asm/processor.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/dumpstack.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/lib/getuser.S | 4 +- + arch/x86/xen/smp.c | 2 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- + drivers/video/backlight/backlight.c | 2 +- + drivers/video/backlight/lcd.c | 2 +- + fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- + fs/exec.c | 50 +++++++++++++-------------- + include/linux/sched.h | 2 + + 14 files changed, 88 insertions(+), 47 deletions(-) + +commit 043130da54cb7cc8dc44e0ce889d426e889a0532 +Author: Brad Spengler +Date: Wed Jul 31 16:26:58 2013 -0400 + + compile fix for !COMPAT as mentioned on forums + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ed0a195abd4e41c2449a020a53a19c74dc866d78 +Author: Brad Spengler +Date: Tue Jul 30 22:33:14 2013 -0400 + + perform compat conversion of rlimit infinity + + grsecurity/gracl_compat.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 +Author: Brad Spengler +Date: Tue Jul 30 22:21:40 2013 -0400 + + remove debugging + + grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- + 1 files changed, 11 insertions(+), 33 deletions(-) + +commit e75b3f504692b97960a7530ad0855d91441d79c0 +Author: Brad Spengler +Date: Tue Jul 30 22:20:32 2013 -0400 + + eliminate compat_dev_t + + include/linux/gracl_compat.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit e5abbaf95313066a724e1a843d4fc902a9a6450e +Author: Brad Spengler +Date: Tue Jul 30 22:13:22 2013 -0400 + + fix compat rlimit size + + grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- + include/linux/gracl_compat.h | 4 +- + 2 files changed, 49 insertions(+), 23 deletions(-) + +commit 877d6c2f8b3518ff39601084560bb33c58d35a1f +Author: Brad Spengler +Date: Tue Jul 30 21:20:18 2013 -0400 + + compile fix + + grsecurity/gracl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 +Author: Brad Spengler +Date: Tue Jul 30 21:14:29 2013 -0400 + + copy correct pointer size in new compat code + + grsecurity/gracl.c | 8 ++++---- + grsecurity/gracl_compat.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 23278a1ee1c7738dd1e7005241394d32b82196e4 +Author: Brad Spengler +Date: Tue Jul 30 19:48:58 2013 -0400 + + revert recent PaX change that causes boot failures with 32bit userland + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit ec27f71a813656fea8ab37faecb2b485fe99d08e +Merge: 3a11bcf 05f0a61 +Author: Brad Spengler +Date: Tue Jul 30 19:42:21 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 +Author: Brad Spengler +Date: Tue Jul 30 19:41:44 2013 -0400 + + Update to pax-linux-3.10.4-test6.patch: + - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender + + include/linux/syscalls.h | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 +Author: Brad Spengler +Date: Tue Jul 30 19:15:50 2013 -0400 + + compile fix + + grsecurity/gracl_compat.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 +Author: Brad Spengler +Date: Tue Jul 30 19:12:46 2013 -0400 + + remove BUILD_BUG_ONs + + grsecurity/gracl_compat.c | 20 -------------------- + 1 files changed, 0 insertions(+), 20 deletions(-) + +commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 +Author: Brad Spengler +Date: Tue Jul 30 00:18:36 2013 -0400 + + compile fixes + + grsecurity/gracl_compat.c | 8 ++++---- + include/linux/gracl_compat.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 8b744005f8bae565e24c1fd88af77e6e619b9434 +Author: Brad Spengler +Date: Tue Jul 30 00:16:42 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_compat.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c +Author: Brad Spengler +Date: Tue Jul 30 00:13:51 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit b93b829afcc98b6108b18d99ff63c53642d0b951 +Author: Brad Spengler +Date: Tue Jul 30 00:11:03 2013 -0400 + + compile fixes + + grsecurity/gracl_compat.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 +Author: Brad Spengler +Date: Tue Jul 30 00:08:21 2013 -0400 + + more compile fixes + + grsecurity/gracl.c | 28 ++++++++++++++-------------- + 1 files changed, 14 insertions(+), 14 deletions(-) + +commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b +Author: Brad Spengler +Date: Mon Jul 29 23:59:50 2013 -0400 + + more compile fixes + + grsecurity/gracl.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 +Author: Brad Spengler +Date: Mon Jul 29 23:56:47 2013 -0400 + + additional compile fixes + + grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 files changed, 49 insertions(+), 10 deletions(-) + +commit ac695a081d1124fb28bec46814535d34c5e40611 +Author: Brad Spengler +Date: Mon Jul 29 23:47:15 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 +Author: Brad Spengler +Date: Mon Jul 29 23:46:59 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 14 deletions(-) + +commit 82631f451cc7432b6c5578cf8d24155473feb25c +Author: Brad Spengler +Date: Mon Jul 29 23:22:44 2013 -0400 + + Initial commit of compat RBAC loading + Permits 32bit gradm to load policy for a 64bit kernel + + Also removed code duplication for copying strings into the kernel + + Work performed as part of sponsorship + + grsecurity/Makefile | 4 + + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- + grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ + include/linux/gracl_compat.h | 156 +++++++++++++++++++++ + 4 files changed, 603 insertions(+), 142 deletions(-) + +commit 84c4a433dfb096e4a1162ee5e68025122c70b421 +Merge: c9d3ed3 9fe5897 +Author: Brad Spengler +Date: Mon Jul 29 17:08:56 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 9fe58978938e357642885866ca48090a7753d403 +Merge: 8f693ad 6f7bb6b +Author: Brad Spengler +Date: Mon Jul 29 17:08:43 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 +Merge: d5e5bfd 8f693ad +Author: Brad Spengler +Date: Sun Jul 28 10:03:08 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 8f693ade9b3e448f92706d34148b00a087637f70 +Author: Brad Spengler +Date: Sun Jul 28 10:02:16 2013 -0400 + + Update to pax-linux-3.10.3-test5.patch: + - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) + - fixed handling of faulting userland accesses for UDEREF/arm, from spender + - updated the size overflow hash table, from Emese + + arch/arm/kernel/entry-armv.S | 3 +- + arch/x86/include/asm/processor.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- + 7 files changed, 513 insertions(+), 55 deletions(-) + +commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 +Merge: 19e077b 8a8a0d0 +Author: Brad Spengler +Date: Thu Jul 25 21:05:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 +Author: Brad Spengler +Date: Thu Jul 25 21:04:09 2013 -0400 + + Update to pax-linux-3.10.3-test4.patch: + - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. + this is finer grained sanitization than the existing per-page based approach (which + is still done) at a somewhat higher performance cost. the pax_sanitize_slab command + line option can be used to enable/disable it on boot (it's enabled by default when + CONFIG_PAX_MEMORY_SANITIZE is enabled). + + Documentation/kernel-parameters.txt | 4 ++++ + fs/buffer.c | 2 +- + fs/dcache.c | 3 ++- + include/linux/slab.h | 7 +++++++ + include/linux/slab_def.h | 4 ++++ + kernel/fork.c | 2 +- + mm/rmap.c | 6 ++++-- + mm/slab.c | 27 +++++++++++++++++++++++++++ + mm/slab.h | 12 +++++++++++- + mm/slab_common.c | 14 ++++++++++++++ + mm/slob.c | 5 +++++ + mm/slub.c | 11 +++++++++++ + net/core/skbuff.c | 6 ++++-- + security/Kconfig | 23 +++++++++++++++++------ + 14 files changed, 112 insertions(+), 14 deletions(-) + +commit 19e077bfff54ca211d0142c07cb6dd88069a390c +Merge: 960ec51 c8f7f51 +Author: Brad Spengler +Date: Thu Jul 25 19:53:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c8f7f51591207b82530214300e86277028919286 +Merge: d5142e3 81a4648 +Author: Brad Spengler +Date: Thu Jul 25 19:52:29 2013 -0400 + + Update to pax-linux-3.10.3-test3.patch: + - fixed some compile issues reported by Michael Tremer and spender + - fixed an i386 regression with the lower address space gap on i386, reported by cnu + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + kernel/time/tick-broadcast.c + +commit 960ec51ab2142544fbae563d4fd5744775408965 +Author: Al Viro +Date: Sat Jul 20 03:13:55 2013 +0400 + + Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 + + livelock avoidance in sget() + + Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about + to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, + ->s_active is 1. Along comes two more processes, trying to mount the same + thing; sget() in each is picking that superblock, bumping ->s_count and + trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) + finally gets to deactivate_locked_super() on failure; ->s_active is 2, + superblock is still ->fs_supers because shutdown will *not* happen until + ->s_active hits 0. ->s_umount is dropped and now we have two processes + chasing each other: + s_active = 2, A acquired ->s_umount, B blocked + A sees that the damn thing is stillborn, does deactivate_locked_super() + s_active = 1, A drops ->s_umount, B gets it + A restarts the search and finds the same superblock. And bumps it ->s_active. + s_active = 2, B holds ->s_umount, A blocked on trying to get it + ... and we are in the earlier situation with A and B switched places. + + The root cause, of course, is that ->s_active should not grow until we'd + got MS_BORN. Then failing ->mount() will have deactivate_locked_super() + shut the damn thing down. Fortunately, it's easy to do - the key point + is that grab_super() is called only for superblocks currently on ->fs_supers, + so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and + bump ->s_active; we must never increment ->s_count for superblocks past + ->kill_sb(), but grab_super() is never called for those. + + The bug is pretty old; we would've caught it by now, if not for accidental + exclusion between sget() for block filesystems; the things like cgroup or + e.g. mtd-based filesystems don't have anything of that sort, so they get + bitten. The right way to deal with that is obviously to fix sget()... + + Signed-off-by: Al Viro + + fs/super.c | 25 ++++++++++--------------- + 1 files changed, 10 insertions(+), 15 deletions(-) + +commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 +Merge: ab95b58 d5142e3 +Author: Brad Spengler +Date: Sun Jul 21 22:47:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d5142e31785f8c32c7338c51fcc27313bdd4a84e +Merge: f36ae8c 0f4a56e +Author: Brad Spengler +Date: Sun Jul 21 22:47:34 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit ab95b5842899d61ff5c30f4582e72029b3155be8 +Author: Brad Spengler +Date: Sun Jul 21 22:28:40 2013 -0400 + + compile fix with constification reported by Michael Tremer + + drivers/gpu/host1x/drm/dc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 817cd2d1e7a55720326599dd8f542578eef30927 +Author: Hannes Frederic Sowa +Date: Fri Jul 12 23:46:33 2013 +0200 + + Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 + + ipv6: only static routes qualify for equal cost multipathing + + Static routes in this case are non-expiring routes which did not get + configured by autoconf or by icmpv6 redirects. + + To make sure we actually get an ecmp route while searching for the first + one in this fib6_node's leafs, also make sure it matches the ecmp route + assumptions. + + v2: + a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF + already ensures that this route, even if added again without + RTF_EXPIRES (in case of a RA announcement with infinite timeout), + does not cause the rt6i_nsiblings logic to go wrong if a later RA + updates the expiration time later. + + v3: + a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, + because an pmtu event could update the RTF_EXPIRES flag and we would + not count this route, if another route joins this set. We now filter + only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that + don't get changed after rt6_info construction. + + Cc: Nicolas Dichtel + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_fib.c | 15 +++++++++++---- + 1 files changed, 11 insertions(+), 4 deletions(-) + +commit 77db8196d51b043e2e2d124094da101b0f01bccb +Author: Dan Carpenter +Date: Fri Jul 12 09:39:03 2013 +0300 + + Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 + + svcrdma: underflow issue in decode_write_list() + + My static checker marks everything from ntohl() as untrusted and it + complains we could have an underflow problem doing: + + return (u32 *)&ary->wc_array[nchunks]; + + Also on 32 bit systems the upper bound check could overflow. + + Cc: stable@vger.kernel.org + Signed-off-by: Dan Carpenter + Signed-off-by: J. Bruce Fields + + net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ + 1 files changed, 14 insertions(+), 6 deletions(-) + +commit 926473317fd7953137ef97835edd36dabc584b01 +Author: Brad Spengler +Date: Wed Jul 17 21:29:02 2013 -0400 + + add missing asm/pgtable.h include, reported by Michael Tremer + + drivers/clk/socfpga/clk.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c592ae0001b31932ef1491784dfa374058797c66 +Author: Brad Spengler +Date: Tue Jul 16 20:40:24 2013 -0400 + + allow viewing of ecryptfs version under SYSFS_RESTRICT + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 +Merge: 9c96441 f36ae8c +Author: Brad Spengler +Date: Sun Jul 14 19:23:13 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f36ae8c741ae32b1caff10825be12c327792c925 +Author: Brad Spengler +Date: Sun Jul 14 19:22:15 2013 -0400 + + Update to pax-linux-3.10-test2.patch: + - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer + - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer + - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer + - spender fixed an madvise regression, reported by Peter Keel + - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) + - fixed a headers_install regression, reported by Mathias Krause + - fixed a SLOB compile regression, reported by Mathias Krause + + arch/arm/include/asm/uaccess.h | 4 ++-- + arch/arm/mm/mmu.c | 15 +++++++++++++-- + drivers/clk/socfpga/clk.c | 6 ++++-- + mm/madvise.c | 4 ++-- + mm/slab.c | 4 ++-- + mm/slob.c | 4 ++-- + scripts/headers_install.sh | 2 +- + 7 files changed, 26 insertions(+), 13 deletions(-) + +commit 9c9644156a49637050741d9165df79174e59b0ef +Author: Brad Spengler +Date: Sun Jul 14 19:19:54 2013 -0400 + + Fix sparc64 compilation, reported by Blake Self + + arch/sparc/kernel/sys_sparc_64.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 +Author: Brad Spengler +Date: Sun Jul 14 11:49:17 2013 -0400 + + Update PaX fix, just return the error + + mm/madvise.c | 15 +++++++-------- + 1 files changed, 7 insertions(+), 8 deletions(-) + +commit a10e377d0eddd37e8a3665b135e546ab03d9d171 +Author: Brad Spengler +Date: Sun Jul 14 11:36:00 2013 -0400 + + Fix madvise oops reported by Peter Keel + + mm/madvise.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit 08c5adca34d408772255b313f90d82c250c1d967 +Author: Brad Spengler +Date: Sun Jul 14 11:26:34 2013 -0400 + + don't make high vector mapping non-present on old ARM architectures, no + point in emulating some vector entries when the processor doesn't even support XN + + arch/arm/mm/mmu.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 2b40781d4197a89a003616af584884e36361c5b2 +Author: Brad Spengler +Date: Sun Jul 14 09:51:58 2013 -0400 + + Temporary compile fix for code incorrectly modifying const data + Wrap a cast version of the code with open/close + + Thanks to Michael Tremer for the report + + drivers/clk/socfpga/clk.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit a8258c1b4098c396cd4ea719e20858182feac1c1 +Author: Brad Spengler +Date: Sun Jul 14 09:41:16 2013 -0400 + + Fix missing right parens in pipacs' "improvement" of my ARM code ;) + Thanks to Michael Tremer for reporting + + arch/arm/include/asm/uaccess.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 8542e1e973be7cc9a009d2ada8033576b2890e6f +Merge: 86f446e 2577f8e +Author: Brad Spengler +Date: Sat Jul 13 20:46:58 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + mm/memcontrol.c + +commit 2577f8e4ec41efb347706a59c6838de20f0c90da +Merge: 75a36f0 cb5d8be +Author: Brad Spengler +Date: Sat Jul 13 20:43:42 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + crypto/algapi.c + drivers/block/nbd.c + +commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 +Author: Brad Spengler +Date: Fri Jul 12 23:02:11 2013 -0400 + + we always want the vector page to be noaccess for userland + therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY + which turns into supervisor rwx, userland rx, we instead omit that entirely, + leaving it as supervisor rwx only + + Fixes booting on ARMv5 and earlier, which need to write directly + to the high vector mapping via set_tls when context switching + + Thanks to Michael Tremer for the bugreport + + arch/arm/mm/mmu.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit 90cd0827eef656ec884f19c977873fefe2f2e47d +Author: Cong Wang +Date: Sat Jun 29 12:02:59 2013 +0800 + + Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 + + gre: fix a regression in ioctl + + When testing GRE tunnel, I got: + + # ip tunnel show + get tunnel gre0 failed: Invalid argument + get tunnel gre1 failed: Invalid argument + + This is a regression introduced by commit c54419321455631079c7d + ("GRE: Refactor GRE tunneling code.") because previously we + only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, + after that commit, the check is moved for all commands. + + So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. + + After this patch I got: + + # ip tunnel show + gre0: gre/ip remote any local any ttl inherit nopmtudisc + gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit + + Cc: Pravin B Shelar + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + net/ipv4/ip_gre.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 +Author: Cong Wang +Date: Sat Jun 29 13:00:57 2013 +0800 + + Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 + + vti: remove duplicated code to fix a memory leak + + vti module allocates dev->tstats twice: in vti_fb_tunnel_init() + and in vti_tunnel_init(), this lead to a memory leak of + dev->tstats. + + Just remove the duplicated operations in vti_fb_tunnel_init(). + + (candidate for -stable) + + Cc: Stephen Hemminger + Cc: Saurabh Mohan + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Acked-by: Stephen Hemminger + Signed-off-by: David S. Miller + + net/ipv4/ip_vti.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd +Author: Michal Schmidt +Date: Mon Jul 1 17:23:05 2013 +0200 + + Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a + + bnx2x: remove zeroing of dump data buffer + + There is no need to initialize the dump data with zeros. + data is allocated with vzalloc, so it's already zero-filled. + + More importantly, the memset is harmful, because dump->len (the length + requested by userspace) can be bigger than the allocated buffer (whose + size is determined by asking the driver's .get_dump_flag method). + + Signed-off-by: Michal Schmidt + Signed-off-by: David S. Miller + + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit c771072b72c261f9bddd6734dca6979c1b96e7df +Author: Michal Schmidt +Date: Mon Jul 1 17:23:06 2013 +0200 + + Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 + + bnx2x: fix dump flag handling + + bnx2x interprets the dump flag as an index of a register preset. + It is important to validate the index to avoid out of bounds + memory accesses. + + Signed-off-by: Michal Schmidt + Signed-off-by: David S. Miller + + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ + 2 files changed, 5 insertions(+), 0 deletions(-) + +commit aed315c8fad9b2044143b46b239574b1b72135ce +Author: Michal Schmidt +Date: Mon Jul 1 17:23:30 2013 +0200 + + Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 + + ethtool: make .get_dump_data() harder to misuse by drivers + + As the patch "bnx2x: remove zeroing of dump data buffer" showed, + it is too easy implement .get_dump_data incorrectly in a driver. + + Let's make sure drivers cannot get confused by userspace requesting + a too big dump. + + Also WARN if the driver sets dump->len to something weird and make + sure the length reported to userspace is the actual length of data + copied to userspace. + + Signed-off-by: Michal Schmidt + Reviewed-by: Ben Hutchings + Signed-off-by: David S. Miller + + net/core/ethtool.c | 21 ++++++++++++++++++++- + 1 files changed, 20 insertions(+), 1 deletions(-) + +commit 5c57991e66216e386dcc875d34c33f0edd038569 +Author: Wei Yongjun +Date: Tue Jul 2 09:02:07 2013 +0800 + + Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd + + l2tp: add missing .owner to struct pppox_proto + + Add missing .owner of struct pppox_proto. This prevents the + module from being removed from underneath its users. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 +Author: Benjamin Herrenschmidt +Date: Sun Jun 30 14:37:11 2013 +1000 + + Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 + + cxgb3: Missing rtnl lock in error recovery + + When exercising error injection on IBM pseries machine, I hit the + following warning: + + [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 + [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) + [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 + [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) + [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 + [ 254.895474] Call Trace: + [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) + [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c + [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 + [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] + [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] + [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 + [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 + [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 + [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 + [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 + [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 + + It appears that t3_resume_ports() is called with the rtnl_lock held from + the fatal error task but not from the PCI error callbacks. This fixes it. + + Signed-off-by: Benjamin Herrenschmidt + Signed-off-by: David S. Miller + + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 +Author: Hannes Frederic Sowa +Date: Mon Jul 1 20:21:30 2013 +0200 + + Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 + + ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data + + We accidentally call down to ip6_push_pending_frames when uncorking + pending AF_INET data on a ipv6 socket. This results in the following + splat (from Dave Jones): + + skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:126! + invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth + +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c + CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 + task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 + RIP: 0010:[] [] skb_panic+0x63/0x65 + RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 + RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 + RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 + RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 + R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 + FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 + Stack: + ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 + ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 + ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 + Call Trace: + [] skb_push+0x3a/0x40 + [] ip6_push_pending_frames+0x1f6/0x4d0 + [] ? mark_held_locks+0xbb/0x140 + [] udp_v6_push_pending_frames+0x2b9/0x3d0 + [] ? udplite_getfrag+0x20/0x20 + [] udp_lib_setsockopt+0x1aa/0x1f0 + [] ? fget_light+0x387/0x4f0 + [] udpv6_setsockopt+0x34/0x40 + [] sock_common_setsockopt+0x14/0x20 + [] SyS_setsockopt+0x71/0xd0 + [] tracesys+0xdd/0xe2 + Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 + RIP [] skb_panic+0x63/0x65 + RSP + + This patch adds a check if the pending data is of address family AF_INET + and directly calls udp_push_ending_frames from udp_v6_push_pending_frames + if that is the case. + + This bug was found by Dave Jones with trinity. + + (Also move the initialization of fl6 below the AF_INET check, even if + not strictly necessary.) + + Cc: Dave Jones + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + include/net/udp.h | 1 + + net/ipv4/udp.c | 3 ++- + net/ipv6/udp.c | 7 ++++++- + 3 files changed, 9 insertions(+), 2 deletions(-) + +commit cd83094a85d9bbd5a67332156407d53cf8835432 +Author: Hannes Frederic Sowa +Date: Tue Jul 2 08:04:05 2013 +0200 + + Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be + + ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size + + If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track + of this when appending the second frame on a corked socket. This results + in the following splat: + + [37598.993962] ------------[ cut here ]------------ + [37598.994008] kernel BUG at net/core/skbuff.c:2064! + [37598.994008] invalid opcode: 0000 [#1] SMP + [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat + +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi + +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm + [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc + +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video + [37598.994008] CPU 0 + [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG + [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 + [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 + [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 + [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 + [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 + [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 + [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 + [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 + [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 + [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) + [37598.994008] Stack: + [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 + [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 + [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 + [37598.994008] Call Trace: + [37598.994008] [] ip6_append_data+0xccf/0xfe0 + [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 + [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 + [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 + [37598.994008] [] ? sock_has_perm+0x75/0x90 + [37598.994008] [] inet_sendmsg+0x63/0xb0 + [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 + [37598.994008] [] sock_sendmsg+0xb0/0xe0 + [37598.994008] [] ? __switch_to+0x181/0x4a0 + [37598.994008] [] sys_sendto+0x12d/0x180 + [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 + [37598.994008] [] ? syscall_trace_enter+0x231/0x240 + [37598.994008] [] tracesys+0xdd/0xe2 + [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 + [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 + [37598.994008] RSP + [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- + + While there, also check if path mtu discovery is activated for this + socket. The logic was adapted from ip6_append_data when first writing + on the corked socket. + + This bug was introduced with commit + 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec + fragment"). + + v2: + a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. + b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao + feng, thanks!). + c) Change mtu to unsigned int, else we get a warning about + non-matching types because of the min()-macro type-check. + + Acked-by: Gao feng + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 16 ++++++++++------ + 1 files changed, 10 insertions(+), 6 deletions(-) + +commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c +Author: Michael S. Tsirkin +Date: Sun Jul 7 14:26:53 2013 +0300 + + Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 + + vhost-net: fix use-after-free in vhost_net_flush + + vhost_net_ubuf_put_and_wait has a confusing name: + it will actually also free it's argument. + Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 + "vhost-net: flush outstanding DMAs on memory change" + vhost_net_flush tries to use the argument after passing it + to vhost_net_ubuf_put_and_wait, this results + in use after free. + To fix, don't free the argument in vhost_net_ubuf_put_and_wait, + add an new API for callers that want to free ubufs. + + Acked-by: Asias He + Acked-by: Jason Wang + Signed-off-by: Michael S. Tsirkin + Signed-off-by: David S. Miller + + drivers/vhost/net.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 088806db74ac2f08c106202bc5498585a9ee529f +Author: Michal Hocko +Date: Mon Jul 8 16:00:29 2013 -0700 + + Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b + + memcg, kmem: fix reference count handling on the error path + + mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. + This is not correct because only memcg_propagate_kmem takes an + additional reference while mem_cgroup_sockets_init is allowed to fail as + well (although no current implementation fails) but it doesn't take any + reference. This all suggests that it should be memcg_propagate_kmem + that should clean up after itself so this patch moves mem_cgroup_put + over there. + + Unfortunately this is not that easy (as pointed out by Li Zefan) because + memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is + marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if + memcg_propagate_kmem fails so the additional reference is dropped in + that case in kmem_cgroup_destroy which means that the reference would be + dropped two times. + + The easiest way then would be to simply remove mem_cgrroup_put from + mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right + thing. + + Signed-off-by: Michal Hocko + Signed-off-by: Li Zefan + Acked-by: KAMEZAWA Hiroyuki + Cc: Hugh Dickins + Cc: Tejun Heo + Cc: Glauber Costa + Cc: Johannes Weiner + Cc: [3.8] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/memcontrol.c | 8 -------- + 1 files changed, 0 insertions(+), 8 deletions(-) + +commit 08bfb6e700d13886ed722c2236e1ec10f03a95df +Author: Michal Hocko +Date: Mon Jul 8 16:00:27 2013 -0700 + + Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 + + Revert "memcg: avoid dangling reference count in creation failure" + + This reverts commit e4715f01be697a. + + mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops + an additional reference from all parents so the additional + mem_cgrroup_put(parent) potentially causes use-after-free. + + Signed-off-by: Michal Hocko + Signed-off-by: Li Zefan + Acked-by: KAMEZAWA Hiroyuki + Cc: Hugh Dickins + Cc: Tejun Heo + Cc: Glauber Costa + Cc: Johannes Weiner + Cc: [3.9+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/memcontrol.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit 3267ec559f48327a1836eccecd53215afc5810d0 +Author: Tyler Hicks +Date: Thu Jun 20 13:13:59 2013 -0700 + + Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e + + libceph: Fix NULL pointer dereference in auth client code + + A malicious monitor can craft an auth reply message that could cause a + NULL function pointer dereference in the client's kernel. + + To prevent this, the auth_none protocol handler needs an empty + ceph_auth_client_ops->build_request() function. + + CVE-2013-1059 + + Signed-off-by: Tyler Hicks + Reported-by: Chanam Park + Reviewed-by: Seth Arnold + Reviewed-by: Sage Weil + Cc: stable@vger.kernel.org + + net/ceph/auth_none.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit cdfeb4049e7cb38702215b2c356ce0407974ac79 +Author: Eric Paris +Date: Wed Jul 3 15:08:29 2013 -0700 + + Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 + + fork: reorder permissions when violating number of processes limits + + When a task is attempting to violate the RLIMIT_NPROC limit we have a + check to see if the task is sufficiently priviledged. The check first + looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. + + A result is that tasks which are allowed by the uid=0 check are first + checked against the security subsystem. This results in the security + subsystem auditting a denial for sys_admin and sys_resource and then the + task passing the uid=0 check. + + This patch rearranges the code to first check uid=0, since if we pass that + we shouldn't hit the security system at all. We then check sys_resource, + since it is the smallest capability which will solve the problem. Lastly + we check the fallback everything cap_sysadmin. We don't want to give this + capability many places since it is so powerful. + + This will eliminate many of the false positive/needless denial messages we + get when a root task tries to violate the nproc limit. (note that + kthreads count against root, so on a sufficiently large machine we can + actually get past the default limits before any userspace tasks are + launched.) + + Signed-off-by: Eric Paris + Cc: Al Viro + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/fork.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 08c87e049c8a50707908785d950fd48c334f4c09 +Author: Chen Gang +Date: Sat Jun 22 13:26:09 2013 +0800 + + Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 + + arch: sparc: kernel: check the memory length before use strcpy(). + + For the related next strcpy(), the destination length is less than 512, + but the source maximize length may be 'OPROMMAXPARAM' (4096) which is + more than 512. + + One work flow may: + openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) + getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. + opromsetopt() -> devide the buffer into 'var' and 'value' + of_set_property() -> pass + prom_setprop() -> pass + ldom_set_var() + + And do not mind the additional 4 alignment buffer increasing, since + 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. + + Signed-off-by: Chen Gang + Signed-off-by: David S. Miller + + arch/sparc/kernel/ds.c | 10 ++++++++++ + 1 files changed, 10 insertions(+), 0 deletions(-) + +commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 +Author: Brad Spengler +Date: Fri Jul 12 20:38:45 2013 -0400 + + Fix SLAB boot errors due to PAX_USERCOPY reported on the forums + + Unlike slub, slab can initally create two of the kmalloc_caches + which will be used later for generic kmallocs of their particular + aligned size (since the later loop in the unified allocator code + skips any already-existing kmalloc_caches) + + mm/slab.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 +Author: Brad Spengler +Date: Tue Jul 9 22:04:59 2013 -0400 + + compile fixes + + fs/exec.c | 2 +- + mm/mmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit e2d027c7e0f106be683c0c72482b8285daefcbe6 +Author: Brad Spengler +Date: Tue Jul 9 20:58:40 2013 -0400 + + commit successful merges + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 3 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 1 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 129 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/block/cpqarray.c | 1 + + drivers/cdrom/cdrom.c | 4 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/mwave/tp3780i.c | 1 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 9 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 184 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/resize.c | 17 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 234 ++- + fs/namespace.c | 16 + + fs/notify/fanotify/fanotify_user.c | 1 + + fs/open.c | 38 + + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/perf_event.h | 13 +- + include/linux/printk.h | 3 +- + include/linux/sched.h | 24 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 64 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 2 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 7 + + kernel/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 70 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 1 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 63 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev_ioctl.c | 4 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 4 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netrom/af_netrom.c | 1 - + net/phonet/af_phonet.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 343 +++- + security/apparmor/Kconfig | 9 + + security/apparmor/apparmorfs.c | 231 ++ + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 242 files changed, 4385 insertions(+), 2042 deletions(-) + +commit 043a378c0f72ed92cc30182c48abce39867ac93f +Author: Brad Spengler +Date: Tue Jul 9 20:57:40 2013 -0400 + + Commit merge of new files and rejected patches + + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/kernel/process.c | 4 +- + arch/powerpc/include/asm/thread_info.h | 7 +- + arch/powerpc/mm/slice.c | 2 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/x86/kernel/vm86_32.c | 15 + + fs/coredump.c | 1 + + fs/ext4/balloc.c | 4 +- + fs/namei.c | 7 + + fs/namespace.c | 8 + + fs/pipe.c | 2 +- + fs/proc/inode.c | 13 + + fs/proc/internal.h | 3 + + grsecurity/Kconfig | 1054 +++++++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 ++++ + grsecurity/gracl_ip.c | 387 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 434 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 +++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 +++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 246 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/gracl.h | 319 +++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 ++ + include/linux/grinternal.h | 227 ++ + include/linux/grmsg.h | 112 + + include/linux/grsecurity.h | 241 ++ + include/linux/grsock.h | 19 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/proc_fs.h | 13 + + include/linux/sched.h | 48 +- + include/trace/events/fs.h | 53 + + kernel/kmod.c | 7 +- + kernel/panic.c | 2 +- + kernel/posix-timers.c | 1 + + kernel/time/timekeeping.c | 2 + + lib/Kconfig.debug | 2 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/mmap.c | 13 +- + mm/shmem.c | 2 +- + net/core/net-procfs.c | 5 + + net/ipv6/udp.c | 3 + + net/netfilter/xt_gradm.c | 51 + + 66 files changed, 11184 insertions(+), 21 deletions(-) + +commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 +Author: Brad Spengler +Date: Tue Jul 9 17:35:47 2013 -0400 + + Initial import of pax-linux-3.10-test1.patch + + Documentation/dontdiff | 46 +- + Documentation/kernel-parameters.txt | 12 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 444 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 14 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 15 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 91 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 187 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 + + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 22 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 +- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 67 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 122 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 33 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 28 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 +- + arch/x86/kernel/entry_64.S | 548 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 237 +- + arch/x86/kernel/head_64.S | 143 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 2 + + arch/x86/kernel/setup.c | 21 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 61 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 70 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 363 +- + arch/x86/lib/usercopy_64.c | 13 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 556 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 98 +- + arch/x86/mm/init_32.c | 113 +- + arch/x86/mm/init_64.c | 38 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/genhd.c | 11 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/algapi.c | 2 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 6 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/attribute_container.c | 2 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/nbd.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 45 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clocksource/arm_arch_timer.c | 2 +- + drivers/clocksource/metag_generic.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_ondemand.c | 8 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 6 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 4 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vhost/vringh.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/output.c | 2 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 12 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 607 ++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/fhandle.c | 3 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/lockd/svc.c | 2 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 10 +- + fs/nfs/callback.c | 4 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfs/nfs4state.c | 2 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 61 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 12 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 40 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 4 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpu.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 15 + + include/linux/math64.h | 6 +- + include/linux/mm.h | 116 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 12 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-ohci-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/proc_ns.h | 2 +- + include/linux/random.h | 5 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 65 +- + include/linux/sched/sysctl.h | 1 + + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 42 +- + include/linux/slab_def.h | 28 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 8 +- + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 10 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 12 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/netns/ipv6.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 42 +- + init/main.c | 83 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditfilter.c | 2 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 38 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 30 +- + kernel/events/internal.h | 10 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 11 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 22 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 76 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 51 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 18 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 6 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 6 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 15 +- + mm/mmap.c | 606 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 4 +- + mm/page_alloc.c | 41 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 79 +- + mm/slab.h | 5 +- + mm/slab_common.c | 46 +- + mm/slob.c | 201 +- + mm/slub.c | 79 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 77 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_core.c | 8 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 18 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 8 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 4 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 29 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 676 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 2 +- + sound/sound_core.c | 2 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 172 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 560 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 ++ + tools/gcc/latent_entropy_plugin.c | 327 ++ + tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2114 +++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 277 + + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1607 files changed, 30734 insertions(+), 7318 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 +Author: Brad Spengler +Date: Thu Jul 4 23:05:14 2013 -0400 + + always enforce a non-zero gap for RAND_THREADSTACK + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 40d67e38a42d4e94b43b3d7400addc662b9857dc +Author: Brad Spengler +Date: Thu Jul 4 16:09:28 2013 -0400 + + fix up file comparisons + + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_sig.c | 4 ++-- + include/linux/grinternal.h | 12 ++++++++++++ + 3 files changed, 15 insertions(+), 3 deletions(-) + +commit a1fff2c95162314626dd96bec71d951a8c1c4708 +Author: Brad Spengler +Date: Thu Jul 4 15:33:18 2013 -0400 + + fix suid binary matching + + grsecurity/grsec_sig.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 00131c458eea5200971c8fc326e90fdb6c2d0baa +Merge: 37b97a9 47beb61 +Author: Brad Spengler +Date: Thu Jul 4 15:02:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 +Author: Brad Spengler +Date: Thu Jul 4 15:01:37 2013 -0400 + + Update to pax-linux-3.9.9-test13.patch: + - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) + - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) + + arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- + arch/arm/kernel/armksyms.c | 2 +- + arch/arm/kernel/entry-armv.S | 4 ++-- + arch/arm/mm/Kconfig | 2 +- + arch/x86/ia32/ia32entry.S | 4 ++-- + arch/x86/include/asm/page.h | 1 + + arch/x86/kernel/entry_32.S | 4 ++-- + arch/x86/kernel/entry_64.S | 8 ++++---- + arch/x86/kernel/head64.c | 12 ++++++------ + arch/x86/kernel/head_64.S | 16 ++++++++++++---- + arch/x86/mm/init.c | 8 ++++++++ + arch/x86/mm/init_32.c | 6 ------ + arch/x86/mm/init_64.c | 6 ------ + arch/x86/platform/efi/efi_32.c | 5 +++++ + arch/x86/platform/efi/efi_64.c | 10 ++++++++++ + 15 files changed, 64 insertions(+), 44 deletions(-) + +commit 89085d2d0643813a62f23d1199a335dc1e129bc0 +Merge: 963af7f 0adf2e7 +Author: Brad Spengler +Date: Thu Jul 4 14:55:44 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 +Author: Brad Spengler +Date: Thu Jul 4 13:46:02 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 +Author: Brad Spengler +Date: Thu Jul 4 13:29:51 2013 -0400 + + update log arguments + + grsecurity/grsec_sig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 +Author: Brad Spengler +Date: Thu Jul 4 13:20:23 2013 -0400 + + Update logging of suid exec ban + + Conflicts: + + grsecurity/grsec_sig.c + + grsecurity/grsec_sig.c | 3 +-- + include/linux/grmsg.h | 1 + + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit ef808866c070aa1901bd2224521baaf5d145a3a7 +Author: Brad Spengler +Date: Thu Jul 4 12:58:33 2013 -0400 + + Additional improvements to the user banning code: + + Separate the kernel-bruteforcing case from the suid bruteforcing case + In the suid bruteforcing case, only kill existing copies of the bruteforced + binary. Instead of preventing all future execs by this user, prevent them + from executing any suid/sgid binaries for the next 15 minutes. + + Kernel case is mostly unchanged from before, except the task trying to change + real uid to the banned user will be terminated instead of failing the setuid + call. + + Configuration help has been updated to reflect the new changes. + + fs/exec.c | 13 +++++--- + grsecurity/Kconfig | 5 ++- + grsecurity/gracl.c | 6 ++-- + grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ + include/linux/grsecurity.h | 1 - + include/linux/sched.h | 9 +++-- + 6 files changed, 65 insertions(+), 45 deletions(-) + +commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 +Author: Brad Spengler +Date: Wed Jul 3 16:14:09 2013 -0400 + + fix renamed export of csum_partial_copy_from_user, as reported by fabled + on the forums + + arch/arm/kernel/armksyms.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 318235973c2a548c3d25562645d6b69f66e85934 +Author: Brad Spengler +Date: Wed Jul 3 16:09:16 2013 -0400 + + make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error + reported on the forums by fabled + + arch/arm/mm/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b569a7f60fab7a522d8c142765c8b847bbce8a1e +Author: Brad Spengler +Date: Wed Jul 3 15:53:12 2013 -0400 + + Revise the user ban code to kill the process issuing a banned + set*id instead of returning an error. For the sake of keeping + unified user banning between the suid and kernel bruteforce case, + we will apply this killing to the suid bruteforce case, despite + a check just at exec time (that already existed) being sufficient. + + Returning an error could enable exploitation of the "failure to check + setuid return value" case which was recently effectively closed + upstream, albeit in a rare situation with a suitable binary and + two colluding users. + + Many thanks to stealth for reviewing the user ban code. + + grsecurity/gracl.c | 4 ++-- + grsecurity/grsec_sig.c | 16 +++++++++++++--- + 2 files changed, 15 insertions(+), 5 deletions(-) + +commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f +Author: Artem Bityutskiy +Date: Fri Jun 28 14:15:15 2013 +0300 + + Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d + + UBIFS: fix a horrid bug + + Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no + mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are + in the middle of 'ubifs_readdir()'. + + This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses + it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, + but this may corrupt memory and lead to all kinds of problems like crashes an + security holes. + + This patch fixes the problem by using the 'file->f_version' field, which + '->llseek()' always unconditionally sets to zero. We set it to 1 in + 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a + seek and it is time to clear the state saved in 'file->private_data'. + + I tested this patch by writing a user-space program which runds readdir and + seek in parallell. I could easily crash the kernel without these patches, but + could not crash it with these patches. + + Cc: stable@vger.kernel.org + Reported-by: Al Viro + Tested-by: Artem Bityutskiy + Signed-off-by: Artem Bityutskiy + Signed-off-by: Al Viro + + fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- + 1 files changed, 27 insertions(+), 3 deletions(-) + +commit c22280b85088978bd8b45bd23096879459b48008 +Author: Stephane Eranian +Date: Thu Jun 20 11:36:28 2013 +0200 + + Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 + + perf: Disable monitoring on setuid processes for regular users + + There was a a bug in setup_new_exec(), whereby + the test to disabled perf monitoring was not + correct because the new credentials for the + process were not yet committed and therefore + the get_dumpable() test was never firing. + + The patch fixes the problem by moving the + perf_event test until after the credentials + are committed. + + Signed-off-by: Stephane Eranian + Tested-by: Jiri Olsa + Acked-by: Peter Zijlstra + Cc: + Signed-off-by: Ingo Molnar + + fs/exec.c | 16 +++++++++------- + 1 files changed, 9 insertions(+), 7 deletions(-) + +commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 +Author: Brad Spengler +Date: Sat Jun 29 13:10:02 2013 -0400 + + on context switch, make sure we switch DACR when domain support and + KERNEXEC is disabled but UDEREF is enabled + + arch/arm/kernel/entry-armv.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 08d017fa51370921694ce087b28c96fec92993d4 +Author: Michael S. Tsirkin +Date: Sun Jun 23 17:26:58 2013 +0300 + + Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 + + macvtap: fix recovery from gup errors + + get user pages might fail partially in macvtap zero copy + mode. To recover we need to put all pages that we got, + but code used a wrong index resulting in double-free + errors. + + Reported-by: Brad Hubbard + Signed-off-by: Michael S. Tsirkin + Acked-by: Jason Wang + Signed-off-by: David S. Miller + + drivers/net/macvtap.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be +Author: Michael S. Tsirkin +Date: Sun Jun 23 17:19:03 2013 +0300 + + Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 + + tun: fix recovery from gup errors + + get user pages might fail partially in tun zero copy + mode. To recover we need to put all pages that we got, + but code used a wrong index resulting in double-free + errors. + + Reported-by: Brad Hubbard + Signed-off-by: Michael S. Tsirkin + Acked-by: Jason Wang + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + drivers/net/tun.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 +Author: Balazs Peter Odor +Date: Sat Jun 22 19:24:43 2013 +0200 + + Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 + + netfilter: nf_nat_sip: fix mangling + + In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) + there were some missing brackets around the logging information, thus + always returning drop. + + Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 + + Signed-off-by: Balazs Peter Odor + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_nat_sip.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 +Author: Anderson Lizardo +Date: Sun Jun 2 16:30:40 2013 -0400 + + Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d + + Bluetooth: Fix crash in l2cap_build_cmd() with small MTU + + If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus + controller, memory corruption happens due to a memcpy() call with + negative length. + + Fix this crash on either incoming or outgoing connections with a MTU + smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: + + [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 + [ 46.888037] IP: [] memcpy+0x1d/0x40 + [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 + [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC + [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common + [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 + [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 + [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] + [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 + [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 + [ 46.888037] EIP is at memcpy+0x1d/0x40 + [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 + [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c + [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 + [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 + [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 + [ 46.888037] DR6: ffff0ff0 DR7: 00000400 + [ 46.888037] Stack: + [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 + [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 + [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 + [ 46.888037] Call Trace: + [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] + [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] + [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] + [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 + [ 46.888037] [] ? mark_held_locks+0x68/0x110 + [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 + [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 + [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 + [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 + [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 + [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] + [ 46.888037] [] ? mark_held_locks+0x68/0x110 + [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 + [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 + [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] + [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] + [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] + [ 46.888037] [] process_one_work+0x1a9/0x600 + [ 46.888037] [] ? process_one_work+0x12b/0x600 + [ 46.888037] [] ? worker_thread+0x19e/0x320 + [ 46.888037] [] ? worker_thread+0x19e/0x320 + [ 46.888037] [] worker_thread+0xf7/0x320 + [ 46.888037] [] ? rescuer_thread+0x290/0x290 + [ 46.888037] [] kthread+0xa8/0xb0 + [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 + [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 + [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 + [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c + [ 46.888037] CR2: 00000000f56ad000 + [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- + + Signed-off-by: Anderson Lizardo + Cc: stable@vger.kernel.org + Signed-off-by: Gustavo Padovan + Signed-off-by: John W. Linville + + net/bluetooth/l2cap_core.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit b0471b6c1160858fc646d8e94628fd1299f61692 +Author: Jaganath Kanakkassery +Date: Fri Jun 21 19:55:11 2013 +0530 + + Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 + + Bluetooth: Fix invalid length check in l2cap_information_rsp() + + The length check is invalid since the length varies with type of + info response. + + This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 + + Because of this, l2cap info rsp is not handled and command reject is sent. + + > ACL data: handle 11 flags 0x02 dlen 16 + L2CAP(s): Info rsp: type 2 result 0 + Extended feature mask 0x00b8 + Enhanced Retransmission mode + Streaming mode + FCS Option + Fixed Channels + < ACL data: handle 11 flags 0x00 dlen 10 + L2CAP(s): Command rej: reason 0 + Command not understood + + Cc: stable@vger.kernel.org + Signed-off-by: Jaganath Kanakkassery + Signed-off-by: Chan-Yeol Park + Acked-by: Johan Hedberg + Signed-off-by: Gustavo Padovan + + net/bluetooth/l2cap_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4184af98c360d825e638b268b1a9847232e8d299 +Author: Eric Dumazet +Date: Wed Jun 26 04:15:07 2013 -0700 + + Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 + + ipv6: ip6_sk_dst_check() must not assume ipv6 dst + + It's possible to use AF_INET6 sockets and to connect to an IPv4 + destination. After this, socket dst cache is a pointer to a rtable, + not rt6_info. + + ip6_sk_dst_check() should check the socket dst cache is IPv6, or else + various corruptions/crashes can happen. + + Dave Jones can reproduce immediate crash with + trinity -q -l off -n -c sendmsg -c connect + + With help from Hannes Frederic Sowa + + Reported-by: Dave Jones + Reported-by: Hannes Frederic Sowa + Signed-off-by: Eric Dumazet + Acked-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletions(-) + +commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 +Author: Zefan Li +Date: Wed Jun 26 15:29:54 2013 +0800 + + Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 + + dlci: acquire rtnl_lock before calling __dev_get_by_name() + + Otherwise the net device returned can be freed at anytime. + + Signed-off-by: Li Zefan + Cc: stable@vger.kernel.org + Signed-off-by: David S. Miller + + drivers/net/wan/dlci.c | 14 +++++++++----- + 1 files changed, 9 insertions(+), 5 deletions(-) + +commit 1fe6f23c9acd14d832d056909ff326bde418e645 +Author: Zefan Li +Date: Wed Jun 26 15:31:58 2013 +0800 + + Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a + + dlci: validate the net device in dlci_del() + + We triggered an oops while running trinity with 3.4 kernel: + + BUG: unable to handle kernel paging request at 0000000100000d07 + IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] + PGD 640c0d067 PUD 0 + Oops: 0000 [#1] PREEMPT SMP + CPU 3 + ... + Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA + RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] + ... + Call Trace: + [] sock_ioctl+0x153/0x280 + [] do_vfs_ioctl+0xa4/0x5e0 + [] ? fget_light+0x3ea/0x490 + [] sys_ioctl+0x4f/0x80 + [] system_call_fastpath+0x16/0x1b + ... + + It's because the net device is not a dlci device. + + Reported-by: Li Jinyue + Signed-off-by: Li Zefan + Cc: stable@vger.kernel.org + Signed-off-by: David S. Miller + + drivers/net/wan/dlci.c | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +commit 4d4464407611527ef6b6b5475cfcab6121b3da66 +Merge: 59571a9 963af7f +Author: Brad Spengler +Date: Thu Jun 27 18:54:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 963af7f7f591759b731ce6325ceb583a72fcf423 +Merge: c51e25a 55db48a +Author: Brad Spengler +Date: Thu Jun 27 18:54:42 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 59571a9db7485f530a1e865a13cacc4c991ec41f +Author: Brad Spengler +Date: Wed Jun 26 18:39:08 2013 -0400 + + From: Mathias Krause + To: Steffen Klassert , + "David S. Miller" + Cc: Mathias Krause , netdev@vger.kernel.org, + Herbert Xu + Subject: [PATCH] af_key: fix info leaks in notify messages + + key_notify_sa_flush() and key_notify_policy_flush() miss to initialize + the sadb_msg_reserved member of the broadcasted message and thereby + leak 2 bytes of heap memory to listeners. Fix that. + + Signed-off-by: Mathias Krause + Cc: Steffen Klassert + Cc: "David S. Miller" + Cc: Herbert Xu + + net/key/af_key.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 +Author: Brad Spengler +Date: Wed Jun 26 18:33:06 2013 -0400 + + update rand_threadstack code to continue the search for a gap if the first + choice doesn't have enough space, instead of returning ENOMEM + + mm/mmap.c | 17 ++++++++++------- + 1 files changed, 10 insertions(+), 7 deletions(-) + +commit 87020d4a4d83038d65ff1fd519938840f6888b9e +Merge: 2682346 c51e25a +Author: Brad Spengler +Date: Wed Jun 26 18:25:32 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c51e25a23f30a1198076bd085f19b2073caf164d +Author: Brad Spengler +Date: Wed Jun 26 18:24:54 2013 -0400 + + Update to pax-linux-3.9.7-test12.patch: + - fixed a regression on PARAVIRT/amd64 kernels + - simplified the recent vm_unmapped_area_info based change + + arch/x86/kernel/entry_64.S | 8 ++++---- + mm/mmap.c | 22 ++++++++++++---------- + 2 files changed, 16 insertions(+), 14 deletions(-) + +commit 26823469a08e59cb67bea18d448d9e8c65f82e08 +Author: Brad Spengler +Date: Tue Jun 25 21:26:51 2013 -0400 + + re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX + vm_unmapped_area code is complete + + arch/x86/kernel/sys_i386_32.c | 5 +++++ + grsecurity/Kconfig | 2 +- + mm/mmap.c | 11 ++++++++++- + 3 files changed, 16 insertions(+), 2 deletions(-) + +commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 +Merge: e58fe8c c4e0704 +Author: Brad Spengler +Date: Tue Jun 25 19:08:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/sys_i386_32.c + +commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 +Author: Brad Spengler +Date: Tue Jun 25 19:05:39 2013 -0400 + + Update to pax-linux-3.9.7-test11.patch: + - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) + - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure + - fixed the recent nested nmi related fixes some more + - fixed a regression in kernel memory initialization on relocatable i386 kernels + - empty_zero_page can be read-only on amd64 as well + + arch/arm/mm/mmap.c | 6 -- + arch/x86/kernel/entry_64.S | 8 +-- + arch/x86/kernel/head_64.S | 1 - + arch/x86/kernel/setup.c | 2 +- + arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- + drivers/lguest/core.c | 2 +- + include/linux/mm.h | 6 +- + include/linux/vmalloc.h | 2 +- + mm/mmap.c | 30 +++++++- + 9 files changed, 83 insertions(+), 134 deletions(-) + +commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d +Author: Brad Spengler +Date: Sun Jun 23 14:37:14 2013 -0400 + + second compile fix, reported by forsaken on forums + + include/linux/vmalloc.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f +Author: Brad Spengler +Date: Sun Jun 23 14:36:35 2013 -0400 + + compile fix, reported by KDE on forums + + kernel/printk.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit 1fc9a5e2e267205d28302e1e86ca0da434561111 +Author: Ben Hutchings +Date: Sun Jun 16 21:27:12 2013 +0100 + + Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d + + x86/efi: Fix dummy variable buffer allocation + + 1. Check for allocation failure + 2. Clear the buffer contents, as they may actually be written to flash + 3. Don't leak the buffer + + Compile-tested only. + + [ Tested successfully on my buggy ASUS machine - Matt ] + + Signed-off-by: Ben Hutchings + Cc: stable@vger.kernel.org + Signed-off-by: Matt Fleming + + arch/x86/platform/efi/efi.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 +Author: Dave Kleikamp +Date: Tue Jun 18 09:05:36 2013 -0500 + + Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 + + sparc: tsb must be flushed before tlb + + This fixes a race where a cpu may re-load a tlb from a stale tsb right + after it has been flushed by a remote function call. + + I still see some instability when stressing the system with parallel + kernel builds while creating memory pressure by writing to + /proc/sys/vm/nr_hugepages, but this patch improves the stability + significantly. + + Signed-off-by: Dave Kleikamp + Acked-by: Bob Picco + Signed-off-by: David S. Miller + + arch/sparc/mm/tlb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d93b62f6485db9aadda34322a6867868db07f56f +Merge: 4ef62f5 71d83e9 +Author: Brad Spengler +Date: Fri Jun 21 16:52:55 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 71d83e97c936563913bcfb5a25c45b2021a331eb +Author: Brad Spengler +Date: Fri Jun 21 16:48:42 2013 -0400 + + Update to pax-linux-3.9.7-test10.patch: + - fixed a few format string problems uncovered by -Wformat-nonliteral + - another attempt at fixing the nested nmi/cr0.wp problem + - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) + - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) + - fixed a locking issue with track_exec_limit reported by spender + - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) + + Documentation/dontdiff | 1 + + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ + arch/x86/kernel/vmlinux.lds.S | 2 +- + block/genhd.c | 11 +++-- + crypto/algapi.c | 2 +- + crypto/pcrypt.c | 6 +- + drivers/base/attribute_container.c | 2 +- + drivers/base/power/sysfs.c | 2 +- + drivers/block/nbd.c | 2 +- + drivers/cdrom/cdrom.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/mem.c | 2 +- + drivers/devfreq/devfreq.c | 2 +- + drivers/gpu/drm/drm_encoder_slave.c | 6 +-- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/iommu/irq_remapping.c | 2 +- + drivers/video/output.c | 2 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 2 +- + fs/lockd/svc.c | 2 +- + fs/nfs/callback.c | 4 +- + fs/nfs/nfs4state.c | 2 +- + fs/nfsd/nfscache.c | 3 +- + init/initramfs.c | 2 +- + kernel/rcutree.c | 2 +- + lib/kobject.c | 2 +- + mm/backing-dev.c | 4 +- + mm/mmap.c | 4 +- + mm/slub.c | 2 +- + mm/vmalloc.c | 15 +++---- + net/bluetooth/hci_core.c | 8 ++-- + net/netfilter/nf_conntrack_proto_dccp.c | 4 +- + net/sunrpc/svc.c | 2 +- + security/Kconfig | 15 +++--- + sound/core/sound.c | 2 +- + sound/sound_core.c | 2 +- + 40 files changed, 116 insertions(+), 111 deletions(-) + +commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c +Merge: 39efd8f 256eff7 +Author: Brad Spengler +Date: Fri Jun 21 16:45:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + kernel/printk.c + +commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 +Merge: e6e3059 485f25f +Author: Brad Spengler +Date: Thu Jun 20 22:14:24 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d +Author: Brad Spengler +Date: Tue Jun 18 17:20:18 2013 -0400 + + add apparmor compat patch + + security/apparmor/Kconfig | 9 ++ + security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 240 insertions(+), 0 deletions(-) + +commit 49bee3c5341687504669bf62becf4a419a226ba0 +Author: Brad Spengler +Date: Mon Jun 17 18:48:04 2013 -0400 + + Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" + + This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. + + kernel/sys.c | 29 +++-------------------------- + 1 files changed, 3 insertions(+), 26 deletions(-) + +commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 +Author: Al Viro +Date: Sun Jun 16 18:06:06 2013 +0100 + + Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 + + lseek(fd, n, SEEK_END) does *not* go to eof - n + + When you copy some code, you are supposed to read it. If nothing else, + there's a chance to spot and fix an obvious bug instead of sharing it... + + X-Song: "I Got It From Agnes", by Tom Lehrer + Signed-off-by: Al Viro + [ Tom Lehrer? You're dating yourself, Al ] + Signed-off-by: Linus Torvalds + + drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- + drivers/scsi/bfa/bfad_debugfs.c | 2 +- + drivers/scsi/fnic/fnic_debugfs.c | 2 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +commit 5a450f1c46f0c84379518aee878993d3f4a331b6 +Author: Theodore Ts'o +Date: Thu Jun 6 11:14:31 2013 -0400 + + Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 + + ext4: verify group number in verify_group_input() before using it + + Check the group number for sanity earilier, before calling routines + such as ext4_bg_has_super() or ext4_group_overhead_blocks(). + + Reported-by: Jonathan Salwan + Signed-off-by: "Theodore Ts'o" + + fs/ext4/resize.c | 17 +++++++++++------ + 1 files changed, 11 insertions(+), 6 deletions(-) + +commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 +Author: Neil Horman +Date: Wed Jun 12 14:26:44 2013 -0400 + + Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 + + sctp: fully initialize sctp_outq in sctp_outq_init + + In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 + (refactor sctp_outq_teardown to insure proper re-initalization) + we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the + outq structure. Steve West recently asked me why I removed the q->error = 0 + initalization from sctp_outq_teardown. I did so because I was operating under + the impression that sctp_outq_init would properly initalize that value for us, + but it doesn't. sctp_outq_init operates under the assumption that the outq + struct is all 0's (as it is when called from sctp_association_init), but using + it in __sctp_outq_teardown violates that assumption. We should do a memset in + sctp_outq_init to ensure that the entire structure is in a known state there + instead. + + Signed-off-by: Neil Horman + Reported-by: "West, Steve (NSN - US/Fort Worth)" + CC: Vlad Yasevich + CC: netdev@vger.kernel.org + CC: davem@davemloft.net + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + Conflicts: + + net/sctp/outqueue.c + + net/sctp/outqueue.c | 8 ++------ + 1 files changed, 2 insertions(+), 6 deletions(-) + +commit e13515ad7a9c7634599a105b2527752e527a905d +Author: Saurabh Mohan +Date: Mon Jun 10 17:45:10 2013 -0700 + + Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 + + net/ipv4: ip_vti clear skb cb before tunneling. + + If users apply shaper to vti tunnel then it will cause a kernel crash. The + problem seems to be due to the vti_tunnel_xmit function not clearing + skb->opt field before passing the packet to xfrm tunneling code. + + Signed-off-by: Saurabh Mohan + Acked-by: Stephen Hemminger + Signed-off-by: David S. Miller + + net/ipv4/ip_vti.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 +Author: Guillaume Nault +Date: Wed Jun 12 16:07:36 2013 +0200 + + Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 + + l2tp: Fix sendmsg() return value + + PPPoL2TP sockets should comply with the standard send*() return values + (i.e. return number of bytes sent instead of 0 upon success). + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit af361b412e816e894fb42ddff7a0545b7def64c0 +Author: Guillaume Nault +Date: Wed Jun 12 16:07:23 2013 +0200 + + Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 + + l2tp: Fix PPP header erasure and memory leak + + Copy user data after PPP framing header. This prevents erasure of the + added PPP header and avoids leaking two bytes of uninitialised memory + at the end of skb's data buffer. + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1f43aca088c35dda35abf76e08544e534c71fed4 +Author: Daniel Borkmann +Date: Wed Jun 12 16:02:27 2013 +0200 + + Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe + + packet: packet_getname_spkt: make sure string is always 0-terminated + + uaddr->sa_data is exactly of size 14, which is hard-coded here and + passed as a size argument to strncpy(). A device name can be of size + IFNAMSIZ (== 16), meaning we might leave the destination string + unterminated. Thus, use strlcpy() and also sizeof() while we're + at it. We need to memset the data area beforehand, since strlcpy + does not padd the remaining buffer with zeroes for user space, so + that we do not possibly leak anything. + + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + net/packet/af_packet.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f +Author: Andy Lutomirski +Date: Wed Jun 5 19:38:26 2013 +0000 + + Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab + + net: Unbreak compat_sys_{send,recv}msg + + I broke them in this commit: + + commit 1be374a0518a288147c6a7398792583200a67261 + Author: Andy Lutomirski + Date: Wed May 22 14:07:44 2013 -0700 + + net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept + MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It + also reverts some unnecessary checks in sys_socketcall. + + Apparently I was suffering from underscore blindness the first time around. + + Signed-off-by: Andy Lutomirski + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + + include/linux/socket.h | 3 ++ + net/compat.c | 13 +++++++- + net/socket.c | 72 ++++++++++++++++++++++-------------------------- + 3 files changed, 47 insertions(+), 41 deletions(-) + +commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f +Author: Andy Lutomirski +Date: Wed May 22 14:07:44 2013 -0700 + + Upstream commit: 1be374a0518a288147c6a7398792583200a67261 + + net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + To: linux-kernel@vger.kernel.org + Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. + Miller" + Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- + it's a hack that steals a bit to indicate to other networking code + that a compat entry was used. So don't allow it from a non-compat + syscall. + + This prevents an oops when running this code: + + int main() + { + int s; + struct sockaddr_in addr; + struct msghdr *hdr; + + char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); + if (highpage == MAP_FAILED) + err(1, "mmap"); + + s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if (s == -1) + err(1, "socket"); + + addr.sin_family = AF_INET; + addr.sin_port = htons(1); + addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) + err(1, "connect"); + + void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; + printf("Evil address is %p\n", evil); + + if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) + err(1, "sendmmsg"); + + return 0; + } + + Cc: David S. Miller + Signed-off-by: Andy Lutomirski + Signed-off-by: David S. Miller + + net/socket.c | 33 +++++++++++++++++++++++++++++++-- + 1 files changed, 31 insertions(+), 2 deletions(-) + +commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e +Author: Kees Cook +Date: Fri May 10 14:48:21 2013 -0700 + + Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c + + b43: stop format string leaking into error msgs + + The module parameter "fwpostfix" is userspace controllable, unfiltered, + and is used to define the firmware filename. b43_do_request_fw() populates + ctx->errors[] on error, containing the firmware filename. b43err() + parses its arguments as a format string. For systems with b43 hardware, + this could lead to a uid-0 to ring-0 escalation. + + CVE-2013-2852 + + Signed-off-by: Kees Cook + Cc: stable@vger.kernel.org + Signed-off-by: John W. Linville + + drivers/net/wireless/b43/main.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit dfb67a67049ace7b94ad7e2febfac69816d50d85 +Author: Mark A. Greer +Date: Wed May 29 12:25:34 2013 -0700 + + Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 + + mwifiex: debugfs: Fix out of bounds array access + + When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', + the following panic occurs: + + $ cat /sys/kernel/debug/mwifiex/p2p0/info + Unable to handle kernel paging request at virtual address 74706164 + pgd = de530000 + [74706164] *pgd=00000000 + Internal error: Oops: 5 [#1] SMP ARM + Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex + CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 + task: de16b6c0 ti: de048000 task.ti: de048000 + PC is at strnlen+0xc/0x4c + LR is at string+0x3c/0xf8 + pc : [] lr : [] psr: a0000013 + sp : de049e10 ip : c06efba0 fp : de6d2092 + r10: bf01a260 r9 : ffffffff r8 : 74706164 + r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 + r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 + Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user + Control: 10c5387d Table: 9e530019 DAC: 00000015 + Process cat (pid: 1635, stack limit = 0xde048240) + Stack: (0xde049e10 to 0xde04a000) + 9e00: de6d2092 00000002 bf01a25e de6d209c + 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 + 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 + 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 + 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 + 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 + 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 + 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 + 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 + 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 + 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 + 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 + 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 + 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd + [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) + [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) + [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) + [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) + [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) + [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) + [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) + Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) + ---[ end trace ca98273dc605a04f ]--- + + The panic is caused by the mwifiex_info_read() routine assuming that + there can only be four modes (0-3) which is an invalid assumption. + For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the + code accesses data beyond the bounds of the bss_modes[] array which + causes the panic. Fix this by updating bss_modes[] to support the + current list of modes and adding a check to prevent the out-of-bounds + access from occuring in the future when more modes are added. + + Signed-off-by: Mark A. Greer + Acked-by: Bing Zhao + Signed-off-by: John W. Linville + + drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- + 1 files changed, 17 insertions(+), 5 deletions(-) + +commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 +Author: Johan Hedberg +Date: Tue May 28 13:46:30 2013 +0300 + + Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 + + Bluetooth: Fix missing length checks for L2CAP signalling PDUs + + There has been code in place to check that the L2CAP length header + matches the amount of data received, but many PDU handlers have not been + checking that the data received actually matches that expected by the + specific PDU. This patch adds passing the length header to the specific + handler functions and ensures that those functions fail cleanly in the + case of an incorrect amount of data. + + Signed-off-by: Johan Hedberg + Cc: stable@vger.kernel.org + Signed-off-by: Gustavo Padovan + Signed-off-by: John W. Linville + + net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- + 1 files changed, 52 insertions(+), 18 deletions(-) + +commit 628be2427afb241b5a1aa24bc5907d05287e1f25 +Author: Dan Carpenter +Date: Mon Jun 3 12:00:49 2013 +0300 + + Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 + + ipvs: info leak in __ip_vs_get_dest_entries() + + The entry struct has a 2 byte hole after ->port and another 4 byte + hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your + namespace to hit this information leak. + + Signed-off-by: Dan Carpenter + Acked-by: Julian Anastasov + Signed-off-by: Simon Horman + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/ipvs/ip_vs_ctl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 066d9226bc6c569d5f420c978b758e0bddd23444 +Author: Robin Holt +Date: Wed Jun 12 14:04:37 2013 -0700 + + Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db + + reboot: rigrate shutdown/reboot to boot cpu + + We recently noticed that reboot of a 1024 cpu machine takes approx 16 + minutes of just stopping the cpus. The slowdown was tracked to commit + f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in + kernel_restart()"). + + The current implementation does all the work of hot removing the cpus + before halting the system. We are switching to just migrating to the + boot cpu and then continuing with shutdown/reboot. + + This also has the effect of not breaking x86's command line parameter + for specifying the reboot cpu. Note, this code was shamelessly copied + from arch/x86/kernel/reboot.c with bits removed pertaining to the + reboot_cpu command line parameter. + + Signed-off-by: Robin Holt + Tested-by: Shawn Guo + Cc: "Srivatsa S. Bhat" + Cc: H. Peter Anvin + Cc: Thomas Gleixner + Cc: Ingo Molnar + Cc: Russ Anderson + Cc: Robin Holt + Cc: Russell King + Cc: Guan Xuetao + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/sys.c | 29 ++++++++++++++++++++++++++--- + 1 files changed, 26 insertions(+), 3 deletions(-) + +commit 94e2a91600b07d39825e7059195f35eb611a39a2 +Merge: 20cc761 e6e3059 +Author: Brad Spengler +Date: Thu Jun 13 16:23:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a +Merge: c6aadb1 4b73feb +Author: Brad Spengler +Date: Thu Jun 13 16:23:39 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 20cc7613e38cde07adc73179a91d6c15292e8d43 +Author: Daniel Borkmann +Date: Thu Jun 6 15:53:47 2013 +0200 + + Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c + + net: sctp: fix NULL pointer dereference in socket destruction + + While stress testing sctp sockets, I hit the following panic: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: [] sctp_endpoint_free+0xe/0x40 [sctp] + PGD 7cead067 PUD 7ce76067 PMD 0 + Oops: 0000 [#1] SMP + Modules linked in: sctp(F) libcrc32c(F) [...] + CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 + Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 + task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 + RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] + RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 + RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 + RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 + RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 + FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + Stack: + ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded + ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e + 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e + Call Trace: + [] sctp_destroy_sock+0x3d/0x80 [sctp] + [] sk_common_release+0x1e/0xf0 + [] inet_create+0x2ae/0x350 + [] __sock_create+0x11f/0x240 + [] sock_create+0x30/0x40 + [] SyS_socket+0x4c/0xc0 + [] ? do_page_fault+0xe/0x10 + [] ? page_fault+0x22/0x30 + [] system_call_fastpath+0x16/0x1b + Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f + 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> + 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 + RIP [] sctp_endpoint_free+0xe/0x40 [sctp] + RSP + CR2: 0000000000000020 + ---[ end trace e0d71ec1108c1dd9 ]--- + + I did not hit this with the lksctp-tools functional tests, but with a + small, multi-threaded test program, that heavily allocates, binds, + listens and waits in accept on sctp sockets, and then randomly kills + some of them (no need for an actual client in this case to hit this). + Then, again, allocating, binding, etc, and then killing child processes. + + This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' + is set. The cause for that is actually very simple: in sctp_endpoint_init() + we enter the path of sctp_auth_init_hmacs(). There, we try to allocate + our crypto transforms through crypto_alloc_hash(). In our scenario, + it then can happen that crypto_alloc_hash() fails with -EINTR from + crypto_larval_wait(), thus we bail out and release the socket via + sk_common_release(), sctp_destroy_sock() and hit the NULL pointer + dereference as soon as we try to access members in the endpoint during + sctp_endpoint_free(), since endpoint at that time is still NULL. Now, + if we have that case, we do not need to do any cleanup work and just + leave the destruction handler. + + Signed-off-by: Daniel Borkmann + Acked-by: Neil Horman + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/socket.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 386ba837978cc8a1111440bdcd8600f2df4634a4 +Author: Brad Spengler +Date: Wed Jun 12 20:37:48 2013 -0400 + + fix deadlock when booting i386 kernel without NX + + mm/mmap.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 +Author: Brad Spengler +Date: Tue Jun 11 22:18:07 2013 -0400 + + fix elif / elif defined() typo in recent change + + kernel/events/core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit bc43377e1e757cd37a06be0187884a42af718aab +Merge: 3cdea63 c6aadb1 +Author: Brad Spengler +Date: Tue Jun 11 18:50:39 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 +Author: Brad Spengler +Date: Tue Jun 11 18:49:36 2013 -0400 + + Update to pax-linux-3.9.4-test9.patch: + - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) + - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort + + arch/x86/kernel/setup.c | 2 +- + mm/mlock.c | 1 - + 2 files changed, 1 insertions(+), 2 deletions(-) + +commit 3cdea63e90607d8d55820b101854091623feedb8 +Author: Brad Spengler +Date: Mon Jun 10 21:21:44 2013 -0400 + + Fix fanotify infoleak reported by Dan Carpenter at: + https://lkml.org/lkml/2013/6/3/128 + + Requires CAP_SYS_ADMIN, so this is about as low priority as it gets + + fs/notify/fanotify/fanotify_user.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 373a2b5df78f82b9d3db72bd6577e29a71591323 +Author: Brad Spengler +Date: Mon Jun 10 21:16:46 2013 -0400 + + Backport infoleak fix by Dan Carpenter in cpqarray: + https://lkml.org/lkml/2013/6/3/131 + + drivers/block/cpqarray.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 251e84b9b05e063981b20be154c9389862f94759 +Author: Brad Spengler +Date: Mon Jun 10 21:04:17 2013 -0400 + + Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 + + drivers/cdrom/cdrom.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 383d89bf95818b05a485a6e8b118963b5bcbc83e +Author: Brad Spengler +Date: Mon Jun 10 18:34:32 2013 -0400 + + change const to __read_only + + kernel/sysctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 +Author: Brad Spengler +Date: Mon Jun 10 17:34:13 2013 -0400 + + compile fix, make const values const + + kernel/sysctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d +Author: Brad Spengler +Date: Mon Jun 10 17:37:13 2013 -0400 + + Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a + + drivers/char/mwave/tp3780i.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1c590aa70c95ebd76ba9672aa23d800b81780615 +Author: Brad Spengler +Date: Sun Jun 9 19:50:35 2013 -0400 + + allow -1 perf_event_paranoid + + kernel/sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 +Merge: 4e85539 117c3fa +Author: Brad Spengler +Date: Sun Jun 9 17:30:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 117c3fa8d26c3806103123560f807d99071b60b6 +Merge: ed9b427 5dd2e98 +Author: Brad Spengler +Date: Sun Jun 9 17:30:00 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 +Author: Eric Dumazet +Date: Mon May 13 21:25:52 2013 +0000 + + Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e + + tcp: fix tcp_md5_hash_skb_data() + + TCP md5 communications fail [1] for some devices, because sg/crypto code + assume page offsets are below PAGE_SIZE. + + This was discovered using mlx4 driver [2], but I suspect loopback + might trigger the same bug now we use order-3 pages in tcp_sendmsg() + + [1] Failure is giving following messages. + + huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, + exited with 00000101? + + [2] mlx4 driver uses order-2 pages to allocate RX frags + + Reported-by: Matt Schnall + Signed-off-by: Eric Dumazet + Cc: Bernhard Beck + Signed-off-by: David S. Miller + + net/ipv4/tcp.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb +Author: Eric Dumazet +Date: Fri May 17 04:53:13 2013 +0000 + + Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a + + ipv6: fix possible crashes in ip6_cork_release() + + commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") + added some code duplication and bad error recovery, leading to potential + crash in ip6_cork_release() as kfree() could be called with garbage. + + use kzalloc() to make sure this wont happen. + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + Cc: Herbert Xu + Cc: Hideaki YOSHIFUJI + Cc: Neal Cardwell + + net/ipv6/ip6_output.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5771263fe368cd384127dd17d7596a7e1a4e2eec +Author: Chen Gang +Date: Thu May 16 23:13:04 2013 +0000 + + Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 + + net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. + + 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the + strncpy() will always left the last byte of 'discovery->data.info' + uninitialized. + + When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left + the last byte of 'discovery->data.info' uninitialized, the next + strlen() will cause issue. + + Also 'discovery->data' is 'struct irda_device_info' which defined in + "include/uapi/...", it may copy to user mode, so need whole initialized. + + All together, need use kzalloc() instead of kmalloc() to initialize all + members firstly. + + Signed-off-by: Chen Gang + Signed-off-by: David S. Miller + + net/irda/irlap_frame.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c01c9af268cb066f240aec53454b8b74d8d01688 +Author: Dan Carpenter +Date: Sun May 19 08:36:36 2013 +0000 + + Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 + + isdn/kcapi: fix a small underflow + + In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes + from skb->data. The current code can underflow to one space before the + start of the array. + + The sanity check isn't needed in __get_capi_appl_by_nr() but I changed + it to match the others. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/capi/kcapi.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 +Author: Timo Teräs +Date: Wed May 22 01:40:47 2013 +0000 + + Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 + + xfrm: properly handle invalid states as an error + + The error exit path needs err explicitly set. Otherwise it + returns success and the only caller, xfrm_output_resume(), + would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is + NULL. + + Bug introduced in commit bb65a9cb (xfrm: removes a superfluous + check and add a statistic). + + Signed-off-by: Timo Teräs + Cc: Li RongQing + Cc: Steffen Klassert + Signed-off-by: David S. Miller + + net/xfrm/xfrm_output.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd +Author: Jeff Mahoney +Date: Fri May 31 15:07:52 2013 -0400 + + Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab + + reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry + + After sleeping for filldir(), we check to see if the file system has + changed and research. The next_pos pointer is updated but its value + isn't pushed into the key used for the search itself. As a result, + the search returns the same item that the last cycle of the loop did + and filldir() is called multiple times with the same data. + + The end result is that the buffer can contain the same name multiple + times. This can be returned to userspace or used internally in the + xattr code where it can manifest with the following warning: + + jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) + + reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over + the xattr names and ends up trying to unlink the same name twice. The + second attempt fails with -ENOENT and the error is returned. At some + point I'll need to add support into reiserfsck to remove the orphaned + directories left behind when this occurs. + + The fix is to push the value into the key before researching. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/dir.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 +Author: Jeff Mahoney +Date: Fri May 31 15:51:17 2013 -0400 + + Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc + + reiserfs: fix deadlock with nfs racing on create/lookup + + Reiserfs is currently able to be deadlocked by having two NFS clients + where one has removed and recreated a file and another is accessing the + file with an open file handle. + + If one client deletes and recreates a file with timing such that the + recreated file obtains the same [dirid, objectid] pair as the original + file while another client accesses the file via file handle, the create + and lookup can race and deadlock if the lookup manages to create the + in-memory inode first. + + The create thread, in insert_inode_locked4, will hold the write lock + while waiting on the other inode to be unlocked. The lookup thread, + anywhere in the iget path, will release and reacquire the write lock while + it schedules. If it needs to reacquire the lock while the create thread + has it, it will never be able to make forward progress because it needs + to reacquire the lock before ultimately unlocking the inode. + + This patch drops the write lock across the insert_inode_locked4 call so + that the ordering of inode_wait -> write lock is retained. Since this + would have been the case before the BKL push-down, this is safe. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/inode.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 +Author: Jeff Mahoney +Date: Fri May 31 15:54:17 2013 -0400 + + Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b + + reiserfs: fix problems with chowning setuid file w/ xattrs + + reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr + and uses it to iterate over all the attrs associated with a file to change + ownership of xattrs (and transfer quota associated with the xattr files). + + When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode + are passed to all the xattrs as well. This means that the xattr directory + will have S_IFREG added to its mode bits. + + This has been prevented in practice by a missing IS_PRIVATE check + in reiserfs_acl_chmod, which caused a double-lock to occur while holding + the write lock. Since the file system was completely locked up, the + writeout of the corrupted mode never happened. + + This patch temporarily clears everything but ATTR_UID|ATTR_GID for the + calls to reiserfs_setattr and adds the missing IS_PRIVATE check. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/xattr.c | 14 +++++++++++++- + fs/reiserfs/xattr_acl.c | 3 +++ + 2 files changed, 16 insertions(+), 1 deletions(-) + +commit c18cef940310c06bdf86d64d8cb227e56e165300 +Author: Dave Chinner +Date: Mon May 27 16:38:25 2013 +1000 + + Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b + + xfs: kill suid/sgid through the truncate path. + + XFS has failed to kill suid/sgid bits correctly when truncating + files of non-zero size since commit c4ed4243 ("xfs: split + xfs_setattr") introduced in the 3.1 kernel. Fix it. + + Fix it. + + cc: stable kernel + Signed-off-by: Dave Chinner + Reviewed-by: Brian Foster + Signed-off-by: Ben Myers + + (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) + + fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 files changed, 32 insertions(+), 15 deletions(-) + +commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc +Author: Trond Myklebust +Date: Wed May 29 15:36:40 2013 -0400 + + Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 + + NFSv4: Fix a thinko in nfs4_try_open_cached + + We need to pass the full open mode flags to nfs_may_open() when doing + a delegated open. + + Signed-off-by: Trond Myklebust + Cc: stable@vger.kernel.org + + fs/nfs/nfs4proc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c47de62893a9f269be0a272c2840aac1e2a35c68 +Author: Chen Gang +Date: Thu May 30 01:18:43 2013 +0000 + + Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 + + parisc: kernel: using strlcpy() instead of strcpy() + + 'boot_args' is an input args, and 'boot_command_line' has a fix length. + So use strlcpy() instead of strcpy() to avoid memory overflow. + + Signed-off-by: Chen Gang + Acked-by: Kyle McMartin + Signed-off-by: Helge Deller + + arch/parisc/kernel/setup.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit ce869e6f799f95fcac340420ba3612503df80dbf +Author: Chen Gang +Date: Mon May 27 04:57:09 2013 +0000 + + Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 + + parisc: memory overflow, 'name' length is too short for using + + 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 + * "%u:" + "%u" + '\0') may be 21. + + Since 'name' length is 20, it may be memory overflow. + + And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the + max length of 'name' must be less than 28. + + So simplify thinking, we can use 28 instead of 20 directly, and do not + think of whether 'patchc.bc[i]' can '> 100'. + + Signed-off-by: Chen Gang + Signed-off-by: Helge Deller + + arch/parisc/kernel/drivers.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5dc65cd34d442783118a17c518e2daedb90a31d0 +Author: Brad Spengler +Date: Tue Jun 4 17:52:23 2013 -0400 + + add PERF_HARDEN recommendation + + grsecurity/Kconfig | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c +Author: Brad Spengler +Date: Tue Jun 4 17:22:44 2013 -0400 + + Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN + + grsecurity/Kconfig | 19 +++++++++++++++++++ + include/linux/perf_event.h | 5 +++++ + kernel/events/core.c | 10 +++++++++- + kernel/sysctl.c | 9 ++++++++- + 4 files changed, 41 insertions(+), 2 deletions(-) + +commit 84619a3501fd38285a72d9e963f58d1827beedd6 +Author: Brad Spengler +Date: Sat Jun 1 14:23:31 2013 -0400 + + remove user-triggerable BUG_ON in do_munlockall() + + mm/mlock.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 +Author: Brad Spengler +Date: Sat Jun 1 13:44:05 2013 -0400 + + Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 + + From: Kees Cook + Date: Thu, 23 May 2013 17:32:17 +0000 + Subject: iscsi-target: fix heap buffer overflow on error + + If a key was larger than 64 bytes, as checked by iscsi_check_key(), the + error response packet, generated by iscsi_add_notunderstood_response(), + would still attempt to copy the entire key into the packet, overflowing + the structure on the heap. + + Remote preauthentication kernel memory corruption was possible if a + target was configured and listening on the network. + + CVE-2013-2850 + + Embargo-screwup-by: Kees Cook + Cc: stable@vger.kernel.org + Signed-off-by: Nicholas Bellinger + + drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- + drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e +Author: Brad Spengler +Date: Sat Jun 1 13:43:26 2013 -0400 + + Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" + Applying upstream fix instead + + This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. + + drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 +Author: Dan Carpenter +Date: Sun May 19 21:52:20 2013 +0300 + + Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 + + USB: cxacru: potential underflow in cxacru_cm_get_array() + + commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. + + The value of "offd" comes off the instance->rcv_buf[] and we used it as + the offset into an array. The problem is that we check the upper bound + but not for negative values. + + Signed-off-by: Dan Carpenter + Signed-off-by: Greg Kroah-Hartman + Signed-off-by: Ben Hutchings + + drivers/usb/atm/cxacru.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 +Author: Brad Spengler +Date: Sat Jun 1 11:30:17 2013 -0400 + + Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters + + drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit 8578566969d91678a3d7d5251b4eafc6d7775314 +Author: Brad Spengler +Date: Thu May 30 17:44:15 2013 -0400 + + Apply compatibility fix to previous RLIMIT_NPROC change + don't enforce the rlimit check at exec time if the user is root + Prevents problems with sudo if root is listed as part of a group + in limits.conf with process limits enforced + + kernel/sys.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 +Merge: 643b294 ed9b427 +Author: Brad Spengler +Date: Wed May 29 19:19:28 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit ed9b4276488528d0c3803df1dc0df804238241e0 +Author: Brad Spengler +Date: Wed May 29 19:18:45 2013 -0400 + + Updated to pax-linux-3.9.4-test8.patch: + - fixed some fallout detected by the checker plugin + + arch/x86/kernel/crash_dump_64.c | 2 +- + drivers/base/devtmpfs.c | 6 +++--- + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 2 +- + drivers/char/mem.c | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- + drivers/i2c/i2c-dev.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- + drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- + fs/9p/vfs_addr.c | 2 +- + fs/binfmt_elf.c | 4 ++-- + fs/compat_ioctl.c | 4 ++-- + fs/exec.c | 2 +- + fs/namespace.c | 8 ++++---- + fs/proc/vmcore.c | 12 ++++++++---- + fs/read_write.c | 2 +- + include/linux/syscalls.h | 8 ++++---- + init/do_mounts_initrd.c | 8 ++++---- + init/main.c | 4 ++-- + kernel/events/core.c | 2 +- + kernel/events/internal.h | 10 +++++----- + mm/page_io.c | 2 +- + security/keys/internal.h | 2 +- + tools/gcc/checker_plugin.c | 1 + + 24 files changed, 63 insertions(+), 54 deletions(-) + +commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 +Author: Brad Spengler +Date: Wed May 29 18:51:31 2013 -0400 + + eliminate gcc warning + + fs/exec.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 +Author: Brad Spengler +Date: Wed May 29 18:30:20 2013 -0400 + + use BUILD_BUG() instead of BUILD_BUG_ON(1) + + arch/x86/net/bpf_jit_comp.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 5343410354267368e5809f3ad8d9a264f141be18 +Author: Brad Spengler +Date: Wed May 29 17:57:41 2013 -0400 + + defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON + for unknown opcodes + + arch/x86/net/bpf_jit_comp.c | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d +Author: Xiao Guangrong +Date: Fri May 24 15:55:11 2013 -0700 + + Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 + + mm: mmu_notifier: re-fix freed page still mapped in secondary MMU + + Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and + multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: + fix freed page still mapped in secondary MMU"). + + Since hlist_for_each_entry_rcu() is changed now, we can not revert that + patch directly, so this patch reverts the commit and simply fix the bug + spotted by that patch + + This bug spotted by commit 751efd8610d3 is: + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result + of a filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + + This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. + + The another issue spotted in the commit is "multiple ->release() + callouts", we needn't care it too much because it is really rare (e.g, + can not happen on kvm since mmu-notify is unregistered after + exit_mmap()) and the later call of multiple ->release should be fast + since all the pages have already been released by the first call. + Anyway, this issue should be fixed in a separate patch. + + -stable suggestions: Any version that has commit 751efd8610d3 need to be + backported. I find the oldest version has this commit is 3.0-stable. + + [akpm@linux-foundation.org: tweak comments] + Signed-off-by: Xiao Guangrong + Tested-by: Robin Holt + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- + 1 files changed, 39 insertions(+), 40 deletions(-) + +commit 163a5539b36247865d39b2bcfa8efc03a62124a6 +Author: Aneesh Kumar K.V +Date: Fri May 24 15:55:21 2013 -0700 + + Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 + + mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer + + We should not use set_pmd_at to update pmd_t with pgtable_t pointer. + set_pmd_at is used to set pmd with huge pte entries and architectures + like ppc64, clear few flags from the pte when saving a new entry. + Without this change we observe bad pte errors like below on ppc64 with + THP enabled. + + BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 + + Signed-off-by: Aneesh Kumar K.V + Cc: Hugh Dickins + Cc: Benjamin Herrenschmidt + Reviewed-by: Andrea Arcangeli + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/huge_memory.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 3e54faf888d324d5f362dcba16173ea7bba61e8a +Author: OGAWA Hirofumi +Date: Fri May 24 15:55:08 2013 -0700 + + Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 + + fat: fix possible overflow for fat_clusters + + Intermediate value of fat_clusters can be overflowed on 32bits arch. + + Reported-by: Krzysztof Strasburger + Signed-off-by: OGAWA Hirofumi + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/fat/inode.c | 15 ++++++++++++++- + 1 files changed, 14 insertions(+), 1 deletions(-) + +commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d +Author: Jarod Wilson +Date: Fri May 24 15:55:31 2013 -0700 + + Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 + + drivers/char/random.c: fix priming of last_data + + Commit ec8f02da9ea5 ("random: prime last_data value per fips + requirements") added priming of last_data per fips requirements. + + Unfortuantely, it did so in a way that can lead to multiple threads all + incrementing nbytes, but only one actually doing anything with the extra + data, which leads to some fun random corruption and panics. + + The fix is to simply do everything needed to prime last_data in a single + shot, so there's no window for multiple cpus to increment nbytes -- in + fact, we won't even increment or decrement nbytes anymore, we'll just + extract the needed EXTRACT_SIZE one time per pool and then carry on with + the normal routine. + + All these changes have been tested across multiple hosts and + architectures where panics were previously encoutered. The code changes + are are strictly limited to areas only touched when when booted in fips + mode. + + This change should also go into 3.8-stable, to make the myriads of fips + users on 3.8.x happy. + + Signed-off-by: Jarod Wilson + Tested-by: Jan Stancek + Tested-by: Jan Stodola + Cc: Herbert Xu + Acked-by: Neil Horman + Cc: "David S. Miller" + Cc: Matt Mackall + Cc: "Theodore Ts'o" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/char/random.c | 30 +++++++++++++++--------------- + 1 files changed, 15 insertions(+), 15 deletions(-) + +commit 2d74639040ba6ce47f57ec010714ec06529c4b42 +Author: Jiri Kosina +Date: Fri May 24 15:55:33 2013 -0700 + + Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 + + random: fix accounting race condition with lockless irq entropy_count update + + Commit 902c098a3663 ("random: use lockless techniques in the interrupt + path") turned IRQ path from being spinlock protected into lockless + cmpxchg-retry update. + + That commit removed r->lock serialization between crediting entropy bits + from IRQ context and accounting when extracting entropy on userspace + read path, but didn't turn the r->entropy_count reads/updates in + account() to use cmpxchg as well. + + It has been observed, that under certain circumstances this leads to + read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets + corrupted and becomes negative, which in turn results in propagating 0 + all the way from account() to the actual read() call. + + Convert the accounting code to be the proper lockless counterpart of + what has been partially done by 902c098a3663. + + Signed-off-by: Jiri Kosina + Cc: Theodore Ts'o + Cc: Greg KH + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/char/random.c | 26 +++++++++++++++++--------- + 1 files changed, 17 insertions(+), 9 deletions(-) + +commit 65d05c7ea468c23c175105526dd4f163302a92cf +Merge: 1a98d0a 6ce3a135 +Author: Brad Spengler +Date: Sat May 25 07:48:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/vm86_32.c + +commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 +Merge: 79bdd65 0bfd8ff +Author: Brad Spengler +Date: Sat May 25 07:46:55 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 +Author: Brad Spengler +Date: Thu May 23 18:42:23 2013 -0400 + + use existing local variable + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b2b80ef8586061e32e986b31608717c25d1e7c54 +Merge: cb45fbd 79bdd65 +Author: Brad Spengler +Date: Thu May 23 17:58:53 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 79bdd65dac68267bc1b201c6b4a99966a373c305 +Author: Brad Spengler +Date: Thu May 23 17:57:46 2013 -0400 + + Update to pax-linux-3.9.3-test7.patch: + - fixed some size overflow related warnings (hash table, attributes) + - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html + + arch/x86/include/asm/page_64.h | 2 +- + arch/x86/kernel/head64.c | 2 +- + tools/gcc/constify_plugin.c | 48 ++- + tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ + 4 files changed, 651 insertions(+), 592 deletions(-) + +commit cb45fbda4967b1b544a754fbdc92d73283379522 +Merge: 62588fa 57c11b8 +Author: Brad Spengler +Date: Mon May 20 17:32:17 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 57c11b85acd841a088aa4df8e60be337880df8cd +Merge: 0598b37 4bb0869 +Author: Brad Spengler +Date: Mon May 20 17:32:08 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 +Merge: e261c7b 0598b37 +Author: Brad Spengler +Date: Fri May 17 22:57:36 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 +Author: Brad Spengler +Date: Fri May 17 22:57:07 2013 -0400 + + Update to pax-linux-3.9.2-test6.patch: + - fixed a gcc assert in the structleak plugin, reported by Emese Revfy + - fixed pfn extraction from pud/pgd entries, reported by ousado + + arch/x86/include/asm/pgtable.h | 9 +++++++-- + tools/gcc/structleak_plugin.c | 3 ++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +commit e261c7bc611e9127bbb7bd95cddd51524bf255ae +Author: Brad Spengler +Date: Thu May 16 22:54:12 2013 -0400 + + add offset to topdown check, fixes compilation + + arch/x86/kernel/sys_x86_64.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 +Author: Brad Spengler +Date: Thu May 16 20:57:41 2013 -0400 + + CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, + reported by lulzh3ad on irc + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0d4593e84707cdf6deb6b925c18c676a476b1613 +Merge: 43cd0c0 39a877f +Author: Brad Spengler +Date: Thu May 16 20:39:11 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 39a877f192ed305d88edac10a14a9e8e1e161f3f +Author: Brad Spengler +Date: Thu May 16 20:37:35 2013 -0400 + + Update to pax-linux-3.9.2-test105.patch: + - fixed !EFI boot problem, reported by spender + - fixed a few compile warnings + - fixed some more compile errors due to constification + - fixed some arm fallout, reported by Michael Tremer + + arch/arm/include/asm/psci.h | 2 +- + arch/arm/kernel/psci.c | 2 +- + arch/x86/kernel/sys_x86_64.c | 3 +-- + arch/x86/realmode/init.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- + drivers/irqchip/irq-gic.c | 2 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- + drivers/platform/x86/chromeos_laptop.c | 2 +- + fs/jfs/super.c | 4 ++-- + include/linux/irqchip/arm-gic.h | 2 ++ + include/sound/compress_driver.h | 2 +- + net/mac80211/cfg.c | 4 ++-- + sound/soc/fsl/fsl_ssi.c | 2 +- + 14 files changed, 31 insertions(+), 22 deletions(-) + +commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 +Author: Brad Spengler +Date: Thu May 16 20:35:22 2013 -0400 + + Fix usercopy false positive under gcc 4.1 + + arch/x86/kernel/signal.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 56a166129d817f6634c8c230e6ec497669bdfaca +Author: Amerigo Wang +Date: Thu May 9 21:56:37 2013 +0000 + + Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f + + ipv6,gre: do not leak info to user-space + + There is a hole in struct ip6_tnl_parm2, so we have to + zero the struct on stack before copying it to user-space. + + Cc: David S. Miller + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + net/ipv6/ip6_gre.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit d6f50dae2653ad912952da40417a8ccbd59c7699 +Author: Brad Spengler +Date: Tue May 14 16:52:35 2013 -0400 + + disable unprivileged kernel profiling under HIDESYM, rename + the variable to something more appropriate + + include/linux/perf_event.h | 8 ++++---- + kernel/events/core.c | 6 +++++- + kernel/sysctl.c | 4 ++-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +commit 01322c6951bed4eedefbd2178dbd99292b365d99 +Author: Brad Spengler +Date: Mon May 13 17:19:57 2013 -0400 + + mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its + existing stack-heap gap code for the new unified vm_unmapped_area + + grsecurity/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 +Author: Brad Spengler +Date: Mon May 13 15:40:32 2013 -0400 + + fix NX fault on early boot + + arch/x86/realmode/init.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 +Author: Brad Spengler +Date: Mon May 13 10:48:13 2013 -0400 + + compile fix, we weren't using %pa anyway and it's now being used + by upstream for physical address printing + + lib/vsprintf.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d +Author: Brad Spengler +Date: Mon May 13 10:39:52 2013 -0400 + + compile fix + + grsecurity/grsec_chroot.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b +Author: Brad Spengler +Date: Mon May 13 10:35:36 2013 -0400 + + compile fixes + + grsecurity/grsec_chroot.c | 2 +- + include/linux/grinternal.h | 8 ++++---- + include/linux/grsecurity.h | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 +Author: Brad Spengler +Date: Mon May 13 10:27:18 2013 -0400 + + compile fix + + fs/exec.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 +Author: Brad Spengler +Date: Mon May 13 10:23:17 2013 -0400 + + Initial port of grsecurity for 3.9.2 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 8 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/slice.c | 8 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/Kconfig.debug | 2 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 14 +- + arch/x86/kernel/sys_x86_64.c | 6 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/usb/storage/realtek_cr.c | 2 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 10 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 181 +- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 241 ++- + fs/namespace.c | 24 + + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 +- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 3 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 1031 +++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 +++ + grsecurity/gracl_ip.c | 387 ++ + grsecurity/gracl_learn.c | 207 + + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 ++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 ++ + grsecurity/grsec_disabled.c | 434 +++ + grsecurity/grsec_exec.c | 187 + + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 ++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 ++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 222 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 +++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 319 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 215 + + include/linux/grmsg.h | 111 + + include/linux/grsecurity.h | 242 ++ + include/linux/grsock.h | 19 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 12 + + include/linux/sched.h | 68 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/net/secure_seq.h | 1 + + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 71 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 8 + + kernel/printk.c | 13 +- + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 39 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + lib/vsprintf.c | 35 +- + localversion-grsec | 1 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 64 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/8021q/vlan.c | 7 + + net/core/dev_ioctl.c | 4 + + net/core/net-procfs.c | 5 + + net/core/secure_seq.c | 4 +- + net/core/sock_diag.c | 7 + + net/ipv4/af_inet.c | 5 +- + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 7 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 2 +- + net/phonet/af_phonet.c | 2 +- + net/sctp/probe.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/tipc/link.c | 11 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 342 ++- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 291 files changed, 15221 insertions(+), 2052 deletions(-) + +commit 88854c350c899bceca4a94598c42bed44d0dc91b +Author: Brad Spengler +Date: Mon May 13 07:37:47 2013 -0400 + + Initial import of pax-linux-3.9.2-test2.patch + + Documentation/dontdiff | 45 +- + Documentation/kernel-parameters.txt | 12 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 421 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 6 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 15 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 15 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-ux500/include/mach/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 91 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 36 +- + arch/arm/mm/mmu.c | 187 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 23 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/kernel/us3_cpufreq.c | 69 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 6 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 21 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 6 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 67 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page_64.h | 2 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 113 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel.c | 2 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 63 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 ++- + arch/x86/kernel/entry_64.S | 530 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 1 - + arch/x86/kernel/head_32.S | 237 +- + arch/x86/kernel/head_64.S | 120 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 57 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 4 +- + arch/x86/kernel/setup.c | 19 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 248 + + arch/x86/kernel/sys_x86_64.c | 19 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 57 +- + arch/x86/kvm/x86.c | 10 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 70 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 376 +- + arch/x86/lib/usercopy_64.c | 25 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 556 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 90 +- + arch/x86/mm/init_32.c | 119 +- + arch/x86/mm/init_64.c | 44 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 19 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 4 +- + arch/x86/realmode/init.c | 8 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/relocs.c | 95 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 2 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 9 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/frontend.c | 2 +- + drivers/char/hpet.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 41 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clocksource/arm_arch_timer.c | 2 +- + drivers/clocksource/metag_generic.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 4 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-cdev.c | 3 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efivars.c | 4 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 4 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 10 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/devices/doc2000.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/iio/iio_hwmon.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 11 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 605 +++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 8 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/ecryptfs/read_write.c | 2 +- + fs/exec.c | 362 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/super.c | 2 +- + fs/fhandle.c | 3 +- + fs/fifo.c | 22 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 2 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 6 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 2 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 8 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 33 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 36 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/compat.h | 6 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpu.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/ftrace_event.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 2 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 15 + + include/linux/math64.h | 6 +- + include/linux/mm.h | 110 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 12 +- + include/linux/pipe_fs_i.h | 6 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/proc_fs.h | 2 +- + include/linux/random.h | 5 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 67 +- + include/linux/sched/sysctl.h | 1 + + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 36 +- + include/linux/slab_def.h | 33 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 10 +- + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 2 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-ioctl.h | 1 - + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 12 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 22 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 77 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 7 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 20 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 68 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 51 +- + kernel/sched/fair.c | 4 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 18 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 6 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 20 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 8 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + lib/Kconfig.debug | 6 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 16 +- + mm/mmap.c | 576 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 4 +- + mm/page_alloc.c | 41 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 105 +- + mm/slab.h | 5 +- + mm/slab_common.c | 11 +- + mm/slob.c | 201 +- + mm/slub.c | 99 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 82 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/devinet.c | 14 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 18 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 6 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 8 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 14 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 2 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 29 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.pl | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 675 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 171 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 518 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 ++ + tools/gcc/latent_entropy_plugin.c | 327 ++ + tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2114 ++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 276 + + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1555 files changed, 30474 insertions(+), 7126 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 +Merge: 814820a 3a59a59 +Author: Brad Spengler +Date: Sun May 12 21:51:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f +Author: Brad Spengler +Date: Sun May 12 21:50:07 2013 -0400 + + Update to pax-linux-3.8.13-test24.patch: + - fixed sparc/constification compile error, reported by blake + - UDEREF/amd64 should be a bit more efficient when disabled at boot time + - fixed some unnecessary integer truncations that could trip up the size overflow plugin + + arch/arm/kernel/vmlinux.lds.S | 4 ++-- + arch/sparc/kernel/us3_cpufreq.c | 4 ++-- + arch/x86/ia32/ia32entry.S | 4 ++-- + arch/x86/include/asm/pgtable.h | 6 ++++-- + arch/x86/include/asm/uaccess.h | 6 +++--- + arch/x86/kernel/kprobes-opt.c | 4 ++++ + arch/x86/lib/copy_user_nocache_64.S | 2 +- + arch/x86/lib/getuser.S | 8 ++++---- + arch/x86/lib/putuser.S | 8 ++++---- + arch/x86/mm/fault.c | 6 +++--- + drivers/net/slip/slhc.c | 2 +- + drivers/staging/iio/ring_sw.c | 2 +- + fs/binfmt_elf.c | 6 +++--- + fs/nfsd/nfscache.c | 2 +- + fs/xattr.c | 21 +++++++++++++++++++++ + include/linux/syscalls.h | 2 +- + include/linux/xattr.h | 3 +++ + init/main.c | 3 +++ + kernel/futex_compat.c | 2 +- + kernel/trace/trace.h | 2 +- + net/socket.c | 2 +- + security/Kconfig | 2 +- + 22 files changed, 67 insertions(+), 34 deletions(-) + +commit 814820abfe5b9a34401d838b2510431a4cd92be9 +Author: Dan Carpenter +Date: Mon May 6 09:31:17 2013 +0000 + + Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa + + tipc: potential divide by zero in tipc_link_recv_fragment() + + The worry here is that fragm_sz could be zero since it comes from + skb->data. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/tipc/link.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 +Author: Dan Carpenter +Date: Mon May 6 08:28:41 2013 +0000 + + Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc + + tipc: add a bounds check in link_recv_changeover_msg() + + The bearer_id here comes from skb->data and it can be a number from 0 to + 7. The problem is that the ->links[] array has only 2 elements so I + have added a range check. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/tipc/link.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit ed0428c4ef6c5498870772f212ac651216eb8d0c +Merge: 2452d8d dbf932a +Author: Brad Spengler +Date: Sun May 12 21:18:25 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/cpu/perf_event_intel_uncore.c + arch/x86/mm/init.c + +commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 +Author: Brad Spengler +Date: Sun May 12 20:24:01 2013 -0400 + + compile fix + + grsecurity/gracl.c | 1 + + grsecurity/gracl_segv.c | 1 + + 2 files changed, 2 insertions(+), 0 deletions(-) + +commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 +Author: Brad Spengler +Date: Sun May 12 18:25:26 2013 -0400 + + fix btrfs support here as well + + grsecurity/gracl_segv.c | 17 +++++++++-------- + 1 files changed, 9 insertions(+), 8 deletions(-) + +commit c75e4664fe4d20da1639f70d9def097c4f20856b +Author: Brad Spengler +Date: Sun May 12 18:12:57 2013 -0400 + + Fix RBAC compatibility with btrfs compiled as a module, as + reported on the forums by YuHg at: + http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 + + fs/btrfs/inode.c | 11 +---------- + grsecurity/gracl.c | 19 ++++++++++--------- + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_disabled.c | 2 +- + 4 files changed, 13 insertions(+), 21 deletions(-) + +commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 +Author: Brad Spengler +Date: Sat May 11 12:12:00 2013 -0400 + + allow copies just up to the start of kernel code + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 04638852588cf243f865f5a73aa9dab94fab53b7 +Author: Brad Spengler +Date: Fri May 10 16:53:07 2013 -0400 + + MODULES_EXEC_VADDR is a virtual address + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 +Author: Brad Spengler +Date: Fri May 10 16:51:03 2013 -0400 + + exempt module rx areas from usercopy protection under i386 kernexec + their .rodata will be placed between stext/etext causing copies of + constant strings to trigger usercopy reports/terminations + + fs/exec.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da +Author: Brad Spengler +Date: Wed May 8 20:25:52 2013 -0400 + + User jorgus on the forums: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 + discovered that the upstreamed version of enforcing RLIMIT_NPROC + at setuid/exec time missed an important corner case: + If RLIMIT_NPROC is set after a setuid occurs and the user's process + limit is reached elsewhere, no enforcement of RLIMIT_NPROC will + happen at exec time for the task with a modified RLIMIT_NPROC. + + This patch fixes that. + + kernel/sys.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff +Merge: 539fff0 2452d8d +Author: Brad Spengler +Date: Wed May 8 18:13:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a +Merge: 6c850d8 9c9ab76 +Author: Brad Spengler +Date: Wed May 8 18:13:31 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/irq.c + kernel/trace/trace_stack.c + +commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a +Author: Brad Spengler +Date: Tue May 7 21:43:00 2013 -0400 + + turn counter into a flag + + grsecurity/Kconfig | 2 +- + grsecurity/grsec_chroot.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 +Author: Brad Spengler +Date: Tue May 7 21:02:39 2013 -0400 + + add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity + useful for Fedora/RHEL users + + grsecurity/Kconfig | 10 ++++++++++ + grsecurity/grsec_chroot.c | 17 +++++++++++++++-- + 2 files changed, 25 insertions(+), 2 deletions(-) + +commit 418102925c0cfb0de51b0a021abaa575e28fafa6 +Author: Peter Zijlstra +Date: Fri May 3 14:11:25 2013 +0200 + + Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 + + perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL + + We should always have proper privileges when requesting kernel + data. + + Signed-off-by: Peter Zijlstra + Cc: + Cc: Andi Kleen + Cc: eranian@google.com + Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl + [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] + Signed-off-by: Ingo Molnar + Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org + + arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- + 1 files changed, 10 insertions(+), 3 deletions(-) + +commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 +Author: Eric Dumazet +Date: Mon Apr 29 05:58:52 2013 +0000 + + Upstream commit: aebda156a570782a86fc4426842152237a19427d + + net: defer net_secret[] initialization + + Instead of feeding net_secret[] at boot time, defer the init + at the point first socket is created. + + This permits some platforms to use better entropy sources than + the ones available at boot time. + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + + include/net/secure_seq.h | 1 + + net/core/secure_seq.c | 4 +--- + net/ipv4/af_inet.c | 5 ++++- + 3 files changed, 6 insertions(+), 4 deletions(-) + +commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac +Author: Daniel Borkmann +Date: Wed May 1 02:59:23 2013 +0000 + + Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 + + net: sctp: attribute printl with __printf for gcc fmt checks + + Let GCC check for format string errors in sctp's probe printl + function. This patch fixes the warning when compiled with W=1: + + net/sctp/probe.c:73:2: warning: function might be possible candidate + for 'gnu_printf' format attribute [-Wmissing-format-attribute] + + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + net/sctp/probe.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 +Author: Brad Spengler +Date: Thu May 2 19:58:54 2013 -0400 + + remove no-longer-needed vmware 8 compat fix + + mm/page_alloc.c | 6 ------ + 1 files changed, 0 insertions(+), 6 deletions(-) + +commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 +Author: Brad Spengler +Date: Thu May 2 19:55:23 2013 -0400 + + remove unnecessary < 0 check + + net/phonet/af_phonet.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f +Author: Brad Spengler +Date: Wed May 1 18:30:48 2013 -0400 + + remove references to CONFIG_X86_WP_WORKS_OK + + arch/um/defconfig | 1 - + security/Kconfig | 2 +- + 2 files changed, 1 insertions(+), 2 deletions(-) + +commit 408da6791f93ffe00d26bfe919f1b2218fe0804d +Merge: a8dbe8e 6c850d8 +Author: Brad Spengler +Date: Wed May 1 18:28:44 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/mm/ultra.S + drivers/tty/tty_io.c + +commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf +Merge: cdbcbef 9fa1d01 +Author: Brad Spengler +Date: Wed May 1 18:25:18 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 +Author: Brad Spengler +Date: Mon Apr 29 18:44:23 2013 -0400 + + add module.h to silence compiler warning, thanks to + Sergei Trofimovich + + fs/btrfs/inode.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 55eba82aca97aa56378e000840c48965557721e8 +Author: Brad Spengler +Date: Mon Apr 29 18:43:03 2013 -0400 + + compilation fix + + kernel/trace/trace.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e3bf912b54af6df7fbebc68b5999554562056c5c +Merge: 5b72e37 cdbcbef +Author: Brad Spengler +Date: Mon Apr 29 18:34:42 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cdbcbef45c4f003cbee11e10668a35d424c17c60 +Author: Brad Spengler +Date: Mon Apr 29 18:33:35 2013 -0400 + + Update to pax-linux-3.8.10-test21.patch: + - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 + - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 + note that the false positive is not fixed yet + - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin + - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) + - reverted the nested NMI fix in search for a real one + - simplified the arm_delay_ops constification + + arch/arm/include/asm/delay.h | 8 ++++---- + arch/arm/lib/delay.c | 17 +++++------------ + arch/x86/kernel/entry_64.S | 11 ++++++++++- + arch/x86/kernel/i8259.c | 2 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kvm/vmx.c | 4 ++-- + drivers/block/pktcdvd.c | 2 +- + fs/btrfs/extent-tree.c | 2 +- + fs/nfsd/nfscache.c | 6 ++++-- + kernel/trace/trace.c | 2 +- + tools/gcc/structleak_plugin.c | 4 ++++ + 11 files changed, 34 insertions(+), 26 deletions(-) + +commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 +Author: Brad Spengler +Date: Fri Apr 26 20:53:06 2013 -0400 + + don't use file_inode() + + drivers/tty/tty_io.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 +Author: Jiri Slaby +Date: Fri Apr 26 13:48:53 2013 +0200 + + Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee + + TTY: fix atime/mtime regression + + In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") + we removed timestamps from tty inodes to fix a security issue and waited + if something breaks. Well, 'w', the utility to find out logged users + and their inactivity time broke. It shows that users are inactive since + the time they logged in. + + To revert to the old behaviour while still preventing attackers to + guess the password length, we update the timestamps in one-minute + intervals by this patch. + + Signed-off-by: Jiri Slaby + Cc: Greg Kroah-Hartman + Signed-off-by: Linus Torvalds + + Conflicts: + + drivers/tty/tty_io.c + + drivers/tty/tty_io.c | 15 ++++++++++++++- + 1 files changed, 14 insertions(+), 1 deletions(-) + +commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec +Author: Jiri Slaby +Date: Fri Feb 15 15:25:05 2013 +0100 + + Upstream commit: b0de59b5733d + + TTY: do not update atime/mtime on read/write + + On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find + out length of a password using timestamps of /dev/ptmx. It is + documented in "Timing Analysis of Keystrokes and Timing Attacks on + SSH". To avoid that problem, do not update time when reading + from/writing to a TTY. + + I am afraid of regressions as this is a behavior we have since 0.97 + and apps may expect the time to be current, e.g. for monitoring + whether there was a change on the TTY. Now, there is no change. So + this would better have a lot of testing before it goes upstream. + + References: CVE-2013-0160 + + Signed-off-by: Jiri Slaby + Cc: stable # after 3.9 is out + Signed-off-by: Greg Kroah-Hartman + + drivers/tty/tty_io.c | 8 ++------ + 1 files changed, 2 insertions(+), 6 deletions(-) + +commit 5344a24e2320d61dbdb88aae04922f0799deefd0 +Author: Zhao Hongjiang +Date: Fri Apr 26 11:03:53 2013 +0800 + + Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad + + aio: fix possible invalid memory access when DEBUG is enabled + + dprintk() shouldn't access @ring after it's unmapped. + + Signed-off-by: Zhao Hongjiang + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + fs/aio.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 +Author: John David Anglin +Date: Tue Apr 23 22:42:07 2013 +0200 + + Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 + + parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates + + User applications running on SMP kernels have long suffered from instability + and random segmentation faults. This patch improves the situation although + there is more work to be done. + + One of the problems is the various routines in pgtable.h that update page table + entries use different locking mechanisms, or no lock at all (set_pte_at). This + change modifies the routines to all use the same lock pa_dbit_lock. This lock + is used for dirty bit updates in the interruption code. The patch also purges + the TLB entries associated with the PTE to ensure that inconsistent values are + not used after the page table entry is updated. The UP and SMP code are now + identical. + + The change also includes a minor update to the purge_tlb_entries function in + cache.c to improve its efficiency. + + Signed-off-by: John David Anglin + Cc: Helge Deller + Signed-off-by: Helge Deller + + arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- + arch/parisc/kernel/cache.c | 5 +--- + 2 files changed, 26 insertions(+), 26 deletions(-) + +commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 +Merge: ba54c97 4d05084 +Author: Brad Spengler +Date: Fri Apr 26 18:17:20 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kvm/x86.c + include/linux/capability.h + +commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 +Merge: c664779 bb8dd67 +Author: Brad Spengler +Date: Fri Apr 26 18:15:45 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 +Author: David S. Miller +Date: Wed Apr 24 16:52:18 2013 -0700 + + Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee + + sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. + + Reported-by: Meelis Roos + Signed-off-by: David S. Miller + + arch/sparc/mm/tlb.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 +Author: David S. Miller +Date: Fri Apr 19 17:26:26 2013 -0400 + + Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 + + sparc64: Fix race in TLB batch processing. + + As reported by Dave Kleikamp, when we emit cross calls to do batched + TLB flush processing we have a race because we do not synchronize on + the sibling cpus completing the cross call. + + So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) + and either flushes are missed or flushes will flush the wrong + addresses. + + Fix this by using generic infrastructure to synchonize on the + completion of the cross call. + + This first required getting the flush_tlb_pending() call out from + switch_to() which operates with locks held and interrupts disabled. + The problem is that smp_call_function_many() cannot be invoked with + IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). + + We get the batch processing outside of locked IRQ disabled sections by + using some ideas from the powerpc port. Namely, we only batch inside + of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a + region, we flush TLBs synchronously. + + 1) Get rid of xcall_flush_tlb_pending and per-cpu type + implementations. + + 2) Do TLB batch cross calls instead via: + + smp_call_function_many() + tlb_pending_func() + __flush_tlb_pending() + + 3) Batch only in lazy mmu sequences: + + a) Add 'active' member to struct tlb_batch + b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE + c) Set 'active' in arch_enter_lazy_mmu_mode() + d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() + e) Check 'active' in tlb_batch_add_one() and do a synchronous + flush if it's clear. + + 4) Add infrastructure for synchronous TLB page flushes. + + a) Implement __flush_tlb_page and per-cpu variants, patch + as needed. + b) Likewise for xcall_flush_tlb_page. + c) Implement smp_flush_tlb_page() to invoke the cross-call. + d) Wire up global_flush_tlb_page() to the right routine based + upon CONFIG_SMP + + 5) It turns out that singleton batches are very common, 2 out of every + 3 batch flushes have only a single entry in them. + + The batch flush waiting is very expensive, both because of the poll + on sibling cpu completeion, as well as because passing the tlb batch + pointer to the sibling cpus invokes a shared memory dereference. + + Therefore, in flush_tlb_pending(), if there is only one entry in + the batch perform a completely asynchronous global_flush_tlb_page() + instead. + + Reported-by: Dave Kleikamp + Signed-off-by: David S. Miller + Acked-by: Dave Kleikamp + + arch/sparc/include/asm/pgtable_64.h | 1 + + arch/sparc/include/asm/switch_to_64.h | 3 +- + arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- + arch/sparc/kernel/smp_64.c | 41 ++++++++++- + arch/sparc/mm/tlb.c | 38 +++++++++- + arch/sparc/mm/tsb.c | 57 ++++++++++++---- + arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- + 7 files changed, 241 insertions(+), 55 deletions(-) + +commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 +Author: Linus Torvalds +Date: Fri Apr 19 15:32:32 2013 +0000 + + Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 + + net: fix incorrect credentials passing + + Commit 257b5358b32f ("scm: Capture the full credentials of the scm + sender") changed the credentials passing code to pass in the effective + uid/gid instead of the real uid/gid. + + Obviously this doesn't matter most of the time (since normally they are + the same), but it results in differences for suid binaries when the wrong + uid/gid ends up being used. + + This just undoes that (presumably unintentional) part of the commit. + + Reported-by: Andy Lutomirski + Cc: Eric W. Biederman + Cc: Serge E. Hallyn + Cc: David S. Miller + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + Acked-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + include/net/scm.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 +Author: Brad Spengler +Date: Thu Apr 18 19:22:40 2013 -0400 + + move _etext to only cover kernel code, not read-only data, as reported by Gu1 + + arch/arm/kernel/vmlinux.lds.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 98ad6adbc48759e4f9eae435d3e51ba487155685 +Author: Brad Spengler +Date: Thu Apr 18 19:17:24 2013 -0400 + + add asm/sections.h for USERCOPY change + + fs/exec.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 +Author: Dmitry Popov +Date: Thu Apr 11 08:55:07 2013 +0000 + + Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 + + tcp: incoming connections might use wrong route under synflood + + There is a bug in cookie_v4_check (net/ipv4/syncookies.c): + flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), + RT_SCOPE_UNIVERSE, IPPROTO_TCP, + inet_sk_flowi_flags(sk), + (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, + ireq->loc_addr, th->source, th->dest); + + Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be + taken. This dst_entry is used by new socket (get_cookie_sock -> + tcp_v4_syn_recv_sock), so its packets may take the wrong path. + + Signed-off-by: Dmitry Popov + Signed-off-by: David S. Miller + + net/ipv4/syncookies.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 3600395e8fef3ae712e72f9b68c3609639616df8 +Author: Thomas Graf +Date: Thu Apr 11 10:57:18 2013 +0000 + + Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 + + tcp: Reallocate headroom if it would overflow csum_start + + If a TCP retransmission gets partially ACKed and collapsed multiple + times it is possible for the headroom to grow beyond 64K which will + overflow the 16bit skb->csum_start which is based on the start of + the headroom. It has been observed rarely in the wild with IPoIB due + to the 64K MTU. + + Verify if the acking and collapsing resulted in a headroom exceeding + what csum_start can cover and reallocate the headroom if so. + + A big thank you to Jim Foraker and the team at + LLNL for helping out with the investigation and testing. + + Reported-by: Jim Foraker + Signed-off-by: Thomas Graf + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/tcp_output.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 +Author: Ivan Vecera +Date: Fri Apr 12 16:49:24 2013 +0200 + + Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f + + be2net: take care of __vlan_put_tag return value + + The driver should use return value of __vlan_put_tag with appropriate + NULL-check instead of old skb pointer. + + Signed-off-by: Ivan Vecera + Signed-off-by: David S. Miller + + drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 +Author: Wei Yongjun +Date: Fri Apr 12 03:17:12 2013 +0000 + + Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 + + tuntap: fix error return code in tun_set_iff() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + [ Bug added in linux-3.8 , commit 4008e97f866db665 + ("tuntap: fix ambigious multiqueue API") ] + + Signed-off-by: Wei Yongjun + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + drivers/net/tun.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c +Author: Wei Yongjun +Date: Sat Apr 13 15:49:03 2013 +0000 + + Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 + + esp4: fix error return code in esp_output() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + Signed-off-by: Wei Yongjun + Acked-by: Steffen Klassert + Signed-off-by: David S. Miller + + net/ipv4/esp4.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 2b45b5f52c2a8930f80c62de392a62516c83e225 +Author: Bjørn Mork +Date: Tue Apr 16 00:17:07 2013 +0000 + + Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 + + net: cdc_mbim: remove bogus sizeof() + + The intention was to test against the constant, not the size of + the constant. + + Signed-off-by: Bjørn Mork + Signed-off-by: David S. Miller + + drivers/net/usb/cdc_mbim.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 17d7408795519037a5a1272c7888238e20830bfe +Author: Vyacheslav Dubeyko +Date: Wed Apr 17 15:58:33 2013 -0700 + + Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 + + hfsplus: fix potential overflow in hfsplus_file_truncate() + + Change a u32 to loff_t hfsplus_file_truncate(). + + Signed-off-by: Vyacheslav Dubeyko + Cc: Christoph Hellwig + Cc: Al Viro + Cc: Hin-Tak Leung + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/hfsplus/extents.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b +Author: Emese Revfy +Date: Wed Apr 17 15:58:36 2013 -0700 + + Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f + + kernel/signal.c: stop info leak via the tkill and the tgkill syscalls + + This fixes a kernel memory contents leak via the tkill and tgkill syscalls + for compat processes. + + This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field + when handling signals delivered from tkill. + + The place of the infoleak: + + int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) + { + ... + put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); + ... + } + + Signed-off-by: Emese Revfy + Reviewed-by: PaX Team + Signed-off-by: Kees Cook + Cc: Al Viro + Cc: Oleg Nesterov + Cc: "Eric W. Biederman" + Cc: Serge Hallyn + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/signal.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 +Author: Brad Spengler +Date: Wed Apr 17 20:17:00 2013 -0400 + + Improve PAX_USERCOPY to reject direct copies to/from main kernel text + + fs/exec.c | 29 +++++++++++++++++++++++++++-- + 1 files changed, 27 insertions(+), 2 deletions(-) + +commit 3cb37d0c0c77dc3928ff8417f982139f95366eba +Merge: e87c19f c664779 +Author: Brad Spengler +Date: Wed Apr 17 20:06:08 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c664779987cb0c27a242029f0e0db812e3236203 +Author: Brad Spengler +Date: Wed Apr 17 19:54:09 2013 -0400 + + add intentional_overflow marking for resource_size() as reasoned by: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 + + include/linux/ioport.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e87c19f8312355b8658e5138c16bfa6043a379c8 +Merge: 802d119 d0c636c +Author: Brad Spengler +Date: Wed Apr 17 16:57:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d0c636ceaaf406e606898ce3e770e32fb043ea8a +Merge: bc88628 2396403 +Author: Brad Spengler +Date: Wed Apr 17 16:57:01 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/paravirt.c + +commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b +Author: Brad Spengler +Date: Sun Apr 14 21:39:51 2013 -0400 + + move location of RBAC user check on setfsuid until after capability checks + for consistency with other checks + + kernel/sys.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 1a860d7d67051559ab2e6d10f9888649c92904e6 +Author: Brad Spengler +Date: Sun Apr 14 21:34:46 2013 -0400 + + A denied setfsuid by the RBAC system would result in an abort_creds() being called + with an uninitalized pointer, introduced by a bad forward-port + + kernel/sys.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 +Merge: c38d142 bc88628 +Author: Brad Spengler +Date: Sun Apr 14 21:28:33 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit bc88628a6a8fcccaabb90908640809b0540df225 +Author: Brad Spengler +Date: Sun Apr 14 21:26:41 2013 -0400 + + Update to pax-linux-3.8.7-test20.patch: + - fixed KERNEXEC and NMI nesting problem reported by stef&hunger + - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 + - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) + - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) + + arch/powerpc/include/asm/smp.h | 2 +- + arch/x86/Kconfig | 4 ++-- + arch/x86/kernel/entry_64.S | 8 ++++---- + security/Kconfig | 2 +- + 4 files changed, 8 insertions(+), 8 deletions(-) + +commit c38d142744489fc4d9be80188b6435a278438fd9 +Author: Suleiman Souhlal +Date: Sat Apr 13 16:03:06 2013 -0700 + + Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 + + vfs: Revert spurious fix to spinning prevention in prune_icache_sb + + Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). + + This commit doesn't look right: since we are looking at the tail of the + list (sb->s_inode_lru.prev) if we want to skip an inode, we should put + it back at the head of the list instead of the tail, otherwise we will + keep spinning on it. + + Discovered when investigating why prune_icache_sb came top in perf + reports of a swapping load. + + Signed-off-by: Suleiman Souhlal + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org # v3.2+ + Signed-off-by: Linus Torvalds + + fs/inode.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 93019624b80ba59798393942798d7f6ed0c1dbc6 +Author: Linus Torvalds +Date: Sat Apr 13 15:15:30 2013 -0700 + + Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 + + kobject: fix kset_find_obj() race with concurrent last kobject_put() + + Anatol Pomozov identified a race condition that hits module unloading + and re-loading. To quote Anatol: + + "This is a race codition that exists between kset_find_obj() and + kobject_put(). kset_find_obj() might return kobject that has refcount + equal to 0 if this kobject is freeing by kobject_put() in other + thread. + + Here is timeline for the crash in case if kset_find_obj() searches for + an object tht nobody holds and other thread is doing kobject_put() on + the same kobject: + + THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) + splin_lock() + atomic_dec_return(kobj->kref), counter gets zero here + ... starts kobject cleanup .... + spin_lock() // WAIT thread A in kobj_kset_leave() + iterate over kset->list + atomic_inc(kobj->kref) (counter becomes 1) + spin_unlock() + spin_lock() // taken + // it does not know that thread A increased counter so it + remove obj from list + spin_unlock() + vfree(module) // frees module object with containing kobj + + // kobj points to freed memory area!! + kobject_put(kobj) // OOPS!!!! + + The race above happens because module.c tries to use kset_find_obj() + when somebody unloads module. The module.c code was introduced in + commit 6494a93d55fa" + + Anatol supplied a patch specific for module.c that worked around the + problem by simply not using kset_find_obj() at all, but rather than make + a local band-aid, this just fixes kset_find_obj() to be thread-safe + using the proper model of refusing the get a new reference if the + refcount has already dropped to zero. + + See examples of this proper refcount handling not only in the kref + documentation, but in various other equivalent uses of this pattern by + grepping for atomic_inc_not_zero(). + + [ Side note: the module race does indicate that module loading and + unloading is not properly serialized wrt sysfs information using the + module mutex. That may require further thought, but this is the + correct fix at the kobject layer regardless. ] + + Reported-analyzed-and-tested-by: Anatol Pomozov + Cc: Greg Kroah-Hartman + Cc: Al Viro + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + lib/kobject.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +commit 5277b052b5fab36729e1255fb3b12f47a4b12867 +Author: Dave Hansen +Date: Fri Apr 12 16:23:54 2013 -0700 + + Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 + + x86-32: Fix possible incomplete TLB invalidate with PAE pagetables + + This patch attempts to fix: + + https://bugzilla.kernel.org/show_bug.cgi?id=56461 + + The symptom is a crash and messages like this: + + chrome: Corrupted page table at address 34a03000 + *pdpt = 0000000000000000 *pde = 0000000000000000 + Bad pagetable: 000f [#1] PREEMPT SMP + + Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: + enable tlb flush range support for x86") since that code started to free + unused pagetables. + + On x86-32 PAE kernels, that new code has the potential to free an entire + PMD page and will clear one of the four page-directory-pointer-table + (aka pgd_t entries). + + The hardware aggressively "caches" these top-level entries and invlpg + does not actually affect the CPU's copy. If we clear one we *HAVE* to + do a full TLB flush, otherwise we might continue using a freed pmd page. + (note, we do this properly on the population side in pud_populate()). + + This patch tracks whenever we clear one of these entries in the 'struct + mmu_gather', and ensures that we follow up with a full tlb flush. + + BTW, I disassembled and checked that: + + if (tlb->fullmm == 0) + and + if (!tlb->fullmm && !tlb->need_flush_all) + + generate essentially the same code, so there should be zero impact there + to the !PAE case. + + Signed-off-by: Dave Hansen + Cc: Peter Anvin + Cc: Ingo Molnar + Cc: Artem S Tashkinov + Signed-off-by: Linus Torvalds + + arch/x86/include/asm/tlb.h | 2 +- + arch/x86/mm/pgtable.c | 7 +++++++ + include/asm-generic/tlb.h | 7 ++++++- + mm/memory.c | 1 + + 4 files changed, 15 insertions(+), 2 deletions(-) + +commit 521e573fc77d1783c1d4636dfbb4617a922f043d +Merge: 032f626 f807619 +Author: Brad Spengler +Date: Fri Apr 12 19:29:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f80761993b85df96fc142dfc3a317cadc0f8eae5 +Author: Brad Spengler +Date: Fri Apr 12 19:28:21 2013 -0400 + + Update to pax-linux-3.8.7-test19.patch: + - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld + - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) + - fixed the structleak plugin to compile for gcc 4.5-4.6 as well + + Makefile | 2 +- + arch/x86/xen/enlighten.c | 6 +++--- + tools/gcc/structleak_plugin.c | 5 +++-- + 3 files changed, 7 insertions(+), 6 deletions(-) + +commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 +Merge: a3a770e 89886f5 +Author: Brad Spengler +Date: Fri Apr 12 18:38:40 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89886f561cc0d1c42a99624ec8c3704711088155 +Merge: 9123489 531ec28 +Author: Brad Spengler +Date: Fri Apr 12 18:38:30 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit a3a770e18578841e4fbe2aa0831a22811b4812cf +Author: Brad Spengler +Date: Thu Apr 11 20:46:20 2013 -0400 + + Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" + Will be fixed with the next PaX patch + + This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 +Author: Konrad Rzeszutek Wilk +Date: Fri Mar 29 10:20:56 2013 -0400 + + Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 + + xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. + + Occassionaly on a DL380 G4 the guest would crash quite early with this: + + (XEN) d244:v0: unhandled page fault (ec=0003) + (XEN) Pagetable walk from ffffffff84dc7000: + (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 + (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d + (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def + (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 + (XEN) domain_crash_sync called from entry.S + (XEN) Domain 244 (vcpu#0) crashed on cpu#3: + (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- + (XEN) CPU: 3 + (XEN) RIP: e033:[] + (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest + (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f + (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 + + The offending code shows it to be a loop writting the value zero + (%rax) in the %rdi (the L4 provided by Xen) register: + + 0: 44 00 00 add %r8b,(%rax) + 3: 31 c0 xor %eax,%eax + 5: b9 40 00 00 00 mov $0x40,%ecx + a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) + 11: 00 00 + 13: ff c9 dec %ecx + 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction + 18: 48 89 47 08 mov %rax,0x8(%rdi) + 1c: 48 89 47 10 mov %rax,0x10(%rdi) + + which fails. xen_setup_kernel_pagetable recycles some of the Xen's + page-table entries when it has switched over to its Linux page-tables. + + Right before try to clear the page, we make a hypercall to change + it from _RO to _RW and that works (otherwise we would hit an BUG()). + And the _RW flag is set for that page: + (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 + + The error code is 3, so PFEC_page_present and PFEC_write_access, so page is + present (correct), and we tried to write to the page, but a violation + occurred. The one theory is that the the page entries in hardware + (which are cached) are not up to date with what we just set. Especially + as we have just done an CR3 write and flushed the multicalls. + + This patch does solve the problem by flusing out the TLB page + entry after changing it from _RO to _RW and we don't hit this + issue anymore. + + Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO + 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] + Reported-and-Tested-by: Saar Maoz + Signed-off-by: Konrad Rzeszutek Wilk + + arch/x86/xen/mmu.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 +Author: Namhyung Kim +Date: Mon Apr 1 21:46:23 2013 +0900 + + Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 + + tracing: Fix double free when function profile init failed + + On the failure path, stat->start and stat->pages will refer same page. + So it'll attempt to free the same page again and get kernel panic. + + Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org + + Cc: Frederic Weisbecker + Cc: Namhyung Kim + Cc: stable@vger.kernel.org + Signed-off-by: Namhyung Kim + Signed-off-by: Steven Rostedt + + kernel/trace/ftrace.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb +Author: Neil Horman +Date: Tue Apr 9 23:19:00 2013 +0000 + + Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 + + e100: Add dma mapping error check + + e100 uses pci_map_single, but fails to check for a dma mapping error after its + use, resulting in a stack trace: + + [ 46.656594] ------------[ cut here ]------------ + [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() + [ 46.657004] Hardware name: To Be Filled By O.E.M. + [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map + error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] + [ 46.657004] Modules linked in: + [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus + snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc + e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp + k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd + sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit + drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core + sata_promise crc_itu_t + [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 + [ 46.657004] Call Trace: + [ 46.657004] [] warn_slowpath_common+0x70/0xa0 + [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 + [ 46.657004] [] check_unmap+0x47b/0x950 + [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 + [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] + [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] + [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] + [ 46.657004] [] ? net_rx_action+0xa1/0x370 + [ 46.657004] [] net_rx_action+0x172/0x370 + [ 46.657004] [] __do_softirq+0xef/0x3d0 + [ 46.657004] [] call_softirq+0x1c/0x30 + [ 46.657004] [] do_softirq+0x85/0xc0 + [ 46.657004] [] irq_exit+0xd5/0xe0 + [ 46.657004] [] do_IRQ+0x56/0xc0 + [ 46.657004] [] common_interrupt+0x72/0x72 + [ 46.657004] [] ? + _raw_spin_unlock_irqrestore+0x3b/0x70 + [ 46.657004] [] __slab_free+0x58/0x38b + [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 + [ 46.657004] [] ? kmem_cache_free+0x97/0x320 + [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 + [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 + [ 46.657004] [] kmem_cache_free+0x312/0x320 + [ 46.657004] [] sock_destroy_inode+0x34/0x40 + [ 46.657004] [] destroy_inode+0x38/0x60 + [ 46.657004] [] evict+0x10e/0x1a0 + [ 46.657004] [] iput+0xf5/0x180 + [ 46.657004] [] dput+0x248/0x310 + [ 46.657004] [] __fput+0x171/0x240 + [ 46.657004] [] ____fput+0xe/0x10 + [ 46.657004] [] task_work_run+0xac/0xe0 + [ 46.657004] [] do_exit+0x26d/0xc30 + [ 46.657004] [] ? finish_task_switch+0x7c/0x120 + [ 46.657004] [] ? retint_swapgs+0x13/0x1b + [ 46.657004] [] do_group_exit+0x49/0xc0 + [ 46.657004] [] sys_exit_group+0x14/0x20 + [ 46.657004] [] system_call_fastpath+0x16/0x1b + [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- + [ 46.657004] Mapped at: + [ 46.657004] [] debug_dma_map_page+0x91/0x140 + [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] + [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] + [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] + [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 + + Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the + dma_mapping_error check in the obvious place + + This was reported previously here: + http://article.gmane.org/gmane.linux.network/257893 + + But nobody stepped up and fixed it. + + CC: Josh Boyer + CC: e1000-devel@lists.sourceforge.net + Signed-off-by: Neil Horman + Reported-by: Michal Jaegermann + Tested-by: Aaron Brown + Signed-off-by: Jeff Kirsher + Signed-off-by: David S. Miller + + drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- + 1 files changed, 25 insertions(+), 11 deletions(-) + +commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 +Author: Trond Myklebust +Date: Wed Apr 10 12:44:18 2013 -0400 + + Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 + + NFSv4: Doh! Typo in the fix to nfs41_walk_client_list + + Make sure that we set the status to 0 on success. Missed in testing + because it never appears when doing multiple mounts to _different_ + servers. + + Signed-off-by: Trond Myklebust + Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list + + fs/nfs/nfs4client.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea +Author: Yuval Mintz +Date: Wed Apr 10 13:34:39 2013 +0300 + + Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b + + bnx2x: Prevent null pointer dereference in AFEX mode + + The cnic module is responsible for initializing various bnx2x structs + via callbacks provided by the bnx2x module. + One such struct is the queue object for the FCoE queue. + + If a device is working in AFEX mode and its configuration allows FCoE yet + the cnic module is not loaded, it's very likely a null pointer dereference + will occur, as the bnx2x will erroneously access the FCoE's queue object. + + Prevent said access until cnic properly registers itself. + + Signed-off-by: Yuval Mintz + Signed-off-by: Ariel Elior + Signed-off-by: Eilon Greenstein + Signed-off-by: David S. Miller + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 2908830232725db624aaa052f7ad38d1f98bf541 +Author: Wei Yongjun +Date: Tue Apr 9 14:16:04 2013 +0800 + + Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc + + can: gw: use kmem_cache_free() instead of kfree() + + Memory allocated by kmem_cache_alloc() should be freed using + kmem_cache_free(), not kfree(). + + Cc: linux-stable # >= v3.2 + Signed-off-by: Wei Yongjun + Acked-by: Oliver Hartkopp + Signed-off-by: Marc Kleine-Budde + + net/can/gw.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit d40b572e845a5fb561e3c4a80cc306cd38888a4e +Author: Christoph Paasch +Date: Sun Apr 7 04:53:15 2013 +0000 + + Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd + + ipv6/tcp: Stop processing ICMPv6 redirect messages + + Tetja Rediske found that if the host receives an ICMPv6 redirect message + after sending a SYN+ACK, the connection will be reset. + + He bisected it down to 093d04d (ipv6: Change skb->data before using + icmpv6_notify() to propagate redirect), but the origin of the bug comes + from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error + handlers.). The bug simply did not trigger prior to 093d04d, because + skb->data did not point to the inner IP header and thus icmpv6_notify + did not call the correct err_handler. + + This patch adds the missing "goto out;" in tcp_v6_err. After receiving + an ICMPv6 Redirect, we should not continue processing the ICMP in + tcp_v6_err, as this may trigger the removal of request-socks or setting + sk_err(_soft). + + Reported-by: Tetja Rediske + Signed-off-by: Christoph Paasch + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv6/tcp_ipv6.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c7d5c2524456ef3ea9194840e7a9a75069a46824 +Author: Brad Spengler +Date: Wed Apr 10 20:32:54 2013 -0400 + + - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit acac2380fd97acee4367d2aa24c74322dcf1d22b +Author: Trond Myklebust +Date: Fri Apr 5 16:11:11 2013 -0400 + + Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc + + NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list + + It is unsafe to use list_for_each_entry_safe() here, because + when we drop the nn->nfs_client_lock, we pin the _current_ list + entry and ensure that it stays in the list, but we don't do the + same for the _next_ list entry. Use of list_for_each_entry() is + therefore the correct thing to do. + + Also fix the refcounting in nfs41_walk_client_list(). + + Finally, ensure that the nfs_client has finished being initialised + and, in the case of NFSv4.1, that the session is set up. + + Signed-off-by: Trond Myklebust + Cc: Chuck Lever + Cc: Bryan Schumaker + Cc: stable@vger.kernel.org [>= 3.7] + + fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- + 1 files changed, 28 insertions(+), 16 deletions(-) + +commit a6cf5f387b882ac0ce655b75f623f86c075517be +Author: Chuck Lever +Date: Fri Mar 22 12:52:59 2013 -0400 + + Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e + + SUNRPC: Remove extra xprt_put() + + While testing error cases where rpc_new_client() fails, I saw + some oopses. + + If rpc_new_client() fails, it already invokes xprt_put(). Thus + __rpc_clone_client() does not need to invoke it again. + + Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" + Fri Sep 14, 2012. + + Signed-off-by: Chuck Lever + Cc: stable@vger.kernel.org [>=3.7] + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 +Author: Trond Myklebust +Date: Fri Apr 5 14:13:21 2013 -0400 + + Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 + + SUNRPC: Fix a potential memory leak in rpc_new_client + + If the call to rpciod_up() fails, we currently leak a reference to the + struct rpc_xprt. + As part of the fix, we also remove the redundant check for xprt!=NULL. + This is already taken care of by the callers. + + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 7 ++----- + 1 files changed, 2 insertions(+), 5 deletions(-) + +commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac +Author: Brad Spengler +Date: Wed Apr 10 19:16:05 2013 -0400 + + From https://lkml.org/lkml/2013/4/8/469: + [PATCH] rtnetlink: call nlmsg_parse() with correct header length + + net/core/rtnetlink.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9529169b8c405874fd543b785f53c74fa0501c2a +Author: Christopher Harvey +Date: Fri Apr 5 10:51:15 2013 -0400 + + Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 + + drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. + + This change properly enables the "requester" in G200ER cards that is + responsible for getting pixels out of memory and clocking them out to + the screen. + + Signed-off-by: Christopher Harvey + Cc: stable@vger.kernel.org + Signed-off-by: Dave Airlie + + drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- + 1 files changed, 3 insertions(+), 10 deletions(-) + +commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a +Author: Al Viro +Date: Thu Mar 28 13:30:23 2013 -0400 + + Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee + + ecryptfs: close rmmod race + + Signed-off-by: Al Viro + + fs/ecryptfs/miscdev.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b +Author: Brad Spengler +Date: Wed Apr 10 19:03:45 2013 -0400 + + Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 + + arch/ia64/kernel/palinfo.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 83280e384ae3ceadad30369ced111dc7d4b46085 +Author: Andrey Vagin +Date: Tue Apr 9 17:33:29 2013 +0400 + + Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 + + mnt: release locks on error path in do_loopback + + do_loopback calls lock_mount(path) and forget to unlock_mount + if clone_mnt or copy_mnt fails. + + [ 77.661566] ================================================ + [ 77.662939] [ BUG: lock held when returning to user space! ] + [ 77.664104] 3.9.0-rc5+ #17 Not tainted + [ 77.664982] ------------------------------------------------ + [ 77.666488] mount/514 is leaving the kernel with locks still held! + [ 77.668027] 2 locks held by mount/514: + [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 + [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 + + Signed-off-by: Andrey Vagin + Signed-off-by: Al Viro + + fs/namespace.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 679e536b9d9536d804f049fe942367a596253e6d +Author: Alex Williamson +Date: Tue Mar 26 11:33:16 2013 -0600 + + Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c + + vfio-pci: Fix possible integer overflow + + The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both + of which are unsigned. We attempt to bounds check these, but fail to + account for the case where start is a very large number, allowing + start + count to wrap back into the valid range. Bounds check both + start and start + count. + + Reported-by: Dan Carpenter + Signed-off-by: Alex Williamson + + drivers/vfio/pci/vfio_pci.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 +Author: Brad Spengler +Date: Wed Apr 10 18:48:45 2013 -0400 + + Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b5261a6384ee42499b29495aaae40b271e77d394 +Author: Brad Spengler +Date: Tue Apr 9 17:30:45 2013 -0400 + + some undefined behavior fixups + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_ip.c | 10 +++++----- + grsecurity/gracl_segv.c | 4 ++-- + 3 files changed, 9 insertions(+), 9 deletions(-) + +commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 +Author: Brad Spengler +Date: Tue Apr 9 17:28:54 2013 -0400 + + don't whine about denied ipv6 when it's not enabled + + grsecurity/gracl_ip.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 +Merge: 97bca88 9123489 +Author: Brad Spengler +Date: Tue Apr 9 17:18:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 9123489428c58668a89f316db6619739cbdd2c2a +Author: Brad Spengler +Date: Tue Apr 9 17:17:46 2013 -0400 + + Update to pax-linux-3.8.6-test18.patch: + - new size overflow plugin from Emese to work around a gcc optimization + resulting in an intentional overflow, reported by Carlos Carvalho + (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) + + tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- + 1 files changed, 66 insertions(+), 2 deletions(-) + +commit 97bca8889e0f1e853f16b7026c39c6729a8587ab +Merge: 675a41e e9d6073 +Author: Brad Spengler +Date: Mon Apr 8 21:32:59 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/kernel/us3_cpufreq.c + +commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef +Author: Brad Spengler +Date: Mon Apr 8 21:19:03 2013 -0400 + + Update to pax-linux-3.8.6-test17.patch: + - fixed ia64/ppc/sparc compilation by spender + - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) + + arch/ia64/include/asm/uaccess.h | 2 - + arch/powerpc/include/asm/uaccess.h | 2 - + arch/sparc/include/asm/uaccess.h | 7 ---- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- + tools/gcc/structleak_plugin.c | 15 ++++---- + 6 files changed, 28 insertions(+), 69 deletions(-) + +commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b +Author: Brad Spengler +Date: Sun Apr 7 12:00:50 2013 -0400 + + fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin + + net/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5a216624a06429488f24ce47db093da042f90e48 +Author: Brad Spengler +Date: Sat Apr 6 13:22:24 2013 -0400 + + fix typo + + arch/sparc/kernel/us3_cpufreq.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit e476ca18d21788898cd3acd1b57049971a2fb70f +Author: Brad Spengler +Date: Sat Apr 6 13:16:13 2013 -0400 + + properly fix cpufreq_driver for ultrasparc III with constification + + arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ + 1 files changed, 17 insertions(+), 18 deletions(-) + +commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae +Author: Brad Spengler +Date: Sat Apr 6 12:58:48 2013 -0400 + + mark prom_sparc_ops __initconst + + arch/sparc/kernel/prom_common.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 +Author: Brad Spengler +Date: Sat Apr 6 12:53:16 2013 -0400 + + fix ia64/powerpc/sparc compilation + + arch/ia64/include/asm/uaccess.h | 2 -- + arch/powerpc/include/asm/uaccess.h | 2 -- + arch/sparc/include/asm/uaccess.h | 7 ------- + 3 files changed, 0 insertions(+), 11 deletions(-) + +commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 +Author: Johannes Berg +Date: Tue Mar 19 20:26:57 2013 +0100 + + Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d + + cfg80211: fix wdev tracing crash + + Arend reported a crash in tracing if the driver returns an + ERR_PTR() value from the add_virtual_intf() callback. This + is due to the tracing then still attempting to dereference + the "pointer", fix this by using IS_ERR_OR_NULL(). + + Reported-by: Arend van Spriel + Tested-by: Arend van Spriel + Signed-off-by: Johannes Berg + + net/wireless/trace.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd +Author: Johannes Berg +Date: Mon Mar 25 11:51:14 2013 +0100 + + Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b + + mac80211: fix remain-on-channel cancel crash + + If a ROC item is canceled just as it expires, the work + struct may be scheduled while it is running (and waiting + for the mutex). This results in it being run after being + freed, which obviously crashes. + + To fix this don't free it when aborting is requested but + instead mark it as "to be freed", which makes the work a + no-op and allows freeing it outside. + + Cc: stable@vger.kernel.org [3.6+] + Reported-by: Jouni Malinen + Tested-by: Jouni Malinen + Signed-off-by: Johannes Berg + + net/mac80211/cfg.c | 6 ++++-- + net/mac80211/ieee80211_i.h | 3 ++- + net/mac80211/offchannel.c | 23 +++++++++++++++++------ + 3 files changed, 23 insertions(+), 9 deletions(-) + +commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 +Author: Stone Piao +Date: Fri Mar 29 19:21:21 2013 -0700 + + Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f + + mwifiex: limit channel number not to overflow memory + + Limit the channel number in scan request, or the driver scan + config structure memory will be overflowed. + + Cc: # 3.5+ + Signed-off-by: Stone Piao + Signed-off-by: Bing Zhao + Signed-off-by: John W. Linville + + drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 207c411512bdaf0e4271f93ecac6ca26588da36f +Author: Gao feng +Date: Thu Mar 21 19:48:41 2013 +0000 + + Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe + + netfilter: reset nf_trace in nf_reset + + We forgot to clear the nf_trace of sk_buff in nf_reset, + When we use veth device, this nf_trace information will + be leaked from one net namespace to another net namespace. + + Signed-off-by: Gao feng + Signed-off-by: Pablo Neira Ayuso + + include/linux/skbuff.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f +Author: Wei Yongjun +Date: Fri Mar 22 01:28:18 2013 +0000 + + Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c + + netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + Signed-off-by: Wei Yongjun + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_queue_core.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit a79feb7d3251eca577d83d7f69eee2b961ab2924 +Author: Pablo Neira Ayuso +Date: Sat Mar 23 16:57:59 2013 +0100 + + Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 + + netfilter: nfnetlink_acct: return -EINVAL if object name is empty + + If user-space tries to create accounting object with an empty + name, then return -EINVAL. + + Reported-by: Michael Zintakis + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_acct.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 +Author: Matthias Schiffer +Date: Sat Mar 30 10:23:12 2013 +0000 + + Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 + + netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths + + The bitmask used for the prefix mangling was being calculated + incorrectly, leading to the wrong part of the address being replaced + when the prefix length wasn't a multiple of 32. + + Signed-off-by: Matthias Schiffer + Signed-off-by: Pablo Neira Ayuso + + net/ipv6/netfilter/ip6t_NPT.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e +Author: Veaceslav Falico +Date: Wed Apr 3 05:46:33 2013 +0000 + + Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d + + bonding: remove sysfs before removing devices + + We have a race condition if we try to rmmod bonding and simultaneously add + a bond master through sysfs. In bonding_exit() we first remove the devices + (through rtnl_link_unregister() ) and only after that we remove the sysfs. + If we manage to add a device through sysfs after that the devices were + removed - we'll end up with that device/sysfs structure and with the module + unloaded. + + Fix this by first removing the sysfs and only after that calling + rtnl_link_unregister(). + + Signed-off-by: Veaceslav Falico + Signed-off-by: David S. Miller + + drivers/net/bonding/bond_main.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d12cae44a9d12441d81c489178803237219d403d +Author: Eric W. Biederman +Date: Wed Apr 3 16:14:47 2013 +0000 + + Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 + + af_unix: If we don't care about credentials coallesce all messages + + It was reported that the following LSB test case failed + https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we + were not coallescing unix stream messages when the application was + expecting us to. + + The problem was that the first send was before the socket was accepted + and thus sock->sk_socket was NULL in maybe_add_creds, and the second + send after the socket was accepted had a non-NULL value for sk->socket + and thus we could tell the credentials were not needed so we did not + bother. + + The unnecessary credentials on the first message cause + unix_stream_recvmsg to start verifying that all messages had the same + credentials before coallescing and then the coallescing failed because + the second message had no credentials. + + Ignoring credentials when we don't care in unix_stream_recvmsg fixes a + long standing pessimization which would fail to coallesce messages when + reading from a unix stream socket if the senders were different even if + we did not care about their credentials. + + I have tested this and verified that the in the LSB test case mentioned + above that the messages do coallesce now, while the were failing to + coallesce without this change. + + Reported-by: Karel Srot + Reported-by: Ding Tianhong + Signed-off-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf +Author: Eric W. Biederman +Date: Wed Apr 3 16:13:35 2013 +0000 + + Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 + + Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" + + This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. + + The problem that the above patch was meant to address is that af_unix + messages are not being coallesced because we are sending unnecesarry + credentials. Not sending credentials in maybe_add_creds totally + breaks unconnected unix domain sockets that wish to send credentails + to other sockets. + + In practice this break some versions of udev because they receive a + message and the sending uid is bogus so they drop the message. + + Reported-by: Sven Joachim + Signed-off-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 +Author: Wei Yongjun +Date: Wed Mar 20 21:31:42 2013 +0000 + + Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e + + lantiq_etop: use free_netdev(netdev) instead of kfree() + + Freeing netdev without free_netdev() leads to net, tx leaks. + And it may lead to dereferencing freed pointer. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + + drivers/net/ethernet/lantiq_etop.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f +Author: Cong Wang +Date: Fri Mar 22 19:14:07 2013 +0000 + + Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb + + 8021q: fix a potential use-after-free + + vlan_vid_del() could possibly free ->vlan_info after a RCU grace + period, however, we may still refer to the freed memory area + by 'grp' pointer. Found by code inspection. + + This patch moves vlan_vid_del() as behind as possible. + + Cc: Patrick McHardy + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/8021q/vlan.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit fff29c277024a39845d4b535083c8dafc21b45d9 +Author: Hong zhi guo +Date: Sat Mar 23 02:27:50 2013 +0000 + + Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 + + bridge: fix crash when set mac address of br interface + + When I tried to set mac address of a bridge interface to a mac + address which already learned on this bridge, I got system hang. + + The cause is straight forward: function br_fdb_change_mac_address + calls fdb_insert with NULL source nbp. Then an fdb lookup is + performed. If an fdb entry is found and it's local, it's OK. But + if it's not local, source is dereferenced for printk without NULL + check. + + Signed-off-by: Hong Zhiguo + Signed-off-by: David S. Miller + + net/bridge/br_fdb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 +Author: Kumar Amit Mehta +Date: Sat Mar 23 20:10:25 2013 +0000 + + Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a + + bnx2x: fix assignment of signed expression to unsigned variable + + fix for incorrect assignment of signed expression to unsigned variable. + + Signed-off-by: Kumar Amit Mehta + Acked-by: Dmitry Kravkov + Signed-off-by: David S. Miller + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e +Author: dingtianhong +Date: Mon Mar 25 17:02:04 2013 +0000 + + Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 + + af_unix: dont send SCM_CREDENTIAL when dest socket is NULL + + SCM_SCREDENTIALS should apply to write() syscalls only either source or destination + socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, + and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). + + Origionally-authored-by: Karel Srot + Signed-off-by: Ding Tianhong + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b964e1e61f0f0ccaa380be3342f956c604054bdc +Author: Eric W. Biederman +Date: Thu Mar 21 02:30:41 2013 -0700 + + Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 + + yama: Better permission check for ptraceme + + Change the permission check for yama_ptrace_ptracee to the standard + ptrace permission check, testing if the traceer has CAP_SYS_PTRACE + in the tracees user namespace. + + Reviewed-by: Kees Cook + Signed-off-by: "Eric W. Biederman" + + security/yama/yama_lsm.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit b94e71c7b6abe75989edff18aca2781233fa143b +Author: Stanislav Kinsbursky +Date: Mon Apr 1 11:40:51 2013 +0400 + + Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d + + ipc: set msg back to -EAGAIN if copy wasn't performed + + Make sure that msg pointer is set back to error value in case of + MSG_COPY flag is set and desired message to copy wasn't found. This + garantees that msg is either a error pointer or a copy address. + + Otherwise the last message in queue will be freed without unlinking from + the queue (which leads to memory corruption) and the dummy allocated + copy won't be released. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: Linus Torvalds + + ipc/msg.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 +Author: Jan Kara +Date: Fri Mar 29 15:39:16 2013 +0100 + + Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 + + reiserfs: Fix warning and inode leak when deleting inode with xattrs + + After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs + started failing to delete xattrs from inode. This was due to a buggy + test for '.' and '..' in fill_with_dentries() which resulted in passing + '.' and '..' entries to lookup_one_len() in some cases. That returned + error and so we failed to iterate over all xattrs of and inode. + + Fix the test in fill_with_dentries() along the lines of the one in + lookup_one_len(). + + Reported-by: Pawel Zawora + CC: stable@vger.kernel.org + Signed-off-by: Jan Kara + + fs/reiserfs/xattr.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9f07957378e0f55abb81da8e23b124a608fbe1cc +Author: Paul Bolle +Date: Wed Apr 3 12:24:45 2013 +0100 + + Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 + + ARM: 7690/1: mm: fix CONFIG_LPAE typos + + CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix + up the two typos under arch/arm/. + + The fix to head.S is slightly scary, but this is just for setting up + an early io-mapping for the serial port when running on a big-endian, + LPAE system. Since these systems don't exist in the wild (at least, I + have no access to one outside of kvmtool, which doesn't provide a serial + port suitable for earlyprintk), then we can revisit the code later if it + causes any problems. + + Signed-off-by: Paul Bolle + Signed-off-by: Will Deacon + Signed-off-by: Russell King + + arch/arm/kernel/head.S | 2 +- + arch/arm/kernel/setup.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 984ba346b2d8f158473e9723ba145031368431ed +Author: Catalin Marinas +Date: Tue Mar 26 23:35:04 2013 +0100 + + Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb + + ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) + + On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down + all use of the old entries. This patch implements the erratum workaround + which consists of: + + 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. + 2. Send IPI to the CPUs that are running the same mm (and ASID) as the + one being invalidated (or all the online CPUs for global pages). + 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception + return code already). + + Signed-off-by: Catalin Marinas + Signed-off-by: Russell King + + Conflicts: + + arch/arm/include/asm/tlbflush.h + arch/arm/kernel/smp_tlb.c + arch/arm/mm/context.c + + arch/arm/Kconfig | 10 +++++ + arch/arm/include/asm/highmem.h | 7 ++++ + arch/arm/include/asm/mmu_context.h | 2 + + arch/arm/include/asm/tlbflush.h | 15 ++++++++ + arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ + arch/arm/mm/context.c | 6 ++- + 6 files changed, 104 insertions(+), 2 deletions(-) + +commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 +Author: Jan Stancek +Date: Thu Apr 4 11:35:10 2013 -0700 + + Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c + + mm: prevent mmap_cache race in find_vma() + + find_vma() can be called by multiple threads with read lock + held on mm->mmap_sem and any of them can update mm->mmap_cache. + Prevent compiler from re-fetching mm->mmap_cache, because other + readers could update it in the meantime: + + thread 1 thread 2 + | + find_vma() | find_vma() + struct vm_area_struct *vma = NULL; | + vma = mm->mmap_cache; | + if (!(vma && vma->vm_end > addr | + && vma->vm_start <= addr)) { | + | mm->mmap_cache = vma; + return vma; | + ^^ compiler may optimize this | + local variable out and re-read | + mm->mmap_cache | + + This issue can be reproduced with gcc-4.8.0-1 on s390x by running + mallocstress testcase from LTP, which triggers: + + kernel BUG at mm/rmap.c:1088! + Call Trace: + ([<000003d100c57000>] 0x3d100c57000) + [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 + [<000000000023baae>] handle_pte_fault+0x41a/0xac8 + [<000000000023d832>] handle_mm_fault+0x17a/0x268 + [<000000000060507a>] do_protection_exception+0x1e2/0x394 + [<0000000000603a04>] pgm_check_handler+0x138/0x13c + [<000003fffcf1f07a>] 0x3fffcf1f07a + Last Breaking-Event-Address: + [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 + + Thanks to Jakub Jelinek for his insight on gcc and helping to + track this down. + + Signed-off-by: Jan Stancek + Acked-by: David Rientjes + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + mm/mmap.c | 2 +- + mm/nommu.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 53f5096daa14967938bc154e6c41f9119863fb36 +Merge: e988d7c 0a45285 +Author: Brad Spengler +Date: Fri Apr 5 17:32:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/net/ethernet/broadcom/tg3.c + +commit 0a452855444d02502df6eb21ef3083cf303f71e1 +Merge: 0277fa1 00cfbb8 +Author: Brad Spengler +Date: Fri Apr 5 17:31:15 2013 -0400 + + Update to pax-linux-3.8.6-test16.patch: + - fixed some attribute leakage into userland headers, patch by Mathias Krause + - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + drivers/gpu/drm/i915/intel_display.c + +commit e988d7c8d946c816a2cb97f0d38048a1584966b8 +Merge: baec40e 0277fa1 +Author: Brad Spengler +Date: Wed Apr 3 22:05:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0277fa123b486cf11420967e4568d7653e225fd3 +Author: Brad Spengler +Date: Wed Apr 3 22:04:48 2013 -0400 + + Update to pax-linux-3.8.5-test15.patch: + - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) + - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) + + drivers/media/pci/cx88/cx88-video.c | 6 +++--- + include/net/net_namespace.h | 4 ++++ + 2 files changed, 7 insertions(+), 3 deletions(-) + +commit baec40e6708fd5ae2000cad6c70c5980c998b91c +Author: Brad Spengler +Date: Tue Apr 2 19:50:32 2013 -0400 + + fix compilation as reported on forums for gcc versions lacking plugin + support + + include/net/net_namespace.h | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 +Merge: 6b69c35 0db9d15 +Author: Brad Spengler +Date: Tue Apr 2 17:47:27 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0db9d156826bdd50510086fde837648a3dfd370e +Author: Brad Spengler +Date: Tue Apr 2 17:46:05 2013 -0400 + + Update to pax-linux-3.8.5-test14.patch: + - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table + + arch/x86/include/asm/uaccess_64.h | 6 +- + include/linux/moduleloader.h | 4 +- + tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- + 3 files changed, 61 insertions(+), 47 deletions(-) + +commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d +Author: Brad Spengler +Date: Tue Apr 2 17:35:06 2013 -0400 + + remove duplicate compiler.h + + include/linux/sysrq.h | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit 01e1d503fd2220adaaec0b92ea19441bdff73555 +Author: Brad Spengler +Date: Fri Mar 29 19:53:50 2013 -0400 + + fix intentional_overflow marking on sys_sendto + + include/linux/syscalls.h | 2 +- + net/socket.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit cd5ff114d958470f471c63775278e8c05e774630 +Author: Brad Spengler +Date: Fri Mar 29 18:46:16 2013 -0400 + + fix size_overflow false positive + + kernel/futex_compat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 295ba16cc53df2375261accbedd6575ea327770a +Merge: 18340f1 278a989 +Author: Brad Spengler +Date: Fri Mar 29 17:36:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/exec.c + include/linux/thread_info.h + +commit 278a989c831d62193c7b3d119fe2302babd45d12 +Author: Brad Spengler +Date: Fri Mar 29 17:34:34 2013 -0400 + + Resync with pax-linux-3.8.5-test13.patch + + arch/arm/include/asm/pgtable.h | 3 ++- + arch/arm/lib/delay.c | 1 + + fs/exec.c | 8 ++++---- + include/linux/compiler.h | 1 + + include/linux/proc_fs.h | 2 +- + include/linux/thread_info.h | 6 +++--- + include/linux/zlib.h | 3 ++- + init/main.c | 4 ++-- + kernel/user_namespace.c | 2 +- + lib/list_debug.c | 4 ++-- + mm/slab.c | 1 + + mm/slob.c | 1 + + mm/slub.c | 1 + + net/core/sysctl_net_core.c | 3 +-- + tools/gcc/constify_plugin.c | 1 + + 15 files changed, 24 insertions(+), 17 deletions(-) + +commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 +Merge: 05f01ae e8cfeae +Author: Brad Spengler +Date: Fri Mar 29 17:30:57 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 +Merge: b461cb7 aa4cfde +Author: Brad Spengler +Date: Fri Mar 29 17:30:44 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + drivers/gpu/drm/i915/i915_gem_execbuffer.c + fs/nfsd/vfs.c + +commit 05f01ae4c3479541586a2387f916a6620889c479 +Author: Brad Spengler +Date: Fri Mar 29 17:05:39 2013 -0400 + + Another infoleak, up to 128 bytes on the stack in __sys_recvmsg + takes user-provided length, copies up to that amount in a sockaddr_storage + struct on the stack, then takes an upper-bounded-only user-provided length + and copies the sockaddr_storage struct back out to userland, complete with + uninitialized data + + net/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit eea6ade59490784e83e08ec67322288fcf14cb31 +Author: Brad Spengler +Date: Thu Mar 28 23:07:37 2013 -0400 + + return a proper error, otherwise we could be accessing uninitialized data + (previous define was a positive value) + + drivers/usb/storage/realtek_cr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e +Merge: c3dc9a6 b461cb7 +Author: Brad Spengler +Date: Thu Mar 28 20:54:24 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b461cb7b1d85490430ef7896c247794af72c3749 +Author: Brad Spengler +Date: Thu Mar 28 20:54:11 2013 -0400 + + Add structleak plugin + + tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 270 insertions(+), 0 deletions(-) + +commit c3dc9a6ef10782894bb11fd088fd712db44d8062 +Author: Brad Spengler +Date: Thu Mar 28 20:53:22 2013 -0400 + + Enable structleak by default for the security auto-config + + security/Kconfig | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e +Merge: d8503a3 74bec16 +Author: Brad Spengler +Date: Thu Mar 28 20:47:10 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 74bec16b657147a5575b1f14f4423a717ba317a6 +Author: Brad Spengler +Date: Thu Mar 28 20:46:13 2013 -0400 + + Update to pax-linux-3.8.4-test13.patch: + - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) + - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland + + Makefile | 5 +++- + arch/x86/include/asm/compat.h | 2 +- + arch/x86/mm/fault.c | 3 +- + fs/binfmt_elf.c | 2 +- + include/linux/compiler.h | 42 ++++++++++++++-------------------------- + security/Kconfig | 16 +++++++++++++++ + tools/gcc/Makefile | 2 + + tools/gcc/constify_plugin.c | 7 +++++- + 8 files changed, 47 insertions(+), 32 deletions(-) + +commit d8503a3a35d68b9ba1615d29335aef3f70d51465 +Author: Brad Spengler +Date: Thu Mar 28 20:02:40 2013 -0400 + + Fix 8-byte stack infoleak in ia32_rt_sigpending + User controls length, kernel only performs check on the upper bound, will + fill in any amount less than sizeof(sigset_t) via a copy_to_user under + KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t + regardless of whether the sigset_t content copied into it has been initialized + or not + + arch/x86/ia32/sys_ia32.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b +Author: Brad Spengler +Date: Tue Mar 26 21:05:05 2013 -0400 + + commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 + Author: J. Bruce Fields + Date: Tue Mar 26 14:11:13 2013 -0400 + + nfsd4: reject "negative" acl lengths + + Since we only enforce an upper bound, not a lower bound, a "negative" + length can get through here. + + The symptom seen was a warning when we attempt to a kmalloc with an + excessive size. + + Reported-by: Toralf Förster + Signed-off-by: J. Bruce Fields + + fs/nfsd/nfs4xdr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 +Author: Jeff Layton +Date: Mon Mar 11 09:52:19 2013 -0400 + + Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 + + cifs: ignore everything in SPNEGO blob after mechTypes + + We've had several reports of people attempting to mount Windows 8 shares + and getting failures with a return code of -EINVAL. The default sec= + mode changed recently to sec=ntlmssp. With that, we expect and parse a + SPNEGO blob from the server in the NEGOTIATE reply. + + The current decode_negTokenInit function first parses all of the + mechTypes and then tries to parse the rest of the negTokenInit reply. + The parser however currently expects a mechListMIC or nothing to follow the + mechTypes, but Windows 8 puts a mechToken field there instead to carry + some info for the new NegoEx stuff. + + In practice, we don't do anything with the fields after the mechTypes + anyway so I don't see any real benefit in continuing to parse them. + This patch just has the kernel ignore the fields after the mechTypes. + We'll probably need to reinstate some of this if we ever want to support + NegoEx. + + Reported-by: Jason Burgess + Reported-by: Yan Li + Signed-off-by: Jeff Layton + Cc: + Signed-off-by: Steve French + + fs/cifs/asn1.c | 53 +++++------------------------------------------------ + 1 files changed, 5 insertions(+), 48 deletions(-) + +commit 0b1c6223105a05d5a84e39a5e951868e37610e1c +Merge: 93ff726 0deb54c +Author: Brad Spengler +Date: Mon Mar 25 18:35:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 +Author: Brad Spengler +Date: Mon Mar 25 18:35:05 2013 -0400 + + fix typo + + arch/x86/mm/ioremap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 +Merge: be9f8b8 f95e53a +Author: Brad Spengler +Date: Mon Mar 25 18:30:06 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f95e53abadb6e4665866e4502ff9f518514193e1 +Author: Brad Spengler +Date: Mon Mar 25 18:29:25 2013 -0400 + + Update to pax-linux-3.8.4-test12.patch: + + - fixed perf compilation reported by Michael Tremer + - fixed USERCOPY reports triggered by SCTP, reported by mcp + - last fix for aslr gap accounting, promise (thanks to spender) + + arch/x86/mm/ioremap.c | 3 +++ + fs/binfmt_elf.c | 5 ++--- + mm/mmap.c | 2 +- + net/sctp/socket.c | 19 +++++++++++++++---- + tools/perf/util/include/linux/compiler.h | 8 ++++++++ + 5 files changed, 29 insertions(+), 8 deletions(-) + +commit be9f8b82b0d8a21d7515fb6e44a907623381c5df +Author: Brad Spengler +Date: Mon Mar 25 16:48:34 2013 -0400 + + From: Al Viro + To: Brad Spengler + Cc: Linus Torvalds + + Umm... I see what you are describing, and AFAICS you are correct; let me + see if I am misreading your analysis: + * vfsmount_lock may act fair; A holding it shared, with B spinning + on attempt to take it exclusive may lead to C spinning on attempt to take + it shared. + * path_is_under() tries get rename_lock while holding vfsmount_lock + shared. + * d_path() et.al. try to take vfsmount_lock shared, while holding + rename_lock. + + All true and yes, it's a bug (I'd probably classify it as a livelock, but + that doesn't make any real difference). There are three possible solutions, + AFAICS: + 1) two-liner in path_is_under() replacing the use of vfsmount_lock + with that of namespace_sem; trivial, but results in function unexpectedly + blocking. The current callers are fine with that, but it's a trouble + waiting to happen. + 2) replace write_seqlock() in prepend_path() callers with + read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike + is_subdir() we need more than just ->d_parent not pointing to something + freed - we also care about ->d_name.len being in sync with ->d_name.name. + It probably can be worked around, but... + + 3) declare that rename_lock nests inside vfsmount_lock and let + the callers of prepend_path() take vfsmount_lock(). I'd probably prefer + that one... + + Nest rename_lock inside vfsmount_lock + + ... lest we get livelocks between path_is_under() and d_path() and friends. + + [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing + the issue ] + + Spotted-by: Brad Spengler + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/dcache.c | 16 +++++++++++----- + grsecurity/gracl.c | 20 ++++++++++---------- + 2 files changed, 21 insertions(+), 15 deletions(-) + +commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee +Author: Linus Torvalds +Date: Fri Mar 22 11:44:04 2013 -0700 + + Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 + + vfs,proc: guarantee unique inodes in /proc + + Dave Jones found another /proc issue with his Trinity tool: thanks to + the namespace model, we can have multiple /proc dentries that point to + the same inode, aliasing directories in /proc//net/ for example. + + This ends up being a total disaster, because it acts like hardlinked + directories, and causes locking problems. We rely on the topological + sort of the inodes pointed to by dentries, and if we have aliased + directories, that odering becomes unreliable. + + In short: don't do this. Multiple dentries with the same (directory) + inode is just a bad idea, and the namespace code should never have + exposed things this way. But we're kind of stuck with it. + + This solves things by just always allocating a new inode during /proc + dentry lookup, instead of using "iget_locked()" to look up existing + inodes by superblock and number. That actually simplies the code a bit, + at the cost of potentially doing more inode [de]allocations. + + That said, the inode lookup wasn't free either (and did a lot of locking + of inodes), so it is probably not that noticeable. We could easily keep + the old lookup model for non-directory entries, but rather than try to + be excessively clever this just implements the minimal and simplest + workaround for the problem. + + Reported-and-tested-by: Dave Jones + Analyzed-by: Al Viro + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/inode.c + + fs/proc/inode.c | 9 +++------ + 1 files changed, 3 insertions(+), 6 deletions(-) + +commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb +Author: Vladimir Davydov +Date: Fri Mar 22 15:04:51 2013 -0700 + + Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 + + mqueue: sys_mq_open: do not call mnt_drop_write() if read-only + + mnt_drop_write() must be called only if mnt_want_write() succeeded, + otherwise the mnt_writers counter will diverge. + + mnt_writers counters are used to check if remounting FS as read-only is + OK, so after an extra mnt_drop_write() call, it would be impossible to + remount mqueue FS as read-only. Besides, on umount a warning would be + printed like this one: + + ===================================== + [ BUG: bad unlock balance detected! ] + 3.9.0-rc3 #5 Not tainted + ------------------------------------- + a.out/12486 is trying to release lock (sb_writers) at: + mnt_drop_write+0x1f/0x30 + but there are no more locks to release! + + Signed-off-by: Vladimir Davydov + Cc: Doug Ledford + Cc: KOSAKI Motohiro + Cc: "Eric W. Biederman" + Cc: Al Viro + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/mqueue.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e +Author: Brad Spengler +Date: Sat Mar 23 13:02:32 2013 -0400 + + Don't use constify plugin if not enabled in config, + reported by Alexey Vlasov + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3afb82e020593249ac394e9859397c3e0ef5341c +Author: Brad Spengler +Date: Sat Mar 23 12:50:13 2013 -0400 + + oded 0day #2 + http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf + slide 20 + + drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 +Author: Brad Spengler +Date: Sat Mar 23 12:15:50 2013 -0400 + + oded 0day #1 + http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf + slide 18 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 +Author: Brad Spengler +Date: Sat Mar 23 12:13:12 2013 -0400 + + remove warning on accessing this /proc entry, HIDESYM already caught the infoleak + + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 44cb11a9470f72157601d0ad4d572d111f90f504 +Author: Brad Spengler +Date: Fri Mar 22 18:11:42 2013 -0400 + + use VM_DONTDUMP + + fs/binfmt_elf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb +Author: Brad Spengler +Date: Fri Mar 22 17:53:09 2013 -0400 + + fix recent RLIMIT_AS changes (due to vm_flags typo) + + Conflicts: + + fs/binfmt_elf.c + + fs/binfmt_elf.c | 2 +- + mm/mmap.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit fd5f0d92b0fbec02029dad124501a9c80e527a32 +Author: Brad Spengler +Date: Fri Mar 22 17:08:48 2013 -0400 + + complete_walk drops rcu-walk mode, no need for our own dropping + method outside of generic_permission + + fs/namei.c | 30 ------------------------------ + 1 files changed, 0 insertions(+), 30 deletions(-) + +commit b49ab1c73edb6442eec609b26bba4d850b3111b6 +Merge: 5e9a707 783ade9 +Author: Brad Spengler +Date: Thu Mar 21 21:56:28 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 +Author: Brad Spengler +Date: Thu Mar 21 21:55:31 2013 -0400 + + Update to pax-linux-3.8.3-test11.patch: + - rewrote the ASLR gap accounting code once again + - fixed ptrace compat bug found by the size overflow plugin + + fs/binfmt_elf.c | 25 ++++++++++++------------- + fs/exec.c | 7 ++----- + include/linux/compat.h | 2 +- + include/linux/mm.h | 5 +++++ + include/linux/mm_types.h | 2 +- + kernel/ptrace.c | 2 +- + mm/mmap.c | 15 ++++++++++----- + 7 files changed, 32 insertions(+), 26 deletions(-) + +commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a +Author: Brad Spengler +Date: Thu Mar 21 19:37:33 2013 -0400 + + Make the constify plugin usage actually depend on the introduced config option + (it was still forced on) + + tools/gcc/Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1974b4f58d9d729c80ac1987785446115304a54c +Author: Brad Spengler +Date: Thu Mar 21 16:12:38 2013 -0400 + + fix failed merge + + arch/arm/mm/fault.c | 15 +++------------ + 1 files changed, 3 insertions(+), 12 deletions(-) + +commit 675a8ab4a8fe8315df348735a37a302a7535224c +Author: Brad Spengler +Date: Wed Mar 20 23:36:14 2013 -0400 + + From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 + From: Kees Cook + Date: Sun, 10 Mar 2013 20:09:31 +0000 + Subject: drm/i915: bounds check execbuffer relocation count + + It is possible to wrap the counter used to allocate the buffer for + relocation copies. This could lead to heap writing overflows. + + CVE-2013-0913 + + Signed-off-by: Kees Cook + Reported-by: Pinkie Pie + Cc: stable@vger.kernel.org + + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 +Author: Andy Honig +Date: Wed Feb 20 14:48:10 2013 -0800 + + Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 + + KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) + + There is a potential use after free issue with the handling of + MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable + memory such as frame buffers then KVM might continue to write to that + address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins + the page in memory so it's unlikely to cause an issue, but if the user + space component re-purposes the memory previously used for the guest, then + the guest will be able to corrupt that memory. + + Tested: Tested against kvmclock unit test + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + arch/x86/include/asm/kvm_host.h | 4 +- + arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- + 2 files changed, 22 insertions(+), 29 deletions(-) + +commit 0bcac31b57c381001feb69fd6ec8069e61e03432 +Author: Andy Honig +Date: Mon Mar 11 09:34:52 2013 -0700 + + Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 + + KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) + + If the guest sets the GPA of the time_page so that the request to update the + time straddles a page then KVM will write onto an incorrect page. The + write is done byusing kmap atomic to get a pointer to the page for the time + structure and then performing a memcpy to that page starting at an offset + that the guest controls. Well behaved guests always provide a 32-byte aligned + address, however a malicious guest could use this to corrupt host kernel + memory. + + Tested: Tested against kvmclock unit test. + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + arch/x86/kvm/x86.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 695c59887e4ec10b0b695ab4f645d1226c433be0 +Author: Andy Honig +Date: Wed Feb 20 14:49:16 2013 -0800 + + Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 + + KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) + + If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows + that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate + that request. ioapic_read_indirect contains an + ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in + non-debug builds. In recent kernels this allows a guest to cause a kernel + oops by reading invalid memory. In older kernels (pre-3.3) this allows a + guest to read from large ranges of host memory. + + Tested: tested against apic unit tests. + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + virt/kvm/ioapic.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e +Merge: aec3cd4 c522e3a +Author: Brad Spengler +Date: Wed Mar 20 19:38:25 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 +Merge: c57d855 405acc3 +Author: Brad Spengler +Date: Wed Mar 20 19:38:11 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 +Author: Brad Spengler +Date: Tue Mar 19 19:56:04 2013 -0400 + + include linux/compiler.h + + include/linux/zlib.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e +Author: Brad Spengler +Date: Tue Mar 19 18:42:20 2013 -0400 + + fix missing sock_release() + + net/irda/af_irda.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit dd65c05cd24faf8946d4941434a553ee285c35a3 +Author: Brad Spengler +Date: Tue Mar 19 18:36:17 2013 -0400 + + fix mpt fusion infoleak + + drivers/message/fusion/mptbase.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit e297b4f150b769efdc4c547d3caf1e3c0f24735f +Author: Brad Spengler +Date: Tue Mar 19 18:33:45 2013 -0400 + + Fix size_overflow false positive reported by slashbeast + + include/linux/zlib.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be +Author: Brad Spengler +Date: Tue Mar 19 17:35:36 2013 -0400 + + fix up failed merge + + arch/arm/mm/fault.c | 9 ++------- + 1 files changed, 2 insertions(+), 7 deletions(-) + +commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd +Author: Brad Spengler +Date: Tue Mar 19 17:34:36 2013 -0400 + + update documentation on consequences of building without gcc plugin support + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 +Author: Brad Spengler +Date: Tue Mar 19 17:18:13 2013 -0400 + + fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums + + init/main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit f00195c633f91cfbd8c1f530d2c371b713026e20 +Author: Brad Spengler +Date: Mon Mar 18 22:27:33 2013 -0400 + + Fix compile error reported by KDE on the forums + + kernel/user_namespace.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 +Merge: 0949569 c57d855 +Author: Brad Spengler +Date: Mon Mar 18 22:20:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + arch/x86/mm/fault.c + fs/exec.c + +commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 +Author: Brad Spengler +Date: Mon Mar 18 21:22:03 2013 -0400 + + Update to pax-linux-3.8.2-test9.patch: + arm changes from spender + - removed userland access to the vectors page + - removed obsolete sigreturn trampoline handling + - added emulation for __kuser_get_tls + - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) + - fixed recent sysfs/power_supply attr breakage reported by Steven Allen + - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) + - changed debian packager rules to include the compiler plugins, from Tyler Coumbes + - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) + - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values + and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. + + arch/arm/kernel/process.c | 5 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/traps.c | 7 - + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 23 +- + arch/arm/mm/mmu.c | 2 +- + arch/x86/include/asm/bitops.h | 2 +- + arch/x86/include/asm/desc.h | 2 +- + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/io.h | 8 +- + arch/x86/include/asm/paravirt.h | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- + arch/x86/kernel/setup_percpu.c | 2 +- + arch/x86/mm/fault.c | 4 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/physaddr.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/lguest/page_tables.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/power/power_supply_core.c | 1 + + drivers/usb/core/message.c | 2 +- + fs/befs/endian.h | 4 +- + fs/binfmt_elf.c | 5 +- + fs/exec.c | 4 +- + fs/qnx6/qnx6.h | 4 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/ufs/swab.h | 4 +- + include/linux/compat.h | 4 +- + include/linux/completion.h | 6 +- + include/linux/cpumask.h | 12 +- + include/linux/ctype.h | 2 +- + include/linux/err.h | 4 +- + include/linux/math64.h | 6 +- + include/linux/sched.h | 2 +- + include/linux/unaligned/access_ok.h | 12 +- + include/linux/usb.h | 2 +- + include/uapi/linux/byteorder/little_endian.h | 4 +- + include/uapi/linux/swab.h | 6 +- + kernel/sched/core.c | 6 +- + kernel/signal.c | 3 + + kernel/time.c | 2 +- + kernel/timer.c | 2 +- + lib/div64.c | 4 +- + mm/page-writeback.c | 2 +- + net/socket.c | 2 + + scripts/package/builddeb | 1 + + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- + tools/gcc/size_overflow_plugin.c | 1072 ++-- + 53 files changed, 6227 insertions(+), 3951 deletions(-) + +commit 09495691bb31f11ec14d9127429f9a0f3f716f22 +Author: Brad Spengler +Date: Sun Mar 17 20:51:50 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit deb85b00d0f9f886e264e116313f298401ec5c59 +Author: Brad Spengler +Date: Sun Mar 17 20:03:33 2013 -0400 + + Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task + with a subject applied to it with RES_CPU. Otherwise, the limit will only + begin to be applied at fork time. + + Thanks to Bjornar Ness for the report. + + grsecurity/gracl.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 2126421f123513f604ceef2b23ba9ed516de7e58 +Author: Brad Spengler +Date: Sat Mar 16 22:07:43 2013 -0400 + + Move inode auditing prior to our refcnt dropping + + fs/namei.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 +Author: Brad Spengler +Date: Sat Mar 16 22:00:30 2013 -0400 + + Drop reference on completed path walked in RCU mode or when violating + the chroot fchdir check inside a chroot -- possible culprit for a reported + vfsmount_lock hang during unmount + + fs/namei.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 +Author: Brad Spengler +Date: Sat Mar 16 16:43:45 2013 -0400 + + add user_arg_ptr back to exec.c + + fs/exec.c | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 +Author: Brad Spengler +Date: Sat Mar 16 11:22:36 2013 -0400 + + Don't globally include compat.h -- with the new X32 support it + changes some definitions involving ELF binaries resulting in invalid + coredumps, as reported by KDE on the forums: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 + Thanks to the PaX Team for debugging + + fs/exec.c | 3 +++ + grsecurity/grsec_exec.c | 13 +++++++++++++ + include/linux/grsecurity.h | 15 --------------- + 3 files changed, 16 insertions(+), 15 deletions(-) + +commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a +Author: Brad Spengler +Date: Thu Mar 14 20:59:26 2013 -0400 + + Add peer information to /proc/net/unix from Kenan Kalajdzic: + http://marc.info/?l=linux-netdev&m=126745636809191&w=2 + + We use a "P" prefix to the inode number instead of "peer=". This + additional information can be used, for instance, to find what processes + are connected to MySQL's unix domain socket. + + net/unix/af_unix.c | 12 +++++++++--- + 1 files changed, 9 insertions(+), 3 deletions(-) + +commit 1cd623d11a462d151ea8a5cace4521e1724911a3 +Author: Oliver Neukum +Date: Tue Mar 12 14:52:42 2013 +0100 + + Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa + + USB: cdc-wdm: fix buffer overflow + + The buffer for responses must not overflow. + If this would happen, set a flag, drop the data and return + an error after user space has read all remaining data. + + Signed-off-by: Oliver Neukum + CC: stable@kernel.org + Signed-off-by: Greg Kroah-Hartman + + drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- + 1 files changed, 20 insertions(+), 3 deletions(-) + +commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc +Merge: 9cdf9bc db4cb92 +Author: Brad Spengler +Date: Thu Mar 14 20:23:14 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/keys/compat.c + +commit db4cb924546e3fec3a59f78d056f48176eaf7100 +Author: Brad Spengler +Date: Thu Mar 14 20:22:24 2013 -0400 + + Update to pax-linux-3.8.2-test8.patch + + arch/arm/include/asm/cache.h | 2 ++ + arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- + arch/arm/mach-omap2/omap_device.c | 4 ++-- + arch/arm/mach-omap2/omap_device.h | 4 ++-- + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- + 5 files changed, 19 insertions(+), 15 deletions(-) + +commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae +Merge: 3c865f9 1a45c31 +Author: Brad Spengler +Date: Thu Mar 14 20:20:54 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/arm/include/asm/delay.h + arch/arm/include/asm/pgtable.h + arch/arm/lib/delay.c + security/keys/compat.c + +commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 +Author: Al Viro +Date: Tue Mar 12 02:59:49 2013 +0000 + + Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 + + vfs: fix pipe counter breakage + + If you open a pipe for neither read nor write, the pipe code will not + add any usage counters to the pipe, causing the 'struct pipe_inode_info" + to be potentially released early. + + That doesn't normally matter, since you cannot actually use the pipe, + but the pipe release code - particularly fasync handling - still expects + the actual pipe infrastructure to all be there. And rather than adding + NULL pointer checks, let's just disallow this case, the same way we + already do for the named pipe ("fifo") case. + + This is ancient going back to pre-2.4 days, and until trinity, nobody + naver noticed. + + Reported-by: Dave Jones + Signed-off-by: Linus Torvalds + + fs/pipe.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 +Author: Mathieu Desnoyers +Date: Mon Feb 25 10:20:36 2013 -0500 + + Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 + + Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys + + Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to + compat_process_vm_rw() shows that the compatibility code requires an + explicit "access_ok()" check before calling + compat_rw_copy_check_uvector(). The same difference seems to appear when + we compare fs/read_write.c:do_readv_writev() to + fs/compat.c:compat_do_readv_writev(). + + This subtle difference between the compat and non-compat requirements + should probably be debated, as it seems to be error-prone. In fact, + there are two others sites that use this function in the Linux kernel, + and they both seem to get it wrong: + + Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() + also ends up calling compat_rw_copy_check_uvector() through + aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to + be missing. Same situation for + security/keys/compat.c:compat_keyctl_instantiate_key_iov(). + + I propose that we add the access_ok() check directly into + compat_rw_copy_check_uvector(), so callers don't have to worry about it, + and it therefore makes the compat call code similar to its non-compat + counterpart. Place the access_ok() check in the same location where + copy_from_user() can trigger a -EFAULT error in the non-compat code, so + the ABI behaviors are alike on both compat and non-compat. + + While we are here, fix compat_do_readv_writev() so it checks for + compat_rw_copy_check_uvector() negative return values. + + And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error + handling. + + Acked-by: Linus Torvalds + Acked-by: Al Viro + Signed-off-by: Mathieu Desnoyers + Signed-off-by: Linus Torvalds + + Conflicts: + + security/keys/compat.c + + fs/compat.c | 15 +++++++-------- + mm/process_vm_access.c | 8 -------- + security/keys/compat.c | 3 ++- + 3 files changed, 9 insertions(+), 17 deletions(-) + +commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 +Author: Brad Spengler +Date: Mon Mar 11 18:38:38 2013 -0400 + + Fix leak of signal handler addresses across execve, found by Emese Revfy + + kernel/signal.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 79b130c4b11c7940daf2b33d653a17666331c634 +Merge: 6480ce9 3c865f9 +Author: Brad Spengler +Date: Sun Mar 10 20:04:03 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d +Author: Brad Spengler +Date: Sun Mar 10 20:03:12 2013 -0400 + + Update to pax-linux-3.8.2-test7.patch: + - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) + - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) + + fs/binfmt_elf.c | 3 ++- + fs/exec.c | 3 +++ + include/linux/mm_types.h | 2 +- + init/main.c | 4 ++-- + mm/mmap.c | 2 +- + mm/page_alloc.c | 4 ++-- + tools/gcc/latent_entropy_plugin.c | 11 +++++++---- + 7 files changed, 18 insertions(+), 11 deletions(-) + +commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 +Merge: 4a5305e 25b3569 +Author: Brad Spengler +Date: Sun Mar 10 10:41:16 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 25b356980568bed9958315bb5a551fdc610055ed +Author: Brad Spengler +Date: Sun Mar 10 10:40:48 2013 -0400 + + Update to pax-linux-3.8.2-test6.patch: + - fixed a KERNEXEC false positive on arm reported by Gu1 + - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) + - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) + - added fix from spender for some namespace breakage reported by zakalwe + - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot + + Documentation/kernel-parameters.txt | 5 +++++ + arch/arm/kernel/patch.c | 2 ++ + arch/x86/kernel/sys_i386_32.c | 5 +++-- + drivers/acpi/blacklist.c | 2 +- + drivers/video/aty/mach64_cursor.c | 1 + + init/main.c | 4 ---- + mm/page_alloc.c | 27 +++++++++++++++++++++++++++ + net/ipv4/ip_fragment.c | 2 +- + security/Kconfig | 5 +++++ + tools/gcc/latent_entropy_plugin.c | 7 +++++-- + 10 files changed, 50 insertions(+), 10 deletions(-) + +commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f +Author: Brad Spengler +Date: Sat Mar 9 11:19:06 2013 -0500 + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause , + Stephen Hemminger + Subject: [PATCH 1/3] bridge: fix mdb info leaks + Date: Sat, 9 Mar 2013 16:52:19 +0100 + + The bridging code discloses heap and stack bytes via the RTM_GETMDB + netlink interface and via the notify messages send to group RTNLGRP_MDB + afer a successful add/del. + + Fix both cases by initializing all unset members/padding bytes with + memset(0). + + Cc: Stephen Hemminger + Signed-off-by: Mathias Krause + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause + Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices + Date: Sat, 9 Mar 2013 16:52:20 +0100 + + Initialize the mac address buffer with 0 as the driver specific function + will probably not fill the whole buffer. In fact, all in-kernel drivers + fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible + bytes. Therefore we currently leak 26 bytes of stack memory to userland + via the netlink interface. + + Signed-off-by: Mathias Krause + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause + Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks + Date: Sat, 9 Mar 2013 16:52:21 +0100 + + The dcb netlink interface leaks stack memory in various places: + * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but + copied completely, + * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, + so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes + for ieee_pfc structs, etc., + * the same is true for CEE -- no in-kernel driver fills the whole + struct, + + Prevent all of the above stack info leaks by properly initializing the + buffers/structures involved. + + Signed-off-by: Mathias Krause + + net/bridge/br_mdb.c | 4 ++++ + net/core/rtnetlink.c | 1 + + net/dcb/dcbnl.c | 8 ++++++++ + 3 files changed, 13 insertions(+), 0 deletions(-) + +commit 601dd446f896e3a362f706943df18a68d50420a1 +Author: Brad Spengler +Date: Sat Mar 9 09:35:25 2013 -0500 + + add open/close wrappers in __patch_text() as reported by Gu1 on IRC + + arch/arm/kernel/patch.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ae39966fd85a493e9079b357e3faa62245a41222 +Author: Peter Hurley +Date: Fri Mar 8 12:43:27 2013 -0800 + + Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 + + ipc: don't allocate a copy larger than max + + When MSG_COPY is set, a duplicate message must be allocated for the copy + before locking the queue. However, the copy could not be larger than was + sent which is limited to msg_ctlmax. + + Signed-off-by: Peter Hurley + Acked-by: Stanislav Kinsbursky + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/msg.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 61240e99650ea3e540a03a3e994349c5086f166b +Author: Peter Hurley +Date: Fri Mar 8 12:43:26 2013 -0800 + + Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 + + ipc: fix potential oops when src msg > 4k w/ MSG_COPY + + If the src msg is > 4k, then dest->next points to the + next allocated segment; resetting it just prior to dereferencing + is bad. + + Signed-off-by: Peter Hurley + Acked-by: Stanislav Kinsbursky + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/msgutil.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 51727f602a267f34fb2e0dc9557f1714028d51a2 +Author: Brad Spengler +Date: Fri Mar 8 22:14:06 2013 -0500 + + add missing 'else' in recent constify fixups + + net/ipv4/ip_fragment.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a38c1a640729b3d8e584d1ab98e908c221bc12cf +Merge: 1580bb3 47c3f47 +Author: Brad Spengler +Date: Fri Mar 8 18:18:37 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe +Author: Brad Spengler +Date: Fri Mar 8 18:17:22 2013 -0500 + + Update to pax-linux-3.8.2-test5.patch: + - fixed some fallout after the last round of constification changes, reported by several people + + arch/arm/common/gic.c | 4 ++-- + arch/arm/include/asm/hardware/gic.h | 3 ++- + arch/x86/include/asm/nmi.h | 2 +- + arch/x86/kernel/nmi.c | 2 +- + arch/x86/pci/irq.c | 2 +- + drivers/base/power/domain.c | 4 ++-- + drivers/cpufreq/cpufreq_governor.c | 4 ++-- + drivers/mfd/twl4030-irq.c | 1 + + drivers/video/vesafb.c | 7 +++++-- + include/linux/irq.h | 1 + + include/linux/pm_domain.h | 2 +- + kernel/sched/core.c | 4 ++++ + lib/Kconfig.debug | 4 ++-- + net/core/sysctl_net_core.c | 2 +- + net/decnet/af_decnet.c | 1 + + net/ipv4/devinet.c | 2 +- + net/ipv4/ip_fragment.c | 2 +- + net/ipv4/route.c | 2 +- + net/ipv4/sysctl_net_ipv4.c | 2 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- + net/ipv6/reassembly.c | 2 +- + scripts/sortextable.h | 6 +++--- + 22 files changed, 36 insertions(+), 25 deletions(-) + +commit 1580bb38b4db0bf2a46316599815e8b234edad81 +Author: Brad Spengler +Date: Thu Mar 7 22:02:59 2013 -0500 + + add an additional open/close wrapper + + kernel/sched/core.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 21622672d28d58e0d93a805cd1f9650a894a752a +Author: Brad Spengler +Date: Thu Mar 7 21:58:24 2013 -0500 + + fix oops at shutdown with new constify code + + kernel/sched/core.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec +Author: Brad Spengler +Date: Thu Mar 7 21:18:44 2013 -0500 + + Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally + it currently conflicts with some lock debugging options, so made as an + option to allow for debugging when necessary + + Makefile | 2 -- + lib/Kconfig.debug | 6 +++--- + security/Kconfig | 18 ++++++++++++++++++ + 3 files changed, 21 insertions(+), 5 deletions(-) + +commit 0885b00b8373a1597b69c38032a0c9eee279303b +Author: Brad Spengler +Date: Thu Mar 7 20:55:19 2013 -0500 + + disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify + + lib/Kconfig.debug | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c8a2617165e7127a54f293cbf57d22d50dd83abd +Author: Brad Spengler +Date: Thu Mar 7 20:30:41 2013 -0500 + + Fix error: + drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object + with cast and proper kernexec accessors + + drivers/video/vesafb.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 +Author: Brad Spengler +Date: Thu Mar 7 20:20:28 2013 -0500 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 +Author: Brad Spengler +Date: Thu Mar 7 20:12:17 2013 -0500 + + fix compilation error -- no reason for task_pid_nr to not take a const task ptr + + include/linux/sched.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f +Author: Kees Cook +Date: Mon Feb 25 21:32:25 2013 +0000 + + Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 + + proc connector: reject unprivileged listener bumps + + While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible + for an unprivileged user to turn off notifications for all listeners by + sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as + required for a multicast bind. + + Signed-off-by: Kees Cook + Cc: Evgeniy Polyakov + Cc: Matt Helsley + Cc: stable@vger.kernel.org + Acked-by: Evgeniy Polyakov + Acked-by: Matt Helsley + Signed-off-by: David S. Miller + + drivers/connector/cn_proc.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit ac6014ded57101e3e608941555ff507e20c1ece3 +Author: Dan Carpenter +Date: Tue Feb 26 19:15:02 2013 +0000 + + Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a + + irda: small read beyond end of array in debug code + + charset comes from skb->data. It's a number in the 0-255 range. + If we have debugging turned on then this could cause a read beyond + the end of the array. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/irda/iriap.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe +Author: Guenter Roeck +Date: Wed Feb 27 10:57:31 2013 +0000 + + Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 + + net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS + + Building sctp may fail with: + + In function ‘copy_from_user’, + inlined from ‘sctp_getsockopt_assoc_stats’ at + net/sctp/socket.c:5656:20: + arch/x86/include/asm/uaccess_32.h:211:26: error: call to + ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() + buffer size is not provably correct + + if built with W=1 due to a missing parameter size validation + before the call to copy_from_user. + + Signed-off-by: Guenter Roeck + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/socket.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c +Author: Guillaume Nault +Date: Fri Mar 1 05:02:02 2013 +0000 + + Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a + + l2tp: Restore socket refcount when sendmsg succeeds + + The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket + reference counter after successful transmissions. Any successful + sendmsg() call from userspace will then increase the reference counter + forever, thus preventing the kernel's session and tunnel data from + being freed later on. + + The problem only happens when writing directly on L2TP sockets. + PPP sockets attached to L2TP are unaffected as the PPP subsystem + uses pppol2tp_xmit() which symmetrically increase/decrease reference + counters. + + This patch adds the missing call to sock_put() before returning from + pppol2tp_sendmsg(). + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 98a9a5f981f5deda4059a255c1196886f2f27e2f +Author: Cong Wang +Date: Sun Mar 3 16:18:11 2013 +0000 + + Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 + + rds: limit the size allocated by rds_message_alloc() + + Dave Jones reported the following bug: + + "When fed mangled socket data, rds will trust what userspace gives it, + and tries to allocate enormous amounts of memory larger than what + kmalloc can satisfy." + + WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() + Hardware name: GA-MA78GM-S2H + Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s + Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 + Call Trace: + [] warn_slowpath_common+0x75/0xa0 + [] warn_slowpath_null+0x1a/0x20 + [] __alloc_pages_nodemask+0xa0d/0xbe0 + [] ? native_sched_clock+0x26/0x90 + [] ? trace_hardirqs_off_caller+0x28/0xc0 + [] ? trace_hardirqs_off+0xd/0x10 + [] alloc_pages_current+0xb8/0x180 + [] __get_free_pages+0x2a/0x80 + [] kmalloc_order_trace+0x3e/0x1a0 + [] __kmalloc+0x2f5/0x3a0 + [] ? local_bh_enable_ip+0x7c/0xf0 + [] rds_message_alloc+0x23/0xb0 [rds] + [] rds_sendmsg+0x2b1/0x990 [rds] + [] ? trace_hardirqs_off+0xd/0x10 + [] sock_sendmsg+0xb0/0xe0 + [] ? get_lock_stats+0x22/0x70 + [] ? put_lock_stats.isra.23+0xe/0x40 + [] sys_sendto+0x130/0x180 + [] ? trace_hardirqs_on+0xd/0x10 + [] ? _raw_spin_unlock_irq+0x3b/0x60 + [] ? sysret_check+0x1b/0x56 + [] ? trace_hardirqs_on_caller+0x115/0x1a0 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x16/0x1b + ---[ end trace eed6ae990d018c8b ]--- + + Reported-by: Dave Jones + Cc: Dave Jones + Cc: David S. Miller + Cc: Venkat Venkatsubra + Signed-off-by: Cong Wang + Acked-by: Venkat Venkatsubra + Signed-off-by: David S. Miller + + net/rds/message.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 +Author: Cong Wang +Date: Sun Mar 3 16:28:27 2013 +0000 + + Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e + + sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE + + Don't definite its own MAX_KMALLOC_SIZE, use the one + defined in mm. + + Cc: Vlad Yasevich + Cc: Sridhar Samudrala + Cc: Neil Horman + Cc: David S. Miller + Signed-off-by: Cong Wang + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + net/sctp/ssnmap.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit 4295a024e812f903fc580c81de5e81cc149503fa +Author: Brad Spengler +Date: Thu Mar 7 17:57:49 2013 -0500 + + Upstream commit: https://lkml.org/lkml/2013/3/6/535 + + security/keys/process_keys.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 33edd486a9899a145a15586d7134636b0300aaee +Merge: 4eeeaf3 a2a2094 +Author: Brad Spengler +Date: Thu Mar 7 17:53:00 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/include/asm/domain.h + +commit a2a20947f5e1332e474160a39af520738b3c8c19 +Author: Brad Spengler +Date: Thu Mar 7 17:51:04 2013 -0500 + + Update to pax-linux-3.8.2-test4.patch: + fixed arm compilation problems reported by Michael Tremer + - the constify plugin got smarter that enabled, with some additional patching, + the elimination of about half the static function pointers on amd64/allmod + (up from about 18%), depending on the kernel config it can be even more (70%) + + Documentation/dontdiff | 2 + + arch/arm/include/asm/domain.h | 1 + + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/nmi.h | 4 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 2 +- + arch/x86/kernel/apic/io_apic.c | 10 +- + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- + arch/x86/kernel/cpu/perf_event.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/i8259.c | 6 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/nmi.c | 6 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/irq.c | 6 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 2 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/base/bus.c | 4 +- + drivers/base/node.c | 2 +- + drivers/base/syscore.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 4 +- + drivers/char/random.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 ++- + drivers/cpufreq/cpufreq.c | 7 +- + drivers/cpufreq/cpufreq_governor.c | 4 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 2 +- + drivers/edac/edac_pci_sysfs.c | 2 +- + drivers/firewire/core-device.c | 2 +- + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpu/drm/drm_drv.c | 2 +- + drivers/gpu/drm/drm_ioc32.c | 9 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/intel_display.c | 26 ++- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/iommu/iommu.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- + drivers/mfd/twl4030-irq.c | 8 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/macvlan.c | 16 +- + drivers/net/vxlan.c | 2 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 6 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa.h | 2 +- + drivers/staging/iio/iio_hwmon.c | 2 +- + drivers/usb/storage/usb.h | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 4 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 ++- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 4 +- + drivers/video/uvesafb.c | 14 +- + fs/exec.c | 6 +- + fs/ext4/super.c | 2 +- + fs/jfs/super.c | 4 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/proc/proc_sysctl.c | 18 +- + include/drm/drmP.h | 12 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 2 +- + include/linux/binfmts.h | 2 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fscache.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/hwmon-sysfs.h | 5 +- + include/linux/iommu.h | 2 +- + include/linux/irq.h | 2 +- + include/linux/key-type.h | 2 +- + include/linux/kobject.h | 1 + + include/linux/kobject_ns.h | 2 +- + include/linux/list.h | 14 +- + include/linux/mod_devicetable.h | 2 +- + include/linux/module.h | 5 +- + include/linux/net.h | 2 +- + include/linux/netfilter.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/platform_data/usb-exynos.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/rculist.h | 16 ++ + include/linux/sched.h | 2 +- + include/linux/sock_diag.h | 2 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 1 + + include/linux/xattr.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/ip.h | 2 +- + include/net/ip_vs.h | 4 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/net_namespace.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/xfrm.h | 4 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + kernel/kmod.c | 2 +- + kernel/ksysfs.c | 2 +- + kernel/module.c | 4 +- + kernel/pid_namespace.c | 2 +- + kernel/rcutree_plugin.h | 2 +- + kernel/sched/core.c | 39 ++-- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 2 +- + kernel/sysctl.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + lib/Kconfig.debug | 2 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 57 ++++- + lib/swiotlb.c | 2 +- + mm/hugetlb.c | 16 +- + mm/memory-failure.c | 2 +- + mm/slab_common.c | 2 +- + net/9p/mod.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 11 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 15 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 12 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/ip_fragment.c | 9 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/route.c | 14 +- + net/ipv4/sysctl_net_ipv4.c | 43 ++-- + net/ipv6/addrconf.c | 4 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 6 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- + net/ipv6/reassembly.c | 11 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_ctl.c | 4 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/phonet/sysctl.c | 2 +- + net/rds/rds.h | 2 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/sysctl.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/unix/sysctl_net_unix.c | 2 +- + net/xfrm/xfrm_policy.c | 11 +- + net/xfrm/xfrm_state.c | 29 ++- + net/xfrm/xfrm_sysctl.c | 2 +- + security/apparmor/lsm.c | 2 +- + security/keys/key.c | 18 +- + security/yama/yama_lsm.c | 22 +- + tools/gcc/Makefile | 4 +- + tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ + tools/gcc/size_overflow_plugin.c | 7 +- + 248 files changed, 994 insertions(+), 668 deletions(-) + +commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b +Author: Brad Spengler +Date: Wed Mar 6 12:58:21 2013 -0500 + + Make slab_state __read_only, it's only written to during init + + mm/slab_common.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a +Author: Brad Spengler +Date: Wed Mar 6 12:31:35 2013 -0500 + + Make two new helper functions: + gr_is_global_root() and gr_is_global_nonroot() + + grsecurity/gracl.c | 10 +++++----- + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_link.c | 4 ++-- + grsecurity/grsec_sig.c | 10 +++++----- + grsecurity/grsec_tpe.c | 6 +++--- + include/linux/uidgid.h | 2 ++ + 6 files changed, 18 insertions(+), 16 deletions(-) + +commit d45d88eddd4998b280b1e5b5384289ee11ca7088 +Author: Brad Spengler +Date: Wed Mar 6 12:14:41 2013 -0500 + + convert remaining task->pid to task_pid_nr(task) + + grsecurity/gracl.c | 22 +++++++++++----------- + grsecurity/gracl_shm.c | 2 +- + grsecurity/grsec_chroot.c | 4 ++-- + grsecurity/grsec_sig.c | 4 ++-- + 4 files changed, 16 insertions(+), 16 deletions(-) + +commit c877f2ece03ee2232dd281c1977ae59507297124 +Author: Brad Spengler +Date: Tue Mar 5 17:29:54 2013 -0500 + + compat-log is only used anymore by vm86-on-64bit and allows unlimited + spamming of the kernel log buffer (and since it includes the changable + process name, can avoid syslog log deduplication) + Turn it off by default + + fs/compat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 7c1964c4b7276889d7967bee70e46918cdca1b14 +Author: Brad Spengler +Date: Mon Mar 4 17:19:10 2013 -0500 + + fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP + is enabled, introduced with recent userns support + + init/main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 +Author: Brad Spengler +Date: Sun Mar 3 18:46:12 2013 -0500 + + Prevent TOMOYO from auto-loading modules by unprivileged users + (Only reachable if TOMOYO is actually used) + + security/tomoyo/mount.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 79e142f9455b398759ff9d93d4963a21b98dddda +Author: Brad Spengler +Date: Sun Mar 3 18:28:45 2013 -0500 + + For now, don't permit any special access to /proc in a user namespace + Later we can go back and allow a userns-uid0 special access to a /proc + with a non-global pid namespace + + fs/proc/base.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8b91fb393049ce5f3c0a86f62247409853fd9700 +Merge: d931eb8 603ef05 +Author: Brad Spengler +Date: Sun Mar 3 17:42:09 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b +Author: Brad Spengler +Date: Sun Mar 3 17:41:31 2013 -0500 + + Fix compilation error on ARM reported by Michael Tremer + + arch/arm/mach-omap2/wd_timer.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit b4c9ce81fdd7839a150c97873c710c479e788280 +Author: Brad Spengler +Date: Sun Mar 3 17:39:53 2013 -0500 + + Fix compilation error on ARM reported by Michael Tremer + + arch/arm/kernel/armksyms.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d931eb81ab3da46896268fd61373a6aa7bbea930 +Merge: bfa7f44 5948f93 +Author: Brad Spengler +Date: Sun Mar 3 17:34:36 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 +Merge: ab30472 19b00d2 +Author: Brad Spengler +Date: Sun Mar 3 17:34:08 2013 -0500 + + Merge branch 'linux-3.8.y' into pax-test + +commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 +Author: Brad Spengler +Date: Sun Mar 3 15:12:12 2013 -0500 + + Initial support for user namespaces, as we previously didn't allow + the option to be enabled at all. + + RBAC will act on the global uids/gids only, so all uids/gids in user + namespaces will be converted + + Because Eric Biederman is insulted that I didn't support his + backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN + check in for user namespaces, so this is generally irrelevant. + + fs/exec.c | 6 +- + fs/proc/base.c | 2 +- + fs/proc/proc_net.c | 4 +- + grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- + grsecurity/gracl_cap.c | 4 +- + grsecurity/gracl_ip.c | 16 +++--- + grsecurity/gracl_segv.c | 12 +++- + grsecurity/gracl_shm.c | 4 +- + grsecurity/grsec_disabled.c | 10 ++-- + grsecurity/grsec_fifo.c | 6 +- + grsecurity/grsec_init.c | 24 ++++---- + grsecurity/grsec_log.c | 3 - + grsecurity/grsec_tpe.c | 6 +- + include/linux/grinternal.h | 12 ++-- + include/linux/grsecurity.h | 12 ++-- + include/linux/uidgid.h | 3 + + init/Kconfig | 2 - + ipc/shm.c | 2 +- + kernel/cred.c | 5 +- + kernel/kallsyms.c | 2 +- + kernel/kmod.c | 6 +- + kernel/sys.c | 12 ++-- + 22 files changed, 166 insertions(+), 115 deletions(-) + +commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff +Author: Linus Torvalds +Date: Wed Feb 27 08:36:04 2013 -0800 + + Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 + + mm: do not grow the stack vma just because of an overrun on preceding vma + + The stack vma is designed to grow automatically (marked with VM_GROWSUP + or VM_GROWSDOWN depending on architecture) when an access is made beyond + the existing boundary. However, particularly if you have not limited + your stack at all ("ulimit -s unlimited"), this can cause the stack to + grow even if the access was really just one past *another* segment. + + And that's wrong, especially since we first grow the segment, but then + immediately later enforce the stack guard page on the last page of the + segment. So _despite_ first growing the stack segment as a result of + the access, the kernel will then make the access cause a SIGSEGV anyway! + + So do the same logic as the guard page check does, and consider an + access to within one page of the next segment to be a bad access, rather + than growing the stack to abut the next segment. + + Reported-and-tested-by: Heiko Carstens + Signed-off-by: Linus Torvalds + + mm/mmap.c | 27 +++++++++++++++++++++++++++ + 1 files changed, 27 insertions(+), 0 deletions(-) + +commit 5596211af754867ca825f58e6e0300a8439950fe +Author: H. Peter Anvin +Date: Wed Feb 27 12:46:40 2013 -0800 + + Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c + + x86: Make sure we can boot in the case the BDA contains pure garbage + + On non-BIOS platforms it is possible that the BIOS data area contains + garbage instead of being zeroed or something equivalent (firmware + people: we are talking of 1.5K here, so please do the sane thing.) + + We need on the order of 20-30K of low memory in order to boot, which + may grow up to < 64K in the future. We probably want to avoid the + lowest of the low memory. At the same time, it seems extremely + unlikely that a legitimate EBDA would ever reach down to the 128K + (which would require it to be over half a megabyte in size.) Thus, + pick 128K as the cutoff for "this is insane, ignore." We may still + end up reserving a bunch of extra memory on the low megabyte, but that + is not really a major issue these days. In the worst case we lose + 512K of RAM. + + This code really should be merged with trim_bios_range() in + arch/x86/kernel/setup.c, but that is a bigger patch for a later merge + window. + + Reported-by: Darren Hart + Signed-off-by: H. Peter Anvin + Cc: Matt Fleming + Cc: + Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org + + arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- + 1 files changed, 34 insertions(+), 19 deletions(-) + +commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea +Author: Wei Yongjun +Date: Wed Feb 27 17:05:46 2013 -0800 + + Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 + + memstick: move the dereference below the NULL test + + The dereference should be moved below the NULL test. + + spatch with a semantic match is used to found this. + (http://coccinelle.lip6.fr/) + + Signed-off-by: Wei Yongjun + Cc: Maxim Levitsky + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/memstick/host/r592.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 +Author: Xi Wang +Date: Wed Feb 27 17:05:21 2013 -0800 + + Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 + + sysctl: fix null checking in bin_dn_node_address() + + The null check of `strchr() + 1' is broken, which is always non-null, + leading to OOB read. Instead, check the result of strchr(). + + Signed-off-by: Xi Wang + Cc: "Eric W. Biederman" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/sysctl_binary.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 7ca96db0817416fd40761e7437d1939fc0731380 +Author: Tejun Heo +Date: Wed Feb 27 17:03:34 2013 -0800 + + Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 + + idr: fix a subtle bug in idr_get_next() + + The iteration logic of idr_get_next() is borrowed mostly verbatim from + idr_for_each(). It walks down the tree looking for the slot matching + the current ID. If the matching slot is not found, the ID is + incremented by the distance of single slot at the given level and + repeats. + + The implementation assumes that during the whole iteration id is aligned + to the layer boundaries of the level closest to the leaf, which is true + for all iterations starting from zero or an existing element and thus is + fine for idr_for_each(). + + However, idr_get_next() may be given any point and if the starting id + hits in the middle of a non-existent layer, increment to the next layer + will end up skipping the same offset into it. For example, an IDR with + IDs filled between [64, 127] would look like the following. + + [ 0 64 ... ] + /----/ | + | | + NULL [ 64 ... 127 ] + + If idr_get_next() is called with 63 as the starting point, it will try + to follow down the pointer from 0. As it is NULL, it will then try to + proceed to the next slot in the same level by adding the slot distance + at that level which is 64 - making the next try 127. It goes around the + loop and finds and returns 127 skipping [64, 126]. + + Note that this bug also triggers in idr_for_each_entry() loop which + deletes during iteration as deletions can make layers go away leaving + the iteration with unaligned ID into missing layers. + + Fix it by ensuring proceeding to the next slot doesn't carry over the + unaligned offset - ie. use round_up(id + 1, slot_distance) instead of + id += slot_distance. + + Signed-off-by: Tejun Heo + Reported-by: David Teigland + Cc: KAMEZAWA Hiroyuki + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + lib/idr.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +commit 745362f28034f54242ba2e64eaa7374ab9869613 +Author: Brad Spengler +Date: Fri Mar 1 20:31:42 2013 -0500 + + Fix dentry use-after-free after failed complete_walk() with RBAC enabled + Many thanks to zakalwe from #grsecurity for the report and debugging help + + fs/namei.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit b53b3b14330920c6f7cfb74c8508a3026e1be620 +Author: Brad Spengler +Date: Thu Feb 28 18:29:26 2013 -0500 + + Fix bad git merge + + fs/namespace.c | 8 -------- + 1 files changed, 0 insertions(+), 8 deletions(-) + +commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede +Merge: 1cce1dd ab30472 +Author: Brad Spengler +Date: Thu Feb 28 17:45:14 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + net/core/sock_diag.c + +commit ab3047280e1dfb43f1b301a296123757b4ac4f6e +Merge: 4b61d21 4c91a0e +Author: Brad Spengler +Date: Thu Feb 28 17:43:56 2013 -0500 + + Merge branch 'linux-3.8.y' into pax-test + +commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 +Author: Brad Spengler +Date: Wed Feb 27 22:20:22 2013 -0500 + + add compiler.h to sysrq.h to fix compilation problem reported by micu on forums + + include/linux/sysrq.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 +Author: Brad Spengler +Date: Wed Feb 27 17:52:31 2013 -0500 + + declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel + + kernel/printk.c | 12 +++++++----- + 1 files changed, 7 insertions(+), 5 deletions(-) + +commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 +Author: Brad Spengler +Date: Wed Feb 27 17:23:46 2013 -0500 + + Fix upstream vulnerability from addition of a /dev/kmsg device + while neglecting to add the same set of existing permission checks + from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. + A temporary workaround without this patch would be to + chmod 0600 /dev/kmsg (and is likely a good idea anyway). + + Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek + Initially reported to Redhat bugzilla by Christian Kujau: + https://bugzilla.redhat.com/show_bug.cgi?id=903192 + + kernel/printk.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 66c04806f5660988c3cb4855e60de294e77e3d0e +Author: David Howells +Date: Thu Feb 21 12:00:25 2013 +0000 + + Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f + + KEYS: Revert one application of "Fix unreachable code" patch + + A patch to fix some unreachable code in search_my_process_keyrings() got + applied twice by two different routes upstream as commits e67eab39bee2 + and b010520ab3d2 (both "fix unreachable code"). + + Unfortunately, the second application removed something it shouldn't + have and this wasn't detected by GIT. This is due to the patch not + having sufficient lines of context to distinguish the two places of + application. + + The effect of this is relatively minor: inside the kernel, the keyring + search routines may search multiple keyrings and then prioritise the + errors if no keys or negative keys are found in any of them. With the + extra deletion, the presence of a negative key in the thread keyring + (causing ENOKEY) is incorrectly overridden by an error searching the + process keyring. + + So revert the second application of the patch. + + Signed-off-by: David Howells + Cc: Jiri Kosina + Cc: Andrew Morton + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + security/keys/process_keys.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 954b0c8a95b08c09c3d15ec38106ce403bf714da +Author: Wei Yongjun +Date: Thu Feb 21 16:42:43 2013 -0800 + + Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a + + configfs: move the dereference below the NULL test + + The dereference should be moved below the NULL test. + + spatch with a semantic match is used to found this. + (http://coccinelle.lip6.fr/) + + Signed-off-by: Wei Yongjun + Cc: Joel Becker + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/configfs/dir.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 +Author: Nicolas Pitre +Date: Sun Feb 24 20:06:09 2013 -0500 + + Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 + + tty vt: fix character insertion overflow + + Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on + command line edition") broke insert_char() in multiple ways. Then + commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") + partially fixed it. However, the buffer being moved is still too large + and overflowing beyond the end of the current line, corrupting existing + characters on the next line. + + Example test case: + + echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" + + Expected result: + + ab c + de + + Current result: + + ab c + e + + Needless to say that this is very annoying when inserting words in the + middle of paragraphs with certain text editors. + + Signed-off-by: Nicolas Pitre + Cc: Jean-François Moine + Cc: Greg Kroah-Hartman + Cc: + Signed-off-by: Linus Torvalds + + drivers/tty/vt/vt.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6cda35071669b4aabde081bd039e0ffea36f997a +Author: Robin Holt +Date: Fri Feb 22 16:35:34 2013 -0800 + + Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 + + mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result of a + filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + + Additionally, the list traversal in __mmu_notifier_release() is not + protected by the by the mmu_notifier_mm->hlist_lock which can result in + callouts to the ->release() notifier from both mmu_notifier_unregister() + and __mmu_notifier_release(). + + -stable suggestions: + + The stable trees prior to 3.7.y need commits 21a92735f660 and + 70400303ce0c cherry-picked in that order prior to cherry-picking this + commit. The 3.7.y tree already has those two commits. + + Signed-off-by: Robin Holt + Cc: Andrea Arcangeli + Cc: Wanpeng Li + Cc: Xiao Guangrong + Cc: Avi Kivity + Cc: Hugh Dickins + Cc: Marcelo Tosatti + Cc: Sagi Grimberg + Cc: Haggai Eran + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- + 1 files changed, 42 insertions(+), 40 deletions(-) + +commit bf5167ed78ba6131c6874887f714bda50c2cab83 +Author: Mike Galbraith +Date: Mon Jan 28 12:19:25 2013 +0100 + + Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 + + sched: Fix select_idle_sibling() bouncing cow syndrome + + If the previous CPU is cache affine and idle, select it. + + The current implementation simply traverses the sd_llc domain, + taking the first idle CPU encountered, which walks buddy pairs + hand in hand over the package, inflicting excruciating pain. + + 1 tbench pair (worst case) in a 10 core + SMT package: + + pre 15.22 MB/sec 1 procs + post 252.01 MB/sec 1 procs + + Signed-off-by: Mike Galbraith + Cc: Peter Zijlstra + Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net + Signed-off-by: Ingo Molnar + + kernel/sched/fair.c | 21 +++++++-------------- + 1 files changed, 7 insertions(+), 14 deletions(-) + +commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c +Author: Eric W. Biederman +Date: Fri Dec 28 18:58:39 2012 -0800 + + Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f + + userns: Avoid recursion in put_user_ns + + When freeing a deeply nested user namespace free_user_ns calls + put_user_ns on it's parent which may in turn call free_user_ns again. + When -fno-optimize-sibling-calls is passed to gcc one stack frame per + user namespace is left on the stack, potentially overflowing the + kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls + so we can't count on gcc to optimize this code. + + Remove struct kref and use a plain atomic_t. Making the code more + flexible and easier to comprehend. Make the loop in free_user_ns + explict to guarantee that the stack does not overflow with + CONFIG_FRAME_POINTER enabled. + + I have tested this fix with a simple program that uses unshare to + create a deeply nested user namespace structure and then calls exit. + With 1000 nesteuser namespaces before this change running my test + program causes the kernel to die a horrible death. With 10,000,000 + nested user namespaces after this change my test program runs to + completion and causes no harm. + + Acked-by: Serge Hallyn + Pointed-out-by: Vasily Kulikov + Signed-off-by: "Eric W. Biederman" + + include/linux/user_namespace.h | 10 +++++----- + kernel/user.c | 4 +--- + kernel/user_namespace.c | 17 +++++++++-------- + 3 files changed, 15 insertions(+), 16 deletions(-) + +commit 81501c7106ccc186c94806f4db954626295b5ebe +Author: Brad Spengler +Date: Tue Feb 26 17:12:30 2013 -0500 + + Pass the same flags to kern_path_create as the original function + + fs/namei.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a677c8eee35afe48868f92c7d6745bfe809cd481 +Author: Al Viro +Date: Fri Feb 22 22:45:42 2013 -0500 + + Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 + + get rid of unprotected dereferencing of mnt->mnt_ns + + It's safe only under namespace_sem or vfsmount_lock; all places + in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use + current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in + there). + + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/namespace.c | 29 +++++++++++++++++------------ + 1 files changed, 17 insertions(+), 12 deletions(-) + +commit 89298124d0c96dc34a60377e7a1308f8f532ff75 +Author: Greg Thelen +Date: Fri Feb 22 16:36:01 2013 -0800 + + Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 + + tmpfs: fix use-after-free of mempolicy object + + The tmpfs remount logic preserves filesystem mempolicy if the mpol=M + option is not specified in the remount request. A new policy can be + specified if mpol=M is given. + + Before this patch remounting an mpol bound tmpfs without specifying + mpol= mount option in the remount request would set the filesystem's + mempolicy object to a freed mempolicy object. + + To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: + # mkdir /tmp/x + + # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x + + # grep /tmp/x /proc/mounts + nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 + + # mount -o remount,size=200M nodev /tmp/x + + # grep /tmp/x /proc/mounts + nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 + # note ? garbage in mpol=... output above + + # dd if=/dev/zero of=/tmp/x/f count=1 + # panic here + + Panic: + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [< (null)>] (null) + [...] + Oops: 0010 [#1] SMP DEBUG_PAGEALLOC + Call Trace: + mpol_shared_policy_init+0xa5/0x160 + shmem_get_inode+0x209/0x270 + shmem_mknod+0x3e/0xf0 + shmem_create+0x18/0x20 + vfs_create+0xb5/0x130 + do_last+0x9a1/0xea0 + path_openat+0xb3/0x4d0 + do_filp_open+0x42/0xa0 + do_sys_open+0xfe/0x1e0 + compat_sys_open+0x1b/0x20 + cstar_dispatch+0x7/0x1f + + Non-debug kernels will not crash immediately because referencing the + dangling mpol will not cause a fault. Instead the filesystem will + reference a freed mempolicy object, which will cause unpredictable + behavior. + + The problem boils down to a dropped mpol reference below if + shmem_parse_options() does not allocate a new mpol: + + config = *sbinfo + shmem_parse_options(data, &config, true) + mpol_put(sbinfo->mpol) + sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ + + This patch avoids the crash by not releasing the mempolicy if + shmem_parse_options() doesn't create a new mpol. + + How far back does this issue go? I see it in both 2.6.36 and 3.3. I did + not look back further. + + Signed-off-by: Greg Thelen + Acked-by: Hugh Dickins + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/shmem.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 +Author: Brad Spengler +Date: Sat Feb 23 11:08:05 2013 -0500 + + Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY + with a family greater or equal then AF_MAX -- the array size of + sock_diag_handlers[]. The current code does not test for this + condition therefore is vulnerable to an out-of-bound access opening + doors for a privilege escalation. + + Signed-off-by: Mathias Krause + + The sock_diag_lock_handler() and sock_diag_unlock_handler() actually + make the code less readable. Get rid of them and make the lock usage + and access to sock_diag_handlers[] clear on the first sight. + + Signed-off-by: Mathias Krause + + net/core/sock_diag.c | 27 ++++++++++----------------- + 1 files changed, 10 insertions(+), 17 deletions(-) + +commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 +Author: Brad Spengler +Date: Sat Feb 23 10:58:52 2013 -0500 + + Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined + + arch/arm/include/asm/domain.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7b729586eb81f344fdedf0942fab0acc738a6725 +Author: Brad Spengler +Date: Fri Feb 22 19:02:51 2013 -0500 + + Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. + + kernel/fork.c | 17 +++++++++++++++++ + 1 files changed, 17 insertions(+), 0 deletions(-) + +commit fadc560d0c486af88da83177735f5515e88acdcc +Author: Brad Spengler +Date: Thu Feb 21 23:06:48 2013 -0500 + + put is_hugetlbfs_mnt inside ifdefs + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 8252176922d405484f986eb2cc350b7cd3ae586e +Author: Brad Spengler +Date: Thu Feb 21 23:02:07 2013 -0500 + + remove unused label + + kernel/module.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit dad4a980f0b625059e215d13da728aa7fd02a374 +Author: Brad Spengler +Date: Thu Feb 21 23:00:52 2013 -0500 + + compile fix + + fs/open.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 +Author: Brad Spengler +Date: Thu Feb 21 22:57:49 2013 -0500 + + remove kmalloc_array_error for the same reasons as kcalloc_error + + include/linux/slab.h | 9 --------- + 1 files changed, 0 insertions(+), 9 deletions(-) + +commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a +Author: Brad Spengler +Date: Thu Feb 21 22:49:35 2013 -0500 + + Initial port of grsecurity for Linux 3.8 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 10 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 14 +- + arch/arm/include/asm/cache.h | 2 + + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 27 +- + arch/arm/mm/mmap.c | 6 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 7 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 3 +- + arch/ia64/mm/hugetlbpage.c | 3 +- + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 3 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 19 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 8 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/slice.c | 8 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 6 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/Kconfig.debug | 2 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 14 +- + arch/x86/kernel/sys_x86_64.c | 3 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 3 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + crypto/ablkcipher.c | 12 +- + crypto/aead.c | 9 +- + crypto/ahash.c | 2 +- + crypto/blkcipher.c | 6 +- + crypto/crypto_user.c | 38 +- + crypto/pcompress.c | 3 +- + crypto/rng.c | 2 +- + crypto/shash.c | 3 +- + drivers/block/cciss.c | 2 + + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 5 + + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 6 + + fs/btrfs/inode.c | 10 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 18 + + fs/coredump.c | 10 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 155 +- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 5 + + fs/fs_struct.c | 26 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 269 ++- + fs/namespace.c | 24 + + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 +- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 3 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 1021 +++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4017 ++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 +++ + grsecurity/gracl_ip.c | 384 ++ + grsecurity/gracl_learn.c | 207 + + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 299 ++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 357 ++ + grsecurity/grsec_disabled.c | 434 +++ + grsecurity/grsec_exec.c | 174 + + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 ++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 329 ++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 222 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 +++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 319 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 215 ++ + include/linux/grmsg.h | 111 + + include/linux/grsecurity.h | 257 ++ + include/linux/grsock.h | 19 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 12 + + include/linux/sched.h | 66 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/vermagic.h | 9 +- + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 5 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 109 +- + kernel/exit.c | 10 +- + kernel/fork.c | 24 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 71 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 80 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 8 + + kernel/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 38 +- + kernel/sysctl.c | 39 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + lib/vsprintf.c | 35 +- + localversion-grsec | 1 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 62 +- + mm/mprotect.c | 8 + + mm/page_alloc.c | 6 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev.c | 9 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 7 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 2 +- + net/phonet/af_phonet.c | 4 +- + net/sctp/proc.c | 3 +- + net/socket.c | 62 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 19 + + security/Kconfig | 320 ++- + security/apparmor/lsm.c | 2 +- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/yama/Kconfig | 2 +- + tools/gcc/Makefile | 2 +- + 286 files changed, 15083 insertions(+), 2067 deletions(-) + +commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 +Author: Brad Spengler +Date: Wed Feb 20 21:00:42 2013 -0500 + + Initial import of pax-linux-3.8-test3.patch + + Documentation/dontdiff | 43 +- + Documentation/kernel-parameters.txt | 7 + + Makefile | 97 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 10 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 421 +++- + arch/arm/include/asm/cache.h | 3 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/delay.h | 8 +- + arch/arm/include/asm/domain.h | 32 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 4 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 10 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 20 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 14 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-ux500/include/mach/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/fault.c | 78 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 36 +- + arch/arm/mm/mmu.c | 186 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 7 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 28 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 13 +- + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/hugetlbpage.c | 2 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 6 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/uaccess.h | 142 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 23 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 8 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 +++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 6 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 4 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 31 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + + arch/x86/crypto/sha1_ssse3_asm.S | 3 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 12 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 ++- + arch/x86/include/asm/bitops.h | 2 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 65 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/io.h | 13 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/page_64_types.h | 2 +- + arch/x86/include/asm/paravirt.h | 44 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 110 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 6 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel.c | 2 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 29 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 63 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 ++- + arch/x86/kernel/entry_64.S | 512 +++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head32.c | 4 +- + arch/x86/kernel/head_32.S | 237 ++- + arch/x86/kernel/head_64.S | 158 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 10 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes-opt.c | 12 +- + arch/x86/kernel/kprobes.c | 30 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 11 + + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/process.c | 57 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 4 +- + arch/x86/kernel/setup.c | 14 +- + arch/x86/kernel/setup_percpu.c | 27 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 247 ++ + arch/x86/kernel/sys_x86_64.c | 19 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 47 +- + arch/x86/kvm/x86.c | 10 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 68 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 376 ++- + arch/x86/lib/usercopy_64.c | 25 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 555 +++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 92 +- + arch/x86/mm/init_32.c | 122 +- + arch/x86/mm/init_64.c | 48 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 12 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 19 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 4 +- + arch/x86/realmode/init.c | 8 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/relocs.c | 95 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_driver.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/devtmpfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 18 +- + drivers/block/loop.c | 2 +- + drivers/cdrom/cdrom.c | 9 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/frontend.c | 2 +- + drivers/char/hpet.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 41 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 8 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm.c | 2 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clocksource/arm_generic.c | 2 +- + drivers/cpufreq/cpufreq.c | 2 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_pci_sysfs.c | 20 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-cdev.c | 3 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efivars.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 4 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 4 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 6 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 9 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/devices/doc2000.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 2 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/scsi/bfa/bfa.h | 2 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/ramster/tmem.c | 54 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/udlfb.c | 32 +- + drivers/video/uvesafb.c | 39 +- + drivers/video/vesafb.c | 51 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 11 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 604 ++++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/relocation.c | 2 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 8 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/ecryptfs/read_write.c | 4 +- + fs/exec.c | 356 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/fhandle.c | 3 +- + fs/fifo.c | 22 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 2 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/vfs.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 33 +- + fs/proc/array.c | 20 + + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/quota/netlink.c | 4 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 36 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/udf/misc.c | 2 +- + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 ++ + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 5 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/linux/atmdev.h | 2 +- + include/linux/binfmts.h | 1 + + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 72 +- + include/linux/cpu.h | 2 +- + include/linux/crypto.h | 6 +- + include/linux/decompress/mm.h | 2 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fsnotify.h | 2 +- + include/linux/ftrace_event.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 3 + + include/linux/mm.h | 91 +- + include/linux/mm_types.h | 22 +- + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 4 +- + include/linux/module.h | 55 +- + include/linux/moduleloader.h | 18 +- + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 6 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/random.h | 5 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 64 +- + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 36 +- + include/linux/slab_def.h | 33 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 10 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/clnt.h | 8 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sysrq.h | 2 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 12 +- + include/linux/usb.h | 2 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-ioctl.h | 1 - + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/gro_cells.h | 6 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 4 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 6 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/ipv4.h | 2 +- + include/net/protocol.h | 4 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/structs.h | 4 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 4 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 24 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 22 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 78 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 2 +- + kernel/kprobes.c | 8 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 333 ++- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 7 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 20 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 6 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 72 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 18 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 2 +- + kernel/sched/fair.c | 4 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/softirq.c | 16 +- + kernel/srcu.c | 6 +- + kernel/stop_machine.c | 2 +- + kernel/sys.c | 12 +- + kernel/sysctl.c | 37 +- + kernel/sysctl_binary.c | 14 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 20 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 6 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/list_debug.c | 89 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 54 + + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 18 +- + mm/memory.c | 404 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 16 +- + mm/mmap.c | 573 +++- + mm/mprotect.c | 138 +- + mm/mremap.c | 44 +- + mm/nommu.c | 11 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 14 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 104 +- + mm/slab.h | 5 +- + mm/slab_common.c | 9 +- + mm/slob.c | 200 +- + mm/slub.c | 98 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 82 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/rtnetlink.c | 2 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 2 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 2 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv6/addrconf.c | 2 +- + net/ipv6/ip6_gre.c | 2 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/raw.c | 19 +- + net/ipv6/udp.c | 8 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 4 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 14 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 10 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 2 +- + net/sctp/protocol.c | 8 +- + net/sctp/socket.c | 2 + + net/socket.c | 34 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 16 +- + net/xfrm/xfrm_state.c | 4 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/pnmtologo.c | 6 +- + security/Kconfig | 654 ++++- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 43 + + tools/gcc/checker_plugin.c | 171 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 359 +++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 +++ + tools/gcc/latent_entropy_plugin.c | 321 ++ + tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/perf/util/include/asm/alternative-asm.h | 3 + + virt/kvm/kvm_main.c | 32 +- + 1311 files changed, 26668 insertions(+), 6394 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c +Merge: c3ccfb2 777e08c +Author: Brad Spengler +Date: Sun Sep 8 19:49:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 +Author: Brad Spengler +Date: Sun Sep 8 19:47:32 2013 -0400 + + Update to pax-linux-3.10.11-test26.patch: + - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger + - fixed an uninitialized read in splice, reported by hunger + + fs/splice.c | 1 + + include/linux/syscalls.h | 14 +- + tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- + 3 files changed, 247 insertions(+), 194 deletions(-) + +commit 5c3161364270c842d901789faac731f79a9f9cd6 +Merge: cf9c476 85cdabb +Author: Brad Spengler +Date: Sun Sep 8 19:24:25 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit c3ccfb29794a03413095422100ce90d40ef7df0f +Author: Jakob Bornecrantz +Date: Thu Aug 29 02:32:53 2013 +0200 + + Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f + + drm/vmwgfx: Split GMR2_REMAP commands if they are to large + + This fixes the piglit test texturing/max-texture-size + causing the VM to die due to a too large SVGA command. + + Signed-off-by: Jakob Bornecrantz + Reviewed-by: Biran Paul + Reviewed-by: Zack Rusin + Cc: stable@vger.kernel.org + Signed-off-by: Dave Airlie + + drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- + 1 files changed, 39 insertions(+), 19 deletions(-) + +commit d260badf708d6aa16c44f56f54727532dcae826e +Author: Daniel Borkmann +Date: Tue Sep 3 19:29:12 2013 +0200 + + Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df + + net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv + + In tcp_v6_do_rcv() code, when processing pkt options, we soley work + on our skb clone opt_skb that we've created earlier before entering + tcp_rcv_established() on our way. However, only in condition ... + + if (np->rxopt.bits.rxtclass) + np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); + + ... we work on skb itself. As we extract every other information out + of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can + already be released by tcp_rcv_established() earlier on. When we try + to access it in ipv6_hdr(), we will dereference freed skb. + + [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for + IP_PKTOPTIONS") ] + + Signed-off-by: Daniel Borkmann + Cc: Eric Dumazet + Acked-by: Eric Dumazet + Acked-by: Jiri Benc + Signed-off-by: David S. Miller + + net/ipv6/tcp_ipv6.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 +Author: Dan Carpenter +Date: Thu Aug 29 11:47:00 2013 +0300 + + Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 + + mISDN: return -EINVAL on error in dsp_control_req() + + If skb->len is too short then we should return an error. Otherwise we + read beyond the end of skb->data for several bytes. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/mISDN/dsp_core.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af +Author: Brad Spengler +Date: Thu Sep 5 19:36:23 2013 -0400 + + fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB + + grsecurity/Kconfig | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit da68dbcd96c617923a0aedb177d36b2701f9c858 +Author: Brad Spengler +Date: Thu Sep 5 19:17:02 2013 -0400 + + Allow the deny_new_usb sysctl to be toggled off by a user with + CAP_SYS_ADMIN. This allows for more inventive uses of the feature + that would be impossible otherwise (like toggling it while the screen is + locked, etc) + + grsecurity/grsec_sysctl.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit ce0e893adc830ee110f97071cc17e661fb35ae3d +Author: Brad Spengler +Date: Thu Sep 5 18:41:49 2013 -0400 + + Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what + GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for + users who know they want the functionality but don't want to bother + with modifying init scripts + + Also eliminate reset_security_ops() as a ROP target when + SECURITY_SELINUX_DISABLE is disabled as it's the only user + + grsecurity/Kconfig | 17 ++++++++++++++++- + grsecurity/grsec_init.c | 3 +++ + grsecurity/grsec_sysctl.c | 2 +- + security/security.c | 4 ++++ + 4 files changed, 24 insertions(+), 2 deletions(-) + +commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd +Merge: 7ee3899 cf9c476 +Author: Brad Spengler +Date: Sun Sep 1 13:56:57 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cf9c47690fa0f3da590de766ea8c6a543984ee3c +Author: Brad Spengler +Date: Sun Sep 1 13:56:16 2013 -0400 + + Update to pax-linux-3.10.10-test25.patch: + - fixed a few more REFCOUNT false positives, by Mathias Krause + - got inet_getid and ipv6_select_ident rid of the cmpxchg loop + + block/blk-cgroup.c | 4 ++-- + drivers/video/hyperv_fb.c | 4 ++-- + fs/namespace.c | 4 ++-- + include/net/inetpeer.h | 13 +++++-------- + kernel/trace/trace_clock.c | 4 ++-- + net/ipv6/output_core.c | 15 ++++++--------- + net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- + 7 files changed, 21 insertions(+), 27 deletions(-) + +commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa +Merge: fd0338c 2bdeae7 +Author: Brad Spengler +Date: Sat Aug 31 22:07:38 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 +Author: Brad Spengler +Date: Sat Aug 31 22:06:55 2013 -0400 + + Update to pax-linux-3.10.10-test24.patch: + - fixed a REFCOUNT false positive, by Mathias Krause + - fixed a bunch more after a quick audit of atomic_inc_return users + + drivers/acpi/apei/ghes.c | 4 ++-- + drivers/ata/libata-core.c | 4 ++-- + drivers/ata/libata-scsi.c | 2 +- + drivers/ata/libata.h | 2 +- + drivers/block/drbd/drbd_nl.c | 4 ++-- + drivers/crypto/hifn_795x.c | 4 ++-- + drivers/edac/edac_device.c | 4 ++-- + drivers/edac/edac_pci.c | 4 ++-- + drivers/firewire/core-card.c | 4 ++-- + drivers/hv/hv_balloon.c | 18 +++++++++--------- + drivers/infiniband/hw/mlx4/mad.c | 2 +- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/input/misc/ims-pcu.c | 4 ++-- + drivers/input/serio/serio_raw.c | 4 ++-- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/radio/radio-maxiradio.c | 2 +- + drivers/media/radio/radio-shark.c | 2 +- + drivers/media/radio/radio-shark2.c | 2 +- + drivers/media/radio/radio-si476x.c | 2 +- + drivers/media/rc/rc-main.c | 4 ++-- + drivers/media/v4l2-core/v4l2-device.c | 4 ++-- + drivers/net/usb/sierra_net.c | 4 ++-- + drivers/pci/hotplug/pciehp_hpc.c | 4 +--- + drivers/regulator/core.c | 4 ++-- + drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ + drivers/staging/android/timed_output.c | 6 +++--- + drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- + drivers/staging/media/solo6x10/solo6x10.h | 2 +- + drivers/target/sbp/sbp_target.c | 4 ++-- + drivers/tty/hvc/hvsi.c | 12 ++++++------ + drivers/tty/hvc/hvsi_lib.c | 6 +++--- + drivers/tty/serial/ioc4_serial.c | 6 +++--- + drivers/tty/serial/msm_serial.c | 4 ++-- + drivers/usb/misc/appledisplay.c | 4 ++-- + fs/afs/inode.c | 4 ++-- + fs/btrfs/delayed-inode.c | 6 +++--- + fs/btrfs/delayed-inode.h | 4 ++-- + fs/fscache/cookie.c | 4 ++-- + include/media/v4l2-device.h | 2 +- + net/ceph/messenger.c | 4 ++-- + net/core/netpoll.c | 4 ++-- + net/xfrm/xfrm_state.c | 4 ++-- + security/selinux/avc.c | 6 +++--- + 43 files changed, 93 insertions(+), 95 deletions(-) + +commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 +Merge: 1bdf7ec 85099d2 +Author: Brad Spengler +Date: Sat Aug 31 21:07:29 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed +Author: Brad Spengler +Date: Sat Aug 31 21:06:55 2013 -0400 + + Update to pax-linux-3.10.10-test23.patch: + - added the necessary atomic_unchecked_t conversion for mips + - audited and fixed arm and sparc for proper atomic_unchecked_t usage + + arch/arm/kvm/arm.c | 8 ++++---- + arch/arm/mm/context.c | 10 +++++----- + arch/mips/kernel/irq.c | 6 +++--- + arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ + arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- + arch/sparc/kernel/smp_64.c | 12 ++++++------ + arch/sparc/kernel/traps_64.c | 14 +++++++------- + arch/sparc/mm/init_64.c | 10 +++++----- + 8 files changed, 45 insertions(+), 45 deletions(-) + +commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 +Merge: 995a168 38ee86c +Author: Brad Spengler +Date: Fri Aug 30 19:23:36 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 38ee86c05df0f8db582df8776b9f23f317d42bbb +Author: Brad Spengler +Date: Fri Aug 30 19:23:11 2013 -0400 + + Update to pax-linux-3.10.10-test22.patch: + - fixed !REFCOUNT/mips compilation, by Corey Minyard + - fixed a few more format strings + + arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- + drivers/md/bcache/super.c | 2 +- + drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- + drivers/pci/hotplug/pciehp_hpc.c | 2 +- + drivers/platform/x86/wmi.c | 2 +- + drivers/scsi/sd.c | 2 +- + drivers/vfio/vfio.c | 4 ++-- + fs/ntfs/super.c | 6 +++--- + include/linux/workqueue.h | 6 +++--- + net/mac80211/main.c | 2 +- + sound/pci/hda/hda_codec.c | 8 ++------ + 11 files changed, 32 insertions(+), 25 deletions(-) + +commit 995a16841e2097c3a9dfc652e856469679c4a0ba +Author: Brad Spengler +Date: Fri Aug 30 17:11:11 2013 -0400 + + fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast + + grsecurity/grsec_sysctl.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 +Merge: be2497c 1052971 +Author: Brad Spengler +Date: Thu Aug 29 20:44:29 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + include/linux/sched.h + +commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 +Merge: e902dad 8bf3379 +Author: Brad Spengler +Date: Thu Aug 29 20:39:50 2013 -0400 + + Update to pax-linux-3.10.10-test21.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/sys_x86_64.c + arch/x86/mm/mmap.c + include/linux/sched.h + +commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 +Merge: 081c22b e902dad +Author: Brad Spengler +Date: Wed Aug 28 20:52:44 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 +Author: Brad Spengler +Date: Wed Aug 28 20:51:21 2013 -0400 + + Update to pax-linux-3.10.9-test21.patch: + - removed unnecessary type cast in do_PrefetchAbort, noticed by spender + - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov + - fixed a REFCOUNT false positive in UHID + - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) + Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout + (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): + - icmpv6_filter: no memory corruption, probably just some logical error in the caller + - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) + - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) + - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now + - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless + - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network + + arch/arm/mm/fault.c | 2 +- + arch/mips/kernel/traps.c | 2 -- + drivers/hid/uhid.c | 6 +++--- + drivers/isdn/gigaset/usb-gigaset.c | 2 +- + drivers/isdn/i4l/isdn_common.c | 2 ++ + drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- + drivers/usb/dwc3/gadget.c | 2 -- + net/ieee802154/6lowpan.c | 2 +- + net/ipv6/raw.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- + 10 files changed, 14 insertions(+), 16 deletions(-) + +commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 +Author: Brad Spengler +Date: Wed Aug 28 20:42:39 2013 -0400 + + add export of gr_handle_new_usb() + + grsecurity/grsec_usb.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 +Author: Brad Spengler +Date: Wed Aug 28 19:24:47 2013 -0400 + + Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit + Kees' recent findings are motivation enough to publish it + + drivers/usb/core/hub.c | 5 +++++ + grsecurity/Kconfig | 20 ++++++++++++++++++++ + grsecurity/Makefile | 3 ++- + grsecurity/grsec_init.c | 1 + + grsecurity/grsec_sysctl.c | 11 +++++++++++ + grsecurity/grsec_usb.c | 13 +++++++++++++ + include/linux/grinternal.h | 1 + + include/linux/grsecurity.h | 2 ++ + 8 files changed, 55 insertions(+), 1 deletions(-) + +commit 8044382257ec75a03f3d784ce048ef14e94b90ca +Author: Kees Cook +Date: Wed Aug 14 09:35:07 2013 -0700 + + HID: zeroplus: validate output report details + + The zeroplus HID driver was not checking the size of allocated values + in fields it used. A HID device could send a malicious output report + that would cause the driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 + ... + [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2889 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-zpff.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f +Author: Kees Cook +Date: Wed Aug 14 14:36:15 2013 -0700 + + HID: provide a helper for validating hid reports + + Many drivers need to validate the characteristics of their HID report + during initialization to avoid misusing the reports. This adds a common + helper to perform validation of the report, its field count, and the + value count within the fields. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 +++ + 2 files changed, 54 insertions(+), 0 deletions(-) + +commit 270ba9096ddecdc3cf6c4d76e6892184820116be +Author: Kees Cook +Date: Wed Aug 14 09:14:34 2013 -0700 + + HID: steelseries: validate output report details + + A HID device could send a malicious output report that would cause the + steelseries HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 + ... + [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + + CVE-2013-2891 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-steelseries.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 +Author: Kees Cook +Date: Wed Aug 14 08:49:21 2013 -0700 + + HID: pantherlord: validate output report details + + A HID device could send a malicious output report that would cause the + pantherlord HID driver to write beyond the output report allocation + during initialization, causing a heap overflow: + + [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 + ... + [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2892 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 60115e8108e508060815bce5ef9504233c81898c +Author: Kees Cook +Date: Tue Aug 13 16:49:01 2013 -0700 + + HID: LG: validate HID output report details + + A HID device could send a malicious output report that would cause the + lg, lg3, and lg4 HID drivers to write beyond the output report allocation + during an event, causing a heap overflow: + + [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 + ... + [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten + + Additionally, while lg2 did correctly validate the report details, it was + cleaned up and shortened. + + CVE-2013-2893 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- + 4 files changed, 12 insertions(+), 73 deletions(-) + +commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f +Author: Kees Cook +Date: Thu Aug 15 23:21:23 2013 -0700 + + HID: lenovo-tpkbd: validate output report details + + A HID device could send a malicious output report that would cause the + lenovo-tpkbd HID driver to write just beyond the output report allocation + during initialization, causing a heap overflow: + + [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 + ... + [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2894 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 38627769bb2b9a550e251b2caf1babda7566fb4a +Author: Kees Cook +Date: Thu Aug 15 23:45:03 2013 -0700 + + HID: logitech-dj: validate output report details + + A HID device could send a malicious output report that would cause the + logitech-dj HID driver to leak kernel memory contents to the device, or + trigger a NULL dereference during initialization: + + [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b + ... + [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 + [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 + + CVE-2013-2895 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 +Author: Kees Cook +Date: Fri Aug 16 00:18:15 2013 -0700 + + HID: ntrig: validate feature report details + + A HID device could send a malicious feature report that would cause the + ntrig HID driver to trigger a NULL dereference during initialization: + + [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 + ... + [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 + [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + + CVE-2013-2896 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-ntrig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 +Author: Kees Cook +Date: Fri Aug 16 00:11:32 2013 -0700 + + HID: multitouch: validate feature report details + + When working on report indexes, always validate that they are in bounds. + Without this, a HID device could report a malicious feature report that + could trick the driver into a heap overflow: + + [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 + ... + [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + + CVE-2013-2897 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 files changed, 20 insertions(+), 5 deletions(-) + +commit 813f51e0881e4ea6d221da828b1cced02ad9694d +Author: Kees Cook +Date: Fri Aug 16 08:12:45 2013 -0700 + + HID: sensor-hub: validate feature report details + + A HID device could send a malicious feature report that would cause the + sensor-hub HID driver to read past the end of heap allocation, leaking + kernel memory contents to the caller. + + CVE-2013-2898 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c +Author: Kees Cook +Date: Fri Aug 16 08:05:10 2013 -0700 + + HID: picolcd_core: validate output report details + + A HID device could send a malicious output report that would cause the + picolcd HID driver to trigger a NULL dereference during attr file writing. + + CVE-2013-2899 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-picolcd_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 95e3cfb5a995dabe45b98cafb77e59d074de151f +Author: Kees Cook +Date: Fri Aug 16 08:09:54 2013 -0700 + + HID: check for NULL field when setting values + + Defensively check that the field to be worked on is not NULL. + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + + drivers/hid/hid-core.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 96a55ce1b2f3af376c400a02059174e79ce4399c +Author: Brad Spengler +Date: Wed Aug 28 18:09:18 2013 -0400 + + http://marc.info/?l=linux-input&m=137772180514608&q=raw + + From: Kees Cook + + The "Report ID" field of a HID report is used to build indexes of + reports. The kernel's index of these is limited to 256 entries, so any + malicious device that sets a Report ID greater than 255 will trigger + memory corruption on the host: + + [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 + [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + + CVE-2013-2888 + + Signed-off-by: Kees Cook + Cc: stable@kernel.org + --- + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +commit eb1106eef5f17bfda833ca3cf89e315919173257 +Author: Dan Carpenter +Date: Fri Aug 9 12:52:31 2013 +0300 + + Upstream commit: 909bd5926d474e275599094acad986af79671ac9 + + Hostap: copying wrong data prism2_ioctl_giwaplist() + + We want the data stored in "addr" and "qual", but the extra ampersands + mean we are copying stack data instead. + + Signed-off-by: Dan Carpenter + Cc: stable@vger.kernel.org + Signed-off-by: John W. Linville + + drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 +Author: Brad Spengler +Date: Wed Aug 28 17:01:21 2013 -0400 + + fix typo in ipv6 backport + + net/ipv6/addrconf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 +Author: Andy Lutomirski +Date: Thu Aug 22 11:39:15 2013 -0700 + + Upstream commit: d661684cf6820331feae71146c35da83d794467e + + net: Check the correct namespace when spoofing pid over SCM_RIGHTS + + This is a security bug. + + The follow-up will fix nsproxy to discourage this type of issue from + happening again. + + Cc: stable@vger.kernel.org + Signed-off-by: Andy Lutomirski + Reviewed-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/core/scm.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 +Author: Hannes Frederic Sowa +Date: Fri Aug 16 13:02:27 2013 +0200 + + Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 + + ipv6: remove max_addresses check from ipv6_create_tempaddr + + Because of the max_addresses check attackers were able to disable privacy + extensions on an interface by creating enough autoconfigured addresses: + + + + But the check is not actually needed: max_addresses protects the + kernel to install too many ipv6 addresses on an interface and guards + addrconf_prefix_rcv to install further addresses as soon as this limit + is reached. We only generate temporary addresses in direct response of + a new address showing up. As soon as we filled up the maximum number of + addresses of an interface, we stop installing more addresses and thus + also stop generating more temp addresses. + + Even if the attacker tries to generate a lot of temporary addresses + by announcing a prefix and removing it again (lifetime == 0) we won't + install more temp addresses, because the temporary addresses do count + to the maximum number of addresses, thus we would stop installing new + autoconfigured addresses when the limit is reached. + + This patch fixes CVE-2013-0343 (but other layer-2 attacks are still + possible). + + Thanks to Ding Tianhong to bring this topic up again. + + Cc: Ding Tianhong + Cc: George Kargiotakis + Cc: P J P + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Acked-by: Ding Tianhong + Signed-off-by: David S. Miller + + Conflicts: + + net/ipv6/addrconf.c + + net/ipv6/addrconf.c | 10 ++++------ + 1 files changed, 4 insertions(+), 6 deletions(-) + +commit 8333e0981469a226a47d0142ff31090a48db95a4 +Author: David Vrabel +Date: Thu Aug 15 13:21:06 2013 +0100 + + Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 + + xen/events: initialize local per-cpu mask for all possible events + + The sizeof() argument in init_evtchn_cpu_bindings() is incorrect + resulting in only the first 64 (or 32 in 32-bit guests) ports having + their bindings being initialized to VCPU 0. + + In most cases this does not cause a problem as request_irq() will set + the irq affinity which will set the correct local per-cpu mask. + However, if the request_irq() is called on a VCPU other than 0, there + is a window between the unmasking of the event and the affinity being + set were an event may be lost because it is not locally unmasked on + any VCPU. If request_irq() is called on VCPU 0 then local irqs are + disabled during the window and the race does not occur. + + Fix this by initializing all NR_EVENT_CHANNEL bits in the local + per-cpu masks. + + Signed-off-by: David Vrabel + Signed-off-by: Konrad Rzeszutek Wilk + CC: stable@vger.kernel.org + + drivers/xen/events.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2a9a83768433937a2b7a97001ba1627156c0efed +Author: Roland Dreier +Date: Mon Aug 5 17:55:01 2013 -0700 + + Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 + + [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal + + There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances + leads to one process writing data into the address space of some other + random unrelated process if the ioctl is interrupted by a signal. + What happens is the following: + + - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the + underlying SCSI command will transfer data from the SCSI device to + the buffer provided in the ioctl) + + - Before the command finishes, a signal is sent to the process waiting + in the ioctl. This will end up waking up the sg_ioctl() code: + + result = wait_event_interruptible(sfp->read_wait, + (srp_done(sfp, srp) || sdp->detached)); + + but neither srp_done() nor sdp->detached is true, so we end up just + setting srp->orphan and returning to userspace: + + srp->orphan = 1; + write_unlock_irq(&sfp->rq_list_lock); + return result; /* -ERESTARTSYS because signal hit process */ + + At this point the original process is done with the ioctl and + blithely goes ahead handling the signal, reissuing the ioctl, etc. + + - Eventually, the SCSI command issued by the first ioctl finishes and + ends up in sg_rq_end_io(). At the end of that function, we run through: + + write_lock_irqsave(&sfp->rq_list_lock, iflags); + if (unlikely(srp->orphan)) { + if (sfp->keep_orphan) + srp->sg_io_owned = 0; + else + done = 0; + } + srp->done = done; + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + if (likely(done)) { + /* Now wake up any sg_read() that is waiting for this + * packet. + */ + wake_up_interruptible(&sfp->read_wait); + kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); + kref_put(&sfp->f_ref, sg_remove_sfp); + } else { + INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); + schedule_work(&srp->ew.work); + } + + Since srp->orphan *is* set, we set done to 0 (assuming the + userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN + ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() + to run in a workqueue. + + - In workqueue context we go through sg_rq_end_io_usercontext() -> + sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> + bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). + + The key point here is that we are doing copy_to_user() on a + workqueue -- that is, we're on a kernel thread with current->mm + equal to whatever random previous user process was scheduled before + this kernel thread. So we end up copying whatever data the SCSI + command returned to the virtual address of the buffer passed into + the original ioctl, but it's quite likely we do this copying into a + different address space! + + As suggested by James Bottomley , + add a check for current->mm (which is NULL if we're on a kernel thread + without a real userspace address space) in bio_uncopy_user(), and skip + the copy if we're on a kernel thread. + + There's no reason that I can think of for any caller of bio_uncopy_user() + to want to do copying on a kernel thread with a random active userspace + address space. + + Huge thanks to Costa Sapuntzakis for the + original pointer to this bug in the sg code. + + Signed-off-by: Roland Dreier + Tested-by: David Milburn + Cc: Jens Axboe + Cc: + Signed-off-by: James Bottomley + + fs/bio.c | 20 +++++++++++++++----- + 1 files changed, 15 insertions(+), 5 deletions(-) + +commit e6fe57dee152671afd618d6bc8cbf23155be6c34 +Merge: cdc8f7d f2095a4 +Author: Brad Spengler +Date: Tue Aug 27 18:13:35 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + security/Kconfig + +commit f2095a4787f7d332e5919f0bd00f8de6021ad612 +Author: Brad Spengler +Date: Tue Aug 27 18:08:23 2013 -0400 + + Update to pax-linux-3.10.9-test20.patch: + - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy + - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard + - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard + - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do + - added REFCOUNT support for mips, by Corey Minyard + - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) + - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) + + arch/arm/mm/fault.c | 11 +- + arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- + arch/mips/kernel/traps.c | 14 +- + arch/x86/include/asm/tlbflush.h | 4 + + arch/x86/include/asm/uaccess_64.h | 2 +- + fs/ntfs/file.c | 2 +- + kernel/events/internal.h | 4 +- + kernel/events/uprobes.c | 2 +- + kernel/futex.c | 2 +- + mm/filemap.c | 8 +- + security/Kconfig | 2 +- + tools/gcc/kernexec_plugin.c | 18 +- + tools/gcc/latent_entropy_plugin.c | 26 +- + tools/gcc/size_overflow_plugin.c | 3 +- + 14 files changed, 750 insertions(+), 70 deletions(-) + +commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 +Merge: 5a9ae57 745975e +Author: Brad Spengler +Date: Mon Aug 26 20:27:33 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 745975e3b3b74b64e00e85778f9a22714d1274f2 +Author: Brad Spengler +Date: Mon Aug 26 20:26:33 2013 -0400 + + Fix compilation when UDEREF is enabled and KERNEXEC is disabled, + as reported by fabled on the forums: + http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 + + arch/arm/include/asm/pgtable.h | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 +Merge: 486ec00 f68df21 +Author: Brad Spengler +Date: Tue Aug 20 20:15:20 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 +Author: Brad Spengler +Date: Tue Aug 20 20:14:50 2013 -0400 + + Update to pax-linux-3.10.9-test18.patch: + - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) + - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) + - forward port to 3.10.9 + + arch/x86/kernel/entry_64.S | 18 +++++++++--------- + arch/x86/kernel/i386_ksyms_32.c | 4 ++++ + arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ + 3 files changed, 17 insertions(+), 9 deletions(-) + +commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f +Merge: f47a293 d8fed0e +Author: Brad Spengler +Date: Tue Aug 20 20:12:47 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 +Merge: f6ace8e 0a4b6d4 +Author: Brad Spengler +Date: Tue Aug 20 20:12:33 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit f47a293a1440da2a3e2c239d43d636e37ca74f10 +Merge: f1e8ec7 f6ace8e +Author: Brad Spengler +Date: Tue Aug 20 18:20:05 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/kernel/perf_event.c + include/linux/sched.h + +commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 +Merge: b4fa847 6f54059 +Author: Brad Spengler +Date: Tue Aug 20 18:18:02 2013 -0400 + + Update to pax-linux-3.10.8-test18.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/sys_x86_64.c + arch/x86/mm/mmap.c + include/linux/sched.h + +commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca +Merge: 6f88011 b4fa847 +Author: Brad Spengler +Date: Tue Aug 20 18:05:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 +Author: Brad Spengler +Date: Tue Aug 20 18:04:14 2013 -0400 + + Update to pax-linux-3.10.7-test18.patch: + - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) + - fixed a UDEREF resume regression due to the constification of clone_pgd_mask + - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause + + arch/arm/kernel/process.c | 2 +- + arch/x86/include/asm/processor.h | 25 ++----------------------- + arch/x86/kernel/cpu/common.c | 4 ++++ + arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ + drivers/staging/zcache/tmem.c | 4 ++-- + drivers/staging/zcache/tmem.h | 6 ++---- + 6 files changed, 47 insertions(+), 30 deletions(-) + +commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f +Author: Brad Spengler +Date: Mon Aug 19 22:10:04 2013 -0400 + + fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) + as reported by pipacs + + arch/x86/kernel/smpboot.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 +Merge: 6eba999 5de93c8 +Author: Brad Spengler +Date: Sun Aug 18 22:03:19 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db +Author: Brad Spengler +Date: Sun Aug 18 22:02:47 2013 -0400 + + Update to pax-linux-3.10.7-test15.patch: + - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) + - fixed some new REFCOUNT false positives, caught by inspection + + arch/x86/kernel/cpu/common.c | 5 +++-- + arch/x86/kernel/entry_64.S | 11 +++++++---- + fs/ceph/super.c | 4 ++-- + mm/backing-dev.c | 4 ++-- + 4 files changed, 14 insertions(+), 10 deletions(-) + +commit 94c119587c76723c1072237b98fff9886ccb7689 +Author: Brad Spengler +Date: Sun Aug 18 20:49:39 2013 -0400 + + fix pipacs' DEMORGAN typo + + arch/x86/include/asm/tlbflush.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 +Merge: df347f6 64a293e +Author: Brad Spengler +Date: Sun Aug 18 18:13:04 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 +Author: Brad Spengler +Date: Sun Aug 18 18:12:37 2013 -0400 + + Update to pax-linux-3.10.7-test14.patch: + - fixed compile error introduced by the previous PCID change + - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) + + arch/x86/include/asm/tlbflush.h | 2 +- + kernel/posix-timers.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 +Merge: d8efbc5 e11b314 +Author: Brad Spengler +Date: Sun Aug 18 08:15:00 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e11b314734c5b7317f5468be75305ad812e78c2b +Author: Brad Spengler +Date: Sun Aug 18 08:14:26 2013 -0400 + + Update to pax-linux-3.10.7-test13.patch: + - always enable the use of PCID and INVPCID when available in the CPU + - kvm guest kernels can use these features even if the host kernel lacks UDEREF + + arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- + arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- + 2 files changed, 70 insertions(+), 47 deletions(-) + +commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 +Author: Brad Spengler +Date: Sat Aug 17 12:00:20 2013 -0400 + + make kallsyms_lookup_size_offset available to approved source files + + include/linux/kallsyms.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 6c8feffa95ce2db280160015027b52bb41a344c8 +Merge: dbf6930 0bb1c2b +Author: Brad Spengler +Date: Sat Aug 17 11:57:50 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 +Author: Brad Spengler +Date: Sat Aug 17 11:56:43 2013 -0400 + + Update to pax-linux-3.10.7-test12.patch: + - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause + - fixed some arm compile problems + + arch/x86/include/asm/tlbflush.h | 2 +- + drivers/clocksource/bcm_kona_timer.c | 2 +- + kernel/signal.c | 4 ++++ + 3 files changed, 6 insertions(+), 2 deletions(-) + +commit dbf69305ad4f8a037aae95af90f9201f556dcb48 +Author: Brad Spengler +Date: Sat Aug 17 11:18:09 2013 -0400 + + allow use of kallsyms_lookup_name to approved source files + + include/linux/kallsyms.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 +Merge: 68bd16f f562e3e +Author: Brad Spengler +Date: Sat Aug 17 10:35:02 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f562e3ef7737ea8d80431a722479b36a12504ace +Author: Brad Spengler +Date: Sat Aug 17 10:34:51 2013 -0400 + + add uderef_64.c + + arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 files changed, 37 insertions(+), 0 deletions(-) + +commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 +Author: Asbjoern Sloth Toennesen +Date: Mon Aug 12 16:30:09 2013 +0000 + + Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 + + rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header + + Fix the iproute2 command `bridge vlan show`, after switching from + rtgenmsg to ifinfomsg. + + Let's start with a little history: + + Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in + the 3.9 merge window. + In the kernel commit 6cbdceeb, he added attribute support to + bridge GETLINK requests sent with rtgenmsg. + + Mar 6th: Vlad got this iproute2 reference implementation of the bridge + vlan netlink interface accepted (iproute2 9eff0e5c) + + Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) + http://patchwork.ozlabs.org/patch/239602/ + http://marc.info/?t=136680900700007 + + Apr 28th: Linus released 3.9 + + Apr 30th: Stephen released iproute2 3.9.0 + + The `bridge vlan show` command haven't been working since the switch to + ifinfomsg, or in a released version of iproute2. Since the kernel side + only supports rtgenmsg, which iproute2 switched away from just prior to + the iproute2 3.9.0 release. + + I haven't been able to find any documentation, about neither rtgenmsg + nor ifinfomsg, and in which situation to use which, but kernel commit + 88c5b5ce seams to suggest that ifinfomsg should be used. + + Fixing this in kernel will break compatibility, but I doubt that anybody + have been using it due to this bug in the user space reference + implementation, at least not without noticing this bug. That said the + functionality is still fully functional in 3.9, when reversing iproute2 + commit 63338dca. + + This could also be fixed in iproute2, but thats an ugly patch that would + reintroduce rtgenmsg in iproute2, and from searching in netdev it seams + like rtgenmsg usage is discouraged. I'm assuming that the only reason + that Vlad implemented the kernel side to use rtgenmsg, was because + iproute2 was using it at the time. + + Signed-off-by: Asbjoern Sloth Toennesen + Reviewed-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/core/rtnetlink.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8c7bc5bafddddff55ed4687203a977e96f72540a +Author: Johannes Berg +Date: Tue Aug 13 09:04:05 2013 +0200 + + Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db + + genetlink: fix family dump race + + When dumping generic netlink families, only the first dump call + is locked with genl_lock(), which protects the list of families, + and thus subsequent calls can access the data without locking, + racing against family addition/removal. This can cause a crash. + Fix it - the locking needs to be conditional because the first + time around it's already locked. + + A similar bug was reported to me on an old kernel (3.4.47) but + the exact scenario that happened there is no longer possible, + on those kernels the first round wasn't locked either. Looking + at the current code I found the race described above, which had + also existed on the old kernel. + + Cc: stable@vger.kernel.org + Reported-by: Andrei Otcheretianski + Signed-off-by: Johannes Berg + Signed-off-by: David S. Miller + + net/netlink/genetlink.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb +Author: Daniel Borkmann +Date: Fri Aug 9 16:25:21 2013 +0200 + + Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e + + net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption + + Probably this one is quite unlikely to be triggered, but it's more safe + to do the call_rcu() at the end after we have dropped the reference on + the asoc and freed sctp packet chunks. The reason why is because in + sctp_transport_destroy_rcu() the transport is being kfree()'d, and if + we're unlucky enough we could run into corrupted pointers. Probably + that's more of theoretical nature, but it's safer to have this simple fix. + + Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings + for deferred call_rcu's"). I also did the 8c98653f regression test and + it's fine that way. + + Signed-off-by: Daniel Borkmann + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/transport.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 3925eab5483946fd746575a46f97bee9d566bb77 +Author: Stephane Grosjean +Date: Fri Aug 9 11:44:06 2013 +0200 + + Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e + + can: pcan_usb: fix wrong memcpy() bytes length + + Fix possibly wrong memcpy() bytes length since some CAN records received from + PCAN-USB could define a DLC field in range [9..15]. + In that case, the real DLC value MUST be used to move forward the record pointer + but, only 8 bytes max. MUST be copied into the data field of the struct + can_frame object of the skb given to the network core. + + Cc: linux-stable + Signed-off-by: Stephane Grosjean + Signed-off-by: Marc Kleine-Budde + Signed-off-by: David S. Miller + + drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c1ac6642baae4a400d1f87115024d1bb1ef53598 +Author: Linus Lüssing +Date: Tue Aug 6 20:21:15 2013 +0200 + + Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 + + batman-adv: fix potential kernel paging errors for unicast transmissions + + There are several functions which might reallocate skb data. Currently + some places keep reusing their old ethhdr pointer regardless of whether + they became invalid after such a reallocation or not. This potentially + leads to kernel paging errors. + + This patch fixes these by refetching the ethdr pointer after the + potential reallocations. + + Signed-off-by: Linus Lüssing + Signed-off-by: Marek Lindner + Signed-off-by: Antonio Quartulli + + net/batman-adv/bridge_loop_avoidance.c | 2 ++ + net/batman-adv/gateway_client.c | 13 ++++++++++++- + net/batman-adv/gateway_client.h | 3 +-- + net/batman-adv/soft-interface.c | 9 ++++++++- + net/batman-adv/unicast.c | 13 ++++++++++--- + 5 files changed, 33 insertions(+), 7 deletions(-) + +commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb +Author: Yuchung Cheng +Date: Fri Aug 9 17:21:27 2013 -0700 + + Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 + + netfilter: nf_conntrack: fix tcp_in_window for Fast Open + + Currently the conntrack checks if the ending sequence of a packet + falls within the observed receive window. However it does so even + if it has not observe any packet from the remote yet and uses an + uninitialized receive window (td_maxwin). + + If a connection uses Fast Open to send a SYN-data packet which is + dropped afterward in the network. The subsequent SYNs retransmits + will all fail this check and be discarded, leading to a connection + timeout. This is because the SYN retransmit does not contain data + payload so + + end == initial sequence number (isn) + 1 + sender->td_end == isn + syn_data_len + receiver->td_maxwin == 0 + + The fix is to only apply this check after td_maxwin is initialized. + + Reported-by: Michael Chan + Signed-off-by: Yuchung Cheng + Acked-by: Eric Dumazet + Acked-by: Jozsef Kadlecsik + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec +Author: Dan Carpenter +Date: Thu Aug 1 12:36:57 2013 +0300 + + Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 + + netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message + + These structs have a "_pad" member. Also the "phw" structs have an 8 + byte "hw_addr[]" array but sometimes only the first 6 bytes are + initialized. + + Signed-off-by: Dan Carpenter + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_log.c | 6 +++++- + net/netfilter/nfnetlink_queue_core.c | 5 ++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f +Author: Pablo Neira Ayuso +Date: Thu Jul 25 10:46:46 2013 +0200 + + Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 + + netfilter: xt_TCPOPTSTRIP: fix possible off by one access + + Fix a possible off by one access since optlen() + touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. + + This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen + that stores the TCP header length, to save some cycles. + + Reported-by: Julian Anastasov + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +commit 4634def261cf5f635bc60afe8a6ad436b3ec151e +Author: Pablo Neira Ayuso +Date: Thu Jul 25 10:37:49 2013 +0200 + + Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd + + netfilter: xt_TCPMSS: fix handling of malformed TCP header and options + + Make sure the packet has enough room for the TCP header and + that it is not malformed. + + While at it, store tcph->doff*4 in a variable, as it is used + several times. + + This patch also fixes a possible off by one in case of malformed + TCP options. + + Reported-by: Julian Anastasov + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ + 1 files changed, 16 insertions(+), 12 deletions(-) + +commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 +Author: Dave Jones +Date: Fri Aug 9 11:16:34 2013 -0700 + + Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e + + 8139cp: Fix skb leak in rx_status_loop failure path. + + Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 + ("8139cp: Add dma_mapping_error checking") + + Signed-off-by: Dave Jones + Signed-off-by: David S. Miller + + drivers/net/ethernet/realtek/8139cp.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 227b279491a0bbcc70ca3654f34903282c378600 +Author: Timo Teräs +Date: Tue Aug 6 13:45:43 2013 +0300 + + Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b + + ip_gre: fix ipgre_header to return correct offset + + Fix ipgre_header() (header_ops->create) to return the correct + amount of bytes pushed. Most callers of dev_hard_header() seem + to care only if it was success, but af_packet.c uses it as + offset to the skb to copy from userspace only once. In practice + this fixes packet socket sendto()/sendmsg() to gre tunnels. + + Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 + ("GRE: Refactor GRE tunneling code.") + + Cc: Pravin B Shelar + Signed-off-by: Timo Teräs + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/ip_gre.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb +Author: Eric Dumazet +Date: Mon Aug 5 11:18:49 2013 -0700 + + Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 + + fib_trie: remove potential out of bound access + + AddressSanitizer [1] dynamic checker pointed a potential + out of bound access in leaf_walk_rcu() + + We could allocate one more slot in tnode_new() to leave the prefetch() + in-place but it looks not worth the pain. + + Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") + + [1] : + https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel + + Reported-by: Andrey Konovalov + Signed-off-by: Eric Dumazet + Cc: Dmitry Vyukov + Signed-off-by: David S. Miller + + net/ipv4/fib_trie.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 +Author: Daniel Borkmann +Date: Mon Aug 5 12:49:35 2013 +0200 + + Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 + + net: esp{4,6}: fix potential MTU calculation overflows + + Commit 91657eafb ("xfrm: take net hdr len into account for esp payload + size calculation") introduced a possible interger overflow in + esp{4,6}_get_mtu() handlers in case of x->props.mode equals + XFRM_MODE_TUNNEL. Thus, the following expression will overflow + + unsigned int net_adj; + ... + + net_adj = 0; + ... + return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - + net_adj) & ~(align - 1)) + (net_adj - 2); + + where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned + context. Fix it by simply removing brackets as those operations here + do not need to have special precedence. + + Signed-off-by: Daniel Borkmann + Cc: Benjamin Poirier + Cc: Steffen Klassert + Acked-by: Benjamin Poirier + Signed-off-by: David S. Miller + + net/ipv4/esp4.c | 2 +- + net/ipv6/esp6.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit f02bce292d1c2fe610be509c96593e70b3de387b +Author: Julia Lawall +Date: Mon Aug 5 16:47:38 2013 +0200 + + Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 + + net/vmw_vsock/af_vsock.c: drop unneeded semicolon + + Drop the semicolon at the end of the list_for_each_entry loop header. + + Signed-off-by: Julia Lawall + Signed-off-by: David S. Miller + + net/vmw_vsock/af_vsock.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 +Author: Tiger Yang +Date: Tue Aug 13 16:00:58 2013 -0700 + + Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 + + ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page + + Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as + the struct file pointer, it finally result in a null pointer dereference + in ocfs2_duplicate_clusters_by_page. + + This patch replace file pointer with inode pointer in + cow_duplicate_clusters to fix this issue. + + [jeff.liu@oracle.com: rebased patch against linux-next tree] + Signed-off-by: Tiger Yang + Signed-off-by: Jie Liu + Cc: Joel Becker + Cc: Mark Fasheh + Acked-by: Tao Ma + Tested-by: David Weber + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/ocfs2/aops.c | 2 +- + fs/ocfs2/file.c | 6 ++-- + fs/ocfs2/move_extents.c | 2 +- + fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- + fs/ocfs2/refcounttree.h | 6 ++-- + 5 files changed, 16 insertions(+), 53 deletions(-) + +commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 +Author: Dan Carpenter +Date: Thu Aug 15 15:52:57 2013 +0300 + + Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e + + tun: signedness bug in tun_get_user() + + The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is + not totally correct. Because "len" and "sizeof()" are size_t type, that + means they are never less than zero. + + Signed-off-by: Dan Carpenter + Acked-by: Michael S. Tsirkin + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + drivers/net/tun.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 26ad267ddda451919357965a0cf271ca24d1bcf2 +Author: Weiping Pan +Date: Tue Aug 13 21:46:56 2013 +0800 + + Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 + + tun: compare with 0 instead of total_len + + Since we set "len = total_len" in the beginning of tun_get_user(), + so we should compare the new len with 0, instead of total_len, + or the if statement always returns false. + + Signed-off-by: Weiping Pan + Signed-off-by: David S. Miller + + drivers/net/tun.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 +Author: Guenter Roeck +Date: Fri Aug 16 20:50:55 2013 -0700 + + Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 + + s390: Fix broken build + + Fix this build error: + + In file included from fs/exec.c:61:0: + arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' + arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] + arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': + arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' + + Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range + invalidation corner cases"). + + Cc: Greg Kroah-Hartman + Cc: stable@vger.kernel.org + Signed-off-by: Guenter Roeck + [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] + Signed-off-by: Linus Torvalds + + arch/s390/include/asm/tlb.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4e57312c2de2a25ddb181d129dafbc0251062c33 +Author: Linus Torvalds +Date: Thu Aug 15 11:42:25 2013 -0700 + + Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce + + Fix TLB gather virtual address range invalidation corner cases + + Ben Tebulin reported: + + "Since v3.7.2 on two independent machines a very specific Git + repository fails in 9/10 cases on git-fsck due to an SHA1/memory + failures. This only occurs on a very specific repository and can be + reproduced stably on two independent laptops. Git mailing list ran + out of ideas and for me this looks like some very exotic kernel issue" + + and bisected the failure to the backport of commit 53a59fc67f97 ("mm: + limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). + + That commit itself is not actually buggy, but what it does is to make it + much more likely to hit the partial TLB invalidation case, since it + introduces a new case in tlb_next_batch() that previously only ever + happened when running out of memory. + + The real bug is that the TLB gather virtual memory range setup is subtly + buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: + enable tlb flush range in generic mmu_gather"), and the range handling + was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB + range flushed when __tlb_remove_page() runs out of slots"), but that fix + was not complete. + + The problem with the TLB gather virtual address range is that it isn't + set up by the initial tlb_gather_mmu() initialization (which didn't get + the TLB range information), but it is set up ad-hoc later by the + functions that actually flush the TLB. And so any such case that forgot + to update the TLB range entries would potentially miss TLB invalidates. + + Rather than try to figure out exactly which particular ad-hoc range + setup was missing (I personally suspect it's the hugetlb case in + zap_huge_pmd(), which didn't have the same logic as zap_pte_range() + did), this patch just gets rid of the problem at the source: make the + TLB range information available to tlb_gather_mmu(), and initialize it + when initializing all the other tlb gather fields. + + This makes the patch larger, but conceptually much simpler. And the end + result is much more understandable; even if you want to play games with + partial ranges when invalidating the TLB contents in chunks, now the + range information is always there, and anybody who doesn't want to + bother with it won't introduce subtle bugs. + + Ben verified that this fixes his problem. + + Reported-bisected-and-tested-by: Ben Tebulin + Build-testing-by: Stephen Rothwell + Build-testing-by: Richard Weinberger + Reviewed-by: Michal Hocko + Acked-by: Peter Zijlstra + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + arch/arm/include/asm/tlb.h | 7 +++++-- + arch/arm64/include/asm/tlb.h | 7 +++++-- + arch/ia64/include/asm/tlb.h | 9 ++++++--- + arch/s390/include/asm/tlb.h | 8 ++++++-- + arch/sh/include/asm/tlb.h | 6 ++++-- + arch/um/include/asm/tlb.h | 6 ++++-- + fs/exec.c | 4 ++-- + include/asm-generic/tlb.h | 2 +- + mm/hugetlb.c | 2 +- + mm/memory.c | 36 +++++++++++++++++++++--------------- + mm/mmap.c | 4 ++-- + 11 files changed, 57 insertions(+), 34 deletions(-) + +commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 +Merge: 5568c80 ffceabf +Author: Brad Spengler +Date: Sat Aug 17 09:11:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit ffceabfcc65c60109ba5fca694d78d4dc7047809 +Author: Brad Spengler +Date: Sat Aug 17 09:10:44 2013 -0400 + + Update to pax-linux-3.10.7-test11.patch: + - simplified some arm code + - disabled preemption when calling show_regs, reported by Corey Minyard + - added PCID based support for UDEREF on amd64 (blog will have more details) + - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc + - nopcid turns it off + - by default a strong form of UDEREF is used under PCID + - pax_weakuderef switches to the older, less secure UDEREF + - fixed several bugs that would also have manifested under SMAP + - INVPCID is used when available (Haswell) + - added a few more return insn instrumentation in new amd64 crypto code + + Documentation/kernel-parameters.txt | 7 + + arch/arm/include/asm/uaccess.h | 3 + + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ + arch/x86/crypto/sha256-avx-asm.S | 2 + + arch/x86/crypto/sha256-avx2-asm.S | 2 + + arch/x86/crypto/sha256-ssse3-asm.S | 2 + + arch/x86/crypto/sha512-avx-asm.S | 2 + + arch/x86/crypto/sha512-avx2-asm.S | 2 + + arch/x86/crypto/sha512-ssse3-asm.S | 2 + + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ + arch/x86/ia32/ia32_signal.c | 2 +- + arch/x86/ia32/ia32entry.S | 24 ++++- + arch/x86/include/asm/cpufeature.h | 3 +- + arch/x86/include/asm/fpu-internal.h | 2 + + arch/x86/include/asm/futex.h | 4 + + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- + arch/x86/include/asm/pgtable.h | 10 +- + arch/x86/include/asm/processor.h | 15 +++- + arch/x86/include/asm/segment.h | 5 +- + arch/x86/include/asm/smap.h | 64 +++++++++++- + arch/x86/include/asm/tlbflush.h | 63 +++++++++-- + arch/x86/include/asm/uaccess.h | 18 +++- + arch/x86/include/asm/xsave.h | 4 + + arch/x86/kernel/cpu/common.c | 38 +++++++ + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- + arch/x86/kernel/head_32.S | 2 +- + arch/x86/kernel/head_64.S | 8 +- + arch/x86/kernel/process_64.c | 5 + + arch/x86/kernel/setup.c | 8 +- + arch/x86/kernel/signal.c | 4 +- + arch/x86/kernel/smpboot.c | 15 ++- + arch/x86/lib/copy_user_64.S | 50 +-------- + arch/x86/lib/copy_user_nocache_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 11 ++- + arch/x86/lib/memcpy_64.S | 4 +- + arch/x86/lib/memmove_64.S | 2 +- + arch/x86/lib/memset_64.S | 4 +- + arch/x86/lib/usercopy_64.c | 5 +- + arch/x86/mm/Makefile | 4 + + arch/x86/mm/fault.c | 29 ++++-- + arch/x86/mm/init.c | 7 +- + arch/x86/mm/init_64.c | 9 ++- + arch/x86/mm/pageattr.c | 2 +- + arch/x86/mm/pgtable.c | 3 + + arch/x86/platform/efi/efi_32.c | 2 +- + arch/x86/platform/efi/efi_64.c | 2 +- + arch/x86/realmode/rm/trampoline_64.S | 1 + + fs/exec.c | 2 + + include/asm-generic/uaccess.h | 8 ++ + include/linux/compat.h | 1 + + include/linux/preempt.h | 19 +++ + include/linux/signal.h | 1 + + include/linux/smp.h | 2 + + init/main.c | 14 ++- + kernel/signal.c | 16 +++ + security/Kconfig | 5 + + tools/lib/lk/Makefile | 2 +- + tools/perf/Makefile | 2 +- + 64 files changed, 673 insertions(+), 136 deletions(-) + +commit 5568c8059e78d6d002815409df4e90c83b3b08a8 +Author: Brad Spengler +Date: Sat Aug 17 08:58:34 2013 -0400 + + Fix two harmless compiler warnings + + arch/arm/kernel/process.c | 4 ++-- + fs/exec.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 +Author: Brad Spengler +Date: Fri Aug 16 22:55:24 2013 -0400 + + Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b + + arch/arm/kernel/perf_event.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit 3637bc893b57a227b01852fe34685ab237285b10 +Author: Stephen Boyd +Date: Wed Aug 7 16:18:08 2013 -0700 + + Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb + + perf/arm: Fix armpmu_map_hw_event() + + Fix constraint check in armpmu_map_hw_event(). + + Reported-and-tested-by: Vince Weaver + Cc: + Signed-off-by: Ingo Molnar + Signed-off-by: Linus Torvalds + + arch/arm/kernel/perf_event.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 11802e1f961a088c39af58d1c1b14d861eedfb35 +Author: Brad Spengler +Date: Fri Aug 16 22:53:30 2013 -0400 + + More ARM backports + + arch/arm/kernel/entry-armv.S | 3 ++- + arch/arm/kernel/fiq.c | 8 ++------ + 2 files changed, 4 insertions(+), 7 deletions(-) + +commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea +Author: Brad Spengler +Date: Fri Aug 16 22:46:01 2013 -0400 + + Fix HIDESYM compatibility with kprobes, as reported by feandil at: + http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 + + include/linux/kallsyms.h | 2 +- + kernel/kprobes.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletions(-) + +commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 +Author: yonghua zheng +Date: Tue Aug 13 16:01:03 2013 -0700 + + fs/proc/task_mmu.c: fix buffer overflow in add_page_map() + + Recently we met quite a lot of random kernel panic issues after enabling + CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something + to do with following bug in pagemap: + + In struct pagemapread: + + struct pagemapread { + int pos, len; + pagemap_entry_t *buffer; + bool v2; + }; + + pos is number of PM_ENTRY_BYTES in buffer, but len is the size of + buffer, it is a mistake to compare pos and len in add_page_map() for + checking buffer is full or not, and this can lead to buffer overflow and + random kernel panic issue. + + Correct len to be total number of PM_ENTRY_BYTES in buffer. + + [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] + Signed-off-by: Yonghua Zheng + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/task_mmu.c + + fs/proc/task_mmu.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit 0a3dac834746de241c10d4978bf61b4f146ba89d +Merge: dc19474 e12de30 +Author: Brad Spengler +Date: Fri Aug 16 17:39:01 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 +Author: Brad Spengler +Date: Fri Aug 16 17:34:47 2013 -0400 + + Update to pax-linux-3.10.7-test9.patch: + - Emese fixed a size overflow false positive reported by Sven Vermeulen + - fixed some arm compile problems reported by spender + - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard + eventually we'll have full REFCOUNT support on mips + + arch/arm/kernel/process.c | 5 ++- + arch/arm/mm/Kconfig | 2 +- + arch/arm/mm/fault.c | 3 ++ + arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ + mm/internal.h | 2 +- + 5 files changed, 65 insertions(+), 4 deletions(-) + +commit dc19474d0ea6ea3c939544ae5f906067b1784a10 +Merge: 51b78c0 82266f9 +Author: Brad Spengler +Date: Thu Aug 15 21:47:37 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 82266f90a3f87ab5017329fb539aebf94c42253a +Author: Brad Spengler +Date: Thu Aug 15 21:14:47 2013 -0400 + + Update to pax-linux-3.10.7-test9.patch + + arch/arm/kernel/process.c | 6 ++---- + 1 files changed, 2 insertions(+), 4 deletions(-) + +commit 51b78c06d1f41614f593cd36456b4af559e9d7fa +Merge: e32d904 cb77ead +Author: Brad Spengler +Date: Thu Aug 15 20:53:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit cb77ead0eccb5abb75f7e437a3725d0254558ccd +Merge: 13675b8 519be45 +Author: Brad Spengler +Date: Thu Aug 15 20:50:47 2013 -0400 + + Update to pax-linux-3.10.7-test8.patch + + Merge branch 'linux-3.10.y' into pax-test + +commit e32d904b87292288e74e2637b900fd1115687b8e +Author: Brad Spengler +Date: Sat Aug 10 09:41:40 2013 -0400 + + propagate the threadstack offset through to the topdown/bottomup allocators + on sparc64 hugepages + + arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c +Author: Oleg Nesterov +Date: Thu Aug 8 18:55:32 2013 +0200 + + Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 + + another local DoS found in reaction to the one I reported, + we don't allow unpriv user ns use so this doesn't matter much to us + + userns: limit the maximum depth of user_namespace->parent chain + + Ensure that user_namespace->parent chain can't grow too much. + Currently we use the hardroded 32 as limit. + + Reported-by: Andy Lutomirski + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + include/linux/user_namespace.h | 1 + + kernel/user_namespace.c | 4 ++++ + 2 files changed, 5 insertions(+), 0 deletions(-) + +commit 223ac007ef18bf3a5095ba0a56675c1f16200149 +Merge: 1c92de4 13675b8 +Author: Brad Spengler +Date: Thu Aug 8 20:45:24 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 13675b848cf02bffd26924b2b84d927095bc253d +Author: Brad Spengler +Date: Thu Aug 8 20:43:52 2013 -0400 + + Update to pax-linux-3.10.5-test8.patch: + - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) + - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard + - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard + + arch/arm/include/asm/pgtable-2level.h | 4 +++- + arch/arm/mm/proc-v7-2level.S | 3 --- + arch/mips/mm/fault.c | 8 ++++++++ + arch/x86/include/asm/processor.h | 3 ++- + include/linux/math64.h | 2 +- + security/Kconfig | 2 -- + 6 files changed, 14 insertions(+), 8 deletions(-) + +commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 +Merge: e65aa3d 1660f49 +Author: Brad Spengler +Date: Mon Aug 5 18:50:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 1660f496848b8400d263f7920989dae15e72185a +Merge: 7f91ba1 dc51cd2 +Author: Brad Spengler +Date: Mon Aug 5 18:50:12 2013 -0400 + + Update to pax-linux-3.10.5-test7.patch + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + arch/x86/kernel/head_64.S + mm/mempolicy.c + +commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 +Author: Brad Spengler +Date: Mon Aug 5 17:58:42 2013 -0400 + + Disable RANDKSTACK for a VirtualBox host as mentioned on the + gentoo-hardened bugzilla: + https://bugs.gentoo.org/show_bug.cgi?id=382793 + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 +Author: Dan Carpenter +Date: Tue Jul 30 13:23:39 2013 +0300 + + Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 + + net_sched: info leak in atm_tc_dump_class() + + The "pvc" struct has a hole after pvc.sap_family which is not cleared. + + Signed-off-by: Dan Carpenter + Reviewed-by: Jiri Pirko + Signed-off-by: David S. Miller + + net/sched/sch_atm.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 50d20ebce56b6e0b9622685930e007e46c7c04bb +Author: Daniel Borkmann +Date: Fri Aug 2 11:32:43 2013 +0200 + + Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 + + net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails + + Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa + resource that was allocated via inet_alloc_ifa() unfreed when returning + the function with -EINVAL. Thus, free it first via inet_free_ifa(). + + Signed-off-by: Daniel Borkmann + Reviewed-by: Jiri Pirko + Signed-off-by: David S. Miller + + net/ipv4/devinet.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 +Author: Himanshu Madhani +Date: Fri Aug 2 23:15:56 2013 -0400 + + Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 + + qlcnic: Free up memory in error path. + + Signed-off-by: Himanshu Madhani + Signed-off-by: Shahed Shaikh + Signed-off-by: David S. Miller + + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a +Author: Shahed Shaikh +Date: Fri Aug 2 23:15:54 2013 -0400 + + Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f + + qlcnic: Fix MAC address filter issue on 82xx adapter + + Driver was passing the address of a pointer instead of + the pointer itself. + + Signed-off-by: Shahed Shaikh + Signed-off-by: David S. Miller + + drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 +Author: Brad Spengler +Date: Mon Aug 5 17:26:40 2013 -0400 + + Move user namespace capability check to shared create_user_ns code so we + cover unshare() as well. + + Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to + user namespaces! + + kernel/fork.c | 17 ----------------- + kernel/user_namespace.c | 24 ++++++++++++++++++++++-- + 2 files changed, 22 insertions(+), 19 deletions(-) + +commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 +Author: Brad Spengler +Date: Mon Aug 5 16:05:41 2013 -0400 + + silence a warning on older gcc + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b8966a5d577e9220fbc63306eee978f819f24e2e +Author: Brad Spengler +Date: Sat Aug 3 08:31:08 2013 -0400 + + we only care about mmaps of the beginning of an ELF, filter out + all others as suggested by pipacs + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb +Author: Brad Spengler +Date: Fri Aug 2 23:54:51 2013 -0400 + + add include + + grsecurity/grsec_log.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 +Author: Brad Spengler +Date: Fri Aug 2 23:49:13 2013 -0400 + + fix compilation + + include/linux/grinternal.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1704c23fdc55b68f512dc9927940e72237f3f43e +Author: Brad Spengler +Date: Fri Aug 2 23:34:35 2013 -0400 + + Improve PaX reporting (tells when anon mapping is stack or heap) + Remove textrel logging option, combine into rwx logging option + Enhance RWX logging option to display when PT_GNU_STACK-enabled library + is loaded under an MPROTECTed binary + Enhance RWX mprotect logging to display stack/heap instead of just + anon mapping + + fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ + fs/exec.c | 4 ++++ + grsecurity/Kconfig | 21 +++++---------------- + grsecurity/grsec_init.c | 4 ---- + grsecurity/grsec_log.c | 14 ++++++++++++++ + grsecurity/grsec_pax.c | 19 ++++++++++++++----- + grsecurity/grsec_sysctl.c | 9 --------- + include/linux/binfmts.h | 1 + + include/linux/grinternal.h | 2 +- + include/linux/grmsg.h | 3 ++- + include/linux/grsecurity.h | 3 ++- + mm/mmap.c | 7 +++++++ + mm/mprotect.c | 2 +- + 13 files changed, 88 insertions(+), 38 deletions(-) + +commit faf81c100c8565524e21c9af780a0ad2ce3fd925 +Author: Brad Spengler +Date: Thu Aug 1 18:52:02 2013 -0400 + + add missing #define + + grsecurity/gracl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 +Author: Brad Spengler +Date: Thu Aug 1 18:43:53 2013 -0400 + + fix compilation for !COMPAT as reported on the forums + + grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- + 1 files changed, 97 insertions(+), 98 deletions(-) + +commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c +Merge: 65019c9 7f91ba1 +Author: Brad Spengler +Date: Wed Jul 31 17:47:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 65019c9bd05f860437071cbf00e2027fd2d68615 +Author: Brad Spengler +Date: Wed Jul 31 17:47:20 2013 -0400 + + Revert "revert recent PaX change that causes boot failures with 32bit userland" + + This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 +Author: Brad Spengler +Date: Wed Jul 31 17:46:00 2013 -0400 + + Update to pax-linux-3.10.4-test7.patch: + - added a few more missing format strings + - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable + - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time + - fixed a UDEREF/i386 regression, __get_user_8 would always fail + + arch/x86/include/asm/processor.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/dumpstack.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/reboot_fixups_32.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/lib/getuser.S | 4 +- + arch/x86/xen/smp.c | 2 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- + drivers/video/backlight/backlight.c | 2 +- + drivers/video/backlight/lcd.c | 2 +- + fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- + fs/exec.c | 50 +++++++++++++-------------- + include/linux/sched.h | 2 + + 14 files changed, 88 insertions(+), 47 deletions(-) + +commit 043130da54cb7cc8dc44e0ce889d426e889a0532 +Author: Brad Spengler +Date: Wed Jul 31 16:26:58 2013 -0400 + + compile fix for !COMPAT as mentioned on forums + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ed0a195abd4e41c2449a020a53a19c74dc866d78 +Author: Brad Spengler +Date: Tue Jul 30 22:33:14 2013 -0400 + + perform compat conversion of rlimit infinity + + grsecurity/gracl_compat.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 +Author: Brad Spengler +Date: Tue Jul 30 22:21:40 2013 -0400 + + remove debugging + + grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- + 1 files changed, 11 insertions(+), 33 deletions(-) + +commit e75b3f504692b97960a7530ad0855d91441d79c0 +Author: Brad Spengler +Date: Tue Jul 30 22:20:32 2013 -0400 + + eliminate compat_dev_t + + include/linux/gracl_compat.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit e5abbaf95313066a724e1a843d4fc902a9a6450e +Author: Brad Spengler +Date: Tue Jul 30 22:13:22 2013 -0400 + + fix compat rlimit size + + grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- + include/linux/gracl_compat.h | 4 +- + 2 files changed, 49 insertions(+), 23 deletions(-) + +commit 877d6c2f8b3518ff39601084560bb33c58d35a1f +Author: Brad Spengler +Date: Tue Jul 30 21:20:18 2013 -0400 + + compile fix + + grsecurity/gracl.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 +Author: Brad Spengler +Date: Tue Jul 30 21:14:29 2013 -0400 + + copy correct pointer size in new compat code + + grsecurity/gracl.c | 8 ++++---- + grsecurity/gracl_compat.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 23278a1ee1c7738dd1e7005241394d32b82196e4 +Author: Brad Spengler +Date: Tue Jul 30 19:48:58 2013 -0400 + + revert recent PaX change that causes boot failures with 32bit userland + + arch/x86/include/asm/processor.h | 4 ++-- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +commit ec27f71a813656fea8ab37faecb2b485fe99d08e +Merge: 3a11bcf 05f0a61 +Author: Brad Spengler +Date: Tue Jul 30 19:42:21 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 +Author: Brad Spengler +Date: Tue Jul 30 19:41:44 2013 -0400 + + Update to pax-linux-3.10.4-test6.patch: + - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender + + include/linux/syscalls.h | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 +Author: Brad Spengler +Date: Tue Jul 30 19:15:50 2013 -0400 + + compile fix + + grsecurity/gracl_compat.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 +Author: Brad Spengler +Date: Tue Jul 30 19:12:46 2013 -0400 + + remove BUILD_BUG_ONs + + grsecurity/gracl_compat.c | 20 -------------------- + 1 files changed, 0 insertions(+), 20 deletions(-) + +commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 +Author: Brad Spengler +Date: Tue Jul 30 00:18:36 2013 -0400 + + compile fixes + + grsecurity/gracl_compat.c | 8 ++++---- + include/linux/gracl_compat.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 8b744005f8bae565e24c1fd88af77e6e619b9434 +Author: Brad Spengler +Date: Tue Jul 30 00:16:42 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_compat.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c +Author: Brad Spengler +Date: Tue Jul 30 00:13:51 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +commit b93b829afcc98b6108b18d99ff63c53642d0b951 +Author: Brad Spengler +Date: Tue Jul 30 00:11:03 2013 -0400 + + compile fixes + + grsecurity/gracl_compat.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 +Author: Brad Spengler +Date: Tue Jul 30 00:08:21 2013 -0400 + + more compile fixes + + grsecurity/gracl.c | 28 ++++++++++++++-------------- + 1 files changed, 14 insertions(+), 14 deletions(-) + +commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b +Author: Brad Spengler +Date: Mon Jul 29 23:59:50 2013 -0400 + + more compile fixes + + grsecurity/gracl.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 +Author: Brad Spengler +Date: Mon Jul 29 23:56:47 2013 -0400 + + additional compile fixes + + grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 files changed, 49 insertions(+), 10 deletions(-) + +commit ac695a081d1124fb28bec46814535d34c5e40611 +Author: Brad Spengler +Date: Mon Jul 29 23:47:15 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 +Author: Brad Spengler +Date: Mon Jul 29 23:46:59 2013 -0400 + + compile fixes + + grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 14 deletions(-) + +commit 82631f451cc7432b6c5578cf8d24155473feb25c +Author: Brad Spengler +Date: Mon Jul 29 23:22:44 2013 -0400 + + Initial commit of compat RBAC loading + Permits 32bit gradm to load policy for a 64bit kernel + + Also removed code duplication for copying strings into the kernel + + Work performed as part of sponsorship + + grsecurity/Makefile | 4 + + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- + grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ + include/linux/gracl_compat.h | 156 +++++++++++++++++++++ + 4 files changed, 603 insertions(+), 142 deletions(-) + +commit 84c4a433dfb096e4a1162ee5e68025122c70b421 +Merge: c9d3ed3 9fe5897 +Author: Brad Spengler +Date: Mon Jul 29 17:08:56 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 9fe58978938e357642885866ca48090a7753d403 +Merge: 8f693ad 6f7bb6b +Author: Brad Spengler +Date: Mon Jul 29 17:08:43 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 +Merge: d5e5bfd 8f693ad +Author: Brad Spengler +Date: Sun Jul 28 10:03:08 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 8f693ade9b3e448f92706d34148b00a087637f70 +Author: Brad Spengler +Date: Sun Jul 28 10:02:16 2013 -0400 + + Update to pax-linux-3.10.3-test5.patch: + - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) + - fixed handling of faulting userland accesses for UDEREF/arm, from spender + - updated the size overflow hash table, from Emese + + arch/arm/kernel/entry-armv.S | 3 +- + arch/x86/include/asm/processor.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 +- + arch/x86/kernel/process_64.c | 2 +- + arch/x86/kernel/smpboot.c | 2 +- + arch/x86/xen/smp.c | 2 +- + tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- + 7 files changed, 513 insertions(+), 55 deletions(-) + +commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 +Merge: 19e077b 8a8a0d0 +Author: Brad Spengler +Date: Thu Jul 25 21:05:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 +Author: Brad Spengler +Date: Thu Jul 25 21:04:09 2013 -0400 + + Update to pax-linux-3.10.3-test4.patch: + - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. + this is finer grained sanitization than the existing per-page based approach (which + is still done) at a somewhat higher performance cost. the pax_sanitize_slab command + line option can be used to enable/disable it on boot (it's enabled by default when + CONFIG_PAX_MEMORY_SANITIZE is enabled). + + Documentation/kernel-parameters.txt | 4 ++++ + fs/buffer.c | 2 +- + fs/dcache.c | 3 ++- + include/linux/slab.h | 7 +++++++ + include/linux/slab_def.h | 4 ++++ + kernel/fork.c | 2 +- + mm/rmap.c | 6 ++++-- + mm/slab.c | 27 +++++++++++++++++++++++++++ + mm/slab.h | 12 +++++++++++- + mm/slab_common.c | 14 ++++++++++++++ + mm/slob.c | 5 +++++ + mm/slub.c | 11 +++++++++++ + net/core/skbuff.c | 6 ++++-- + security/Kconfig | 23 +++++++++++++++++------ + 14 files changed, 112 insertions(+), 14 deletions(-) + +commit 19e077bfff54ca211d0142c07cb6dd88069a390c +Merge: 960ec51 c8f7f51 +Author: Brad Spengler +Date: Thu Jul 25 19:53:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c8f7f51591207b82530214300e86277028919286 +Merge: d5142e3 81a4648 +Author: Brad Spengler +Date: Thu Jul 25 19:52:29 2013 -0400 + + Update to pax-linux-3.10.3-test3.patch: + - fixed some compile issues reported by Michael Tremer and spender + - fixed an i386 regression with the lower address space gap on i386, reported by cnu + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + kernel/time/tick-broadcast.c + +commit 960ec51ab2142544fbae563d4fd5744775408965 +Author: Al Viro +Date: Sat Jul 20 03:13:55 2013 +0400 + + Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 + + livelock avoidance in sget() + + Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about + to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, + ->s_active is 1. Along comes two more processes, trying to mount the same + thing; sget() in each is picking that superblock, bumping ->s_count and + trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) + finally gets to deactivate_locked_super() on failure; ->s_active is 2, + superblock is still ->fs_supers because shutdown will *not* happen until + ->s_active hits 0. ->s_umount is dropped and now we have two processes + chasing each other: + s_active = 2, A acquired ->s_umount, B blocked + A sees that the damn thing is stillborn, does deactivate_locked_super() + s_active = 1, A drops ->s_umount, B gets it + A restarts the search and finds the same superblock. And bumps it ->s_active. + s_active = 2, B holds ->s_umount, A blocked on trying to get it + ... and we are in the earlier situation with A and B switched places. + + The root cause, of course, is that ->s_active should not grow until we'd + got MS_BORN. Then failing ->mount() will have deactivate_locked_super() + shut the damn thing down. Fortunately, it's easy to do - the key point + is that grab_super() is called only for superblocks currently on ->fs_supers, + so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and + bump ->s_active; we must never increment ->s_count for superblocks past + ->kill_sb(), but grab_super() is never called for those. + + The bug is pretty old; we would've caught it by now, if not for accidental + exclusion between sget() for block filesystems; the things like cgroup or + e.g. mtd-based filesystems don't have anything of that sort, so they get + bitten. The right way to deal with that is obviously to fix sget()... + + Signed-off-by: Al Viro + + fs/super.c | 25 ++++++++++--------------- + 1 files changed, 10 insertions(+), 15 deletions(-) + +commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 +Merge: ab95b58 d5142e3 +Author: Brad Spengler +Date: Sun Jul 21 22:47:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d5142e31785f8c32c7338c51fcc27313bdd4a84e +Merge: f36ae8c 0f4a56e +Author: Brad Spengler +Date: Sun Jul 21 22:47:34 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + +commit ab95b5842899d61ff5c30f4582e72029b3155be8 +Author: Brad Spengler +Date: Sun Jul 21 22:28:40 2013 -0400 + + compile fix with constification reported by Michael Tremer + + drivers/gpu/host1x/drm/dc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 817cd2d1e7a55720326599dd8f542578eef30927 +Author: Hannes Frederic Sowa +Date: Fri Jul 12 23:46:33 2013 +0200 + + Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 + + ipv6: only static routes qualify for equal cost multipathing + + Static routes in this case are non-expiring routes which did not get + configured by autoconf or by icmpv6 redirects. + + To make sure we actually get an ecmp route while searching for the first + one in this fib6_node's leafs, also make sure it matches the ecmp route + assumptions. + + v2: + a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF + already ensures that this route, even if added again without + RTF_EXPIRES (in case of a RA announcement with infinite timeout), + does not cause the rt6i_nsiblings logic to go wrong if a later RA + updates the expiration time later. + + v3: + a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, + because an pmtu event could update the RTF_EXPIRES flag and we would + not count this route, if another route joins this set. We now filter + only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that + don't get changed after rt6_info construction. + + Cc: Nicolas Dichtel + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_fib.c | 15 +++++++++++---- + 1 files changed, 11 insertions(+), 4 deletions(-) + +commit 77db8196d51b043e2e2d124094da101b0f01bccb +Author: Dan Carpenter +Date: Fri Jul 12 09:39:03 2013 +0300 + + Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 + + svcrdma: underflow issue in decode_write_list() + + My static checker marks everything from ntohl() as untrusted and it + complains we could have an underflow problem doing: + + return (u32 *)&ary->wc_array[nchunks]; + + Also on 32 bit systems the upper bound check could overflow. + + Cc: stable@vger.kernel.org + Signed-off-by: Dan Carpenter + Signed-off-by: J. Bruce Fields + + net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ + 1 files changed, 14 insertions(+), 6 deletions(-) + +commit 926473317fd7953137ef97835edd36dabc584b01 +Author: Brad Spengler +Date: Wed Jul 17 21:29:02 2013 -0400 + + add missing asm/pgtable.h include, reported by Michael Tremer + + drivers/clk/socfpga/clk.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c592ae0001b31932ef1491784dfa374058797c66 +Author: Brad Spengler +Date: Tue Jul 16 20:40:24 2013 -0400 + + allow viewing of ecryptfs version under SYSFS_RESTRICT + + fs/sysfs/dir.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 +Merge: 9c96441 f36ae8c +Author: Brad Spengler +Date: Sun Jul 14 19:23:13 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f36ae8c741ae32b1caff10825be12c327792c925 +Author: Brad Spengler +Date: Sun Jul 14 19:22:15 2013 -0400 + + Update to pax-linux-3.10-test2.patch: + - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer + - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer + - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer + - spender fixed an madvise regression, reported by Peter Keel + - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) + - fixed a headers_install regression, reported by Mathias Krause + - fixed a SLOB compile regression, reported by Mathias Krause + + arch/arm/include/asm/uaccess.h | 4 ++-- + arch/arm/mm/mmu.c | 15 +++++++++++++-- + drivers/clk/socfpga/clk.c | 6 ++++-- + mm/madvise.c | 4 ++-- + mm/slab.c | 4 ++-- + mm/slob.c | 4 ++-- + scripts/headers_install.sh | 2 +- + 7 files changed, 26 insertions(+), 13 deletions(-) + +commit 9c9644156a49637050741d9165df79174e59b0ef +Author: Brad Spengler +Date: Sun Jul 14 19:19:54 2013 -0400 + + Fix sparc64 compilation, reported by Blake Self + + arch/sparc/kernel/sys_sparc_64.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 +Author: Brad Spengler +Date: Sun Jul 14 11:49:17 2013 -0400 + + Update PaX fix, just return the error + + mm/madvise.c | 15 +++++++-------- + 1 files changed, 7 insertions(+), 8 deletions(-) + +commit a10e377d0eddd37e8a3665b135e546ab03d9d171 +Author: Brad Spengler +Date: Sun Jul 14 11:36:00 2013 -0400 + + Fix madvise oops reported by Peter Keel + + mm/madvise.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +commit 08c5adca34d408772255b313f90d82c250c1d967 +Author: Brad Spengler +Date: Sun Jul 14 11:26:34 2013 -0400 + + don't make high vector mapping non-present on old ARM architectures, no + point in emulating some vector entries when the processor doesn't even support XN + + arch/arm/mm/mmu.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 2b40781d4197a89a003616af584884e36361c5b2 +Author: Brad Spengler +Date: Sun Jul 14 09:51:58 2013 -0400 + + Temporary compile fix for code incorrectly modifying const data + Wrap a cast version of the code with open/close + + Thanks to Michael Tremer for the report + + drivers/clk/socfpga/clk.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit a8258c1b4098c396cd4ea719e20858182feac1c1 +Author: Brad Spengler +Date: Sun Jul 14 09:41:16 2013 -0400 + + Fix missing right parens in pipacs' "improvement" of my ARM code ;) + Thanks to Michael Tremer for reporting + + arch/arm/include/asm/uaccess.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 8542e1e973be7cc9a009d2ada8033576b2890e6f +Merge: 86f446e 2577f8e +Author: Brad Spengler +Date: Sat Jul 13 20:46:58 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + mm/memcontrol.c + +commit 2577f8e4ec41efb347706a59c6838de20f0c90da +Merge: 75a36f0 cb5d8be +Author: Brad Spengler +Date: Sat Jul 13 20:43:42 2013 -0400 + + Merge branch 'linux-3.10.y' into pax-test + + Conflicts: + crypto/algapi.c + drivers/block/nbd.c + +commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 +Author: Brad Spengler +Date: Fri Jul 12 23:02:11 2013 -0400 + + we always want the vector page to be noaccess for userland + therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY + which turns into supervisor rwx, userland rx, we instead omit that entirely, + leaving it as supervisor rwx only + + Fixes booting on ARMv5 and earlier, which need to write directly + to the high vector mapping via set_tls when context switching + + Thanks to Michael Tremer for the bugreport + + arch/arm/mm/mmu.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +commit 90cd0827eef656ec884f19c977873fefe2f2e47d +Author: Cong Wang +Date: Sat Jun 29 12:02:59 2013 +0800 + + Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 + + gre: fix a regression in ioctl + + When testing GRE tunnel, I got: + + # ip tunnel show + get tunnel gre0 failed: Invalid argument + get tunnel gre1 failed: Invalid argument + + This is a regression introduced by commit c54419321455631079c7d + ("GRE: Refactor GRE tunneling code.") because previously we + only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, + after that commit, the check is moved for all commands. + + So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. + + After this patch I got: + + # ip tunnel show + gre0: gre/ip remote any local any ttl inherit nopmtudisc + gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit + + Cc: Pravin B Shelar + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + net/ipv4/ip_gre.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 +Author: Cong Wang +Date: Sat Jun 29 13:00:57 2013 +0800 + + Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 + + vti: remove duplicated code to fix a memory leak + + vti module allocates dev->tstats twice: in vti_fb_tunnel_init() + and in vti_tunnel_init(), this lead to a memory leak of + dev->tstats. + + Just remove the duplicated operations in vti_fb_tunnel_init(). + + (candidate for -stable) + + Cc: Stephen Hemminger + Cc: Saurabh Mohan + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Acked-by: Stephen Hemminger + Signed-off-by: David S. Miller + + net/ipv4/ip_vti.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd +Author: Michal Schmidt +Date: Mon Jul 1 17:23:05 2013 +0200 + + Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a + + bnx2x: remove zeroing of dump data buffer + + There is no need to initialize the dump data with zeros. + data is allocated with vzalloc, so it's already zero-filled. + + More importantly, the memset is harmful, because dump->len (the length + requested by userspace) can be bigger than the allocated buffer (whose + size is determined by asking the driver's .get_dump_flag method). + + Signed-off-by: Michal Schmidt + Signed-off-by: David S. Miller + + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit c771072b72c261f9bddd6734dca6979c1b96e7df +Author: Michal Schmidt +Date: Mon Jul 1 17:23:06 2013 +0200 + + Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 + + bnx2x: fix dump flag handling + + bnx2x interprets the dump flag as an index of a register preset. + It is important to validate the index to avoid out of bounds + memory accesses. + + Signed-off-by: Michal Schmidt + Signed-off-by: David S. Miller + + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ + 2 files changed, 5 insertions(+), 0 deletions(-) + +commit aed315c8fad9b2044143b46b239574b1b72135ce +Author: Michal Schmidt +Date: Mon Jul 1 17:23:30 2013 +0200 + + Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 + + ethtool: make .get_dump_data() harder to misuse by drivers + + As the patch "bnx2x: remove zeroing of dump data buffer" showed, + it is too easy implement .get_dump_data incorrectly in a driver. + + Let's make sure drivers cannot get confused by userspace requesting + a too big dump. + + Also WARN if the driver sets dump->len to something weird and make + sure the length reported to userspace is the actual length of data + copied to userspace. + + Signed-off-by: Michal Schmidt + Reviewed-by: Ben Hutchings + Signed-off-by: David S. Miller + + net/core/ethtool.c | 21 ++++++++++++++++++++- + 1 files changed, 20 insertions(+), 1 deletions(-) + +commit 5c57991e66216e386dcc875d34c33f0edd038569 +Author: Wei Yongjun +Date: Tue Jul 2 09:02:07 2013 +0800 + + Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd + + l2tp: add missing .owner to struct pppox_proto + + Add missing .owner of struct pppox_proto. This prevents the + module from being removed from underneath its users. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 +Author: Benjamin Herrenschmidt +Date: Sun Jun 30 14:37:11 2013 +1000 + + Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 + + cxgb3: Missing rtnl lock in error recovery + + When exercising error injection on IBM pseries machine, I hit the + following warning: + + [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 + [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) + [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 + [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) + [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 + [ 254.895474] Call Trace: + [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) + [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c + [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 + [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] + [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] + [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 + [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 + [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 + [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 + [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 + [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 + + It appears that t3_resume_ports() is called with the rtnl_lock held from + the fatal error task but not from the PCI error callbacks. This fixes it. + + Signed-off-by: Benjamin Herrenschmidt + Signed-off-by: David S. Miller + + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 +Author: Hannes Frederic Sowa +Date: Mon Jul 1 20:21:30 2013 +0200 + + Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 + + ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data + + We accidentally call down to ip6_push_pending_frames when uncorking + pending AF_INET data on a ipv6 socket. This results in the following + splat (from Dave Jones): + + skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:126! + invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth + +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c + CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 + task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 + RIP: 0010:[] [] skb_panic+0x63/0x65 + RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 + RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 + RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 + RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 + R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 + FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 + Stack: + ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 + ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 + ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 + Call Trace: + [] skb_push+0x3a/0x40 + [] ip6_push_pending_frames+0x1f6/0x4d0 + [] ? mark_held_locks+0xbb/0x140 + [] udp_v6_push_pending_frames+0x2b9/0x3d0 + [] ? udplite_getfrag+0x20/0x20 + [] udp_lib_setsockopt+0x1aa/0x1f0 + [] ? fget_light+0x387/0x4f0 + [] udpv6_setsockopt+0x34/0x40 + [] sock_common_setsockopt+0x14/0x20 + [] SyS_setsockopt+0x71/0xd0 + [] tracesys+0xdd/0xe2 + Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 + RIP [] skb_panic+0x63/0x65 + RSP + + This patch adds a check if the pending data is of address family AF_INET + and directly calls udp_push_ending_frames from udp_v6_push_pending_frames + if that is the case. + + This bug was found by Dave Jones with trinity. + + (Also move the initialization of fl6 below the AF_INET check, even if + not strictly necessary.) + + Cc: Dave Jones + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + include/net/udp.h | 1 + + net/ipv4/udp.c | 3 ++- + net/ipv6/udp.c | 7 ++++++- + 3 files changed, 9 insertions(+), 2 deletions(-) + +commit cd83094a85d9bbd5a67332156407d53cf8835432 +Author: Hannes Frederic Sowa +Date: Tue Jul 2 08:04:05 2013 +0200 + + Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be + + ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size + + If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track + of this when appending the second frame on a corked socket. This results + in the following splat: + + [37598.993962] ------------[ cut here ]------------ + [37598.994008] kernel BUG at net/core/skbuff.c:2064! + [37598.994008] invalid opcode: 0000 [#1] SMP + [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat + +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi + +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm + [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc + +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video + [37598.994008] CPU 0 + [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG + [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 + [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 + [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 + [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 + [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 + [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 + [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 + [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 + [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 + [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) + [37598.994008] Stack: + [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 + [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 + [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 + [37598.994008] Call Trace: + [37598.994008] [] ip6_append_data+0xccf/0xfe0 + [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 + [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 + [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 + [37598.994008] [] ? sock_has_perm+0x75/0x90 + [37598.994008] [] inet_sendmsg+0x63/0xb0 + [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 + [37598.994008] [] sock_sendmsg+0xb0/0xe0 + [37598.994008] [] ? __switch_to+0x181/0x4a0 + [37598.994008] [] sys_sendto+0x12d/0x180 + [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 + [37598.994008] [] ? syscall_trace_enter+0x231/0x240 + [37598.994008] [] tracesys+0xdd/0xe2 + [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 + [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 + [37598.994008] RSP + [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- + + While there, also check if path mtu discovery is activated for this + socket. The logic was adapted from ip6_append_data when first writing + on the corked socket. + + This bug was introduced with commit + 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec + fragment"). + + v2: + a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. + b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao + feng, thanks!). + c) Change mtu to unsigned int, else we get a warning about + non-matching types because of the min()-macro type-check. + + Acked-by: Gao feng + Cc: YOSHIFUJI Hideaki + Signed-off-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 16 ++++++++++------ + 1 files changed, 10 insertions(+), 6 deletions(-) + +commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c +Author: Michael S. Tsirkin +Date: Sun Jul 7 14:26:53 2013 +0300 + + Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 + + vhost-net: fix use-after-free in vhost_net_flush + + vhost_net_ubuf_put_and_wait has a confusing name: + it will actually also free it's argument. + Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 + "vhost-net: flush outstanding DMAs on memory change" + vhost_net_flush tries to use the argument after passing it + to vhost_net_ubuf_put_and_wait, this results + in use after free. + To fix, don't free the argument in vhost_net_ubuf_put_and_wait, + add an new API for callers that want to free ubufs. + + Acked-by: Asias He + Acked-by: Jason Wang + Signed-off-by: Michael S. Tsirkin + Signed-off-by: David S. Miller + + drivers/vhost/net.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 088806db74ac2f08c106202bc5498585a9ee529f +Author: Michal Hocko +Date: Mon Jul 8 16:00:29 2013 -0700 + + Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b + + memcg, kmem: fix reference count handling on the error path + + mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. + This is not correct because only memcg_propagate_kmem takes an + additional reference while mem_cgroup_sockets_init is allowed to fail as + well (although no current implementation fails) but it doesn't take any + reference. This all suggests that it should be memcg_propagate_kmem + that should clean up after itself so this patch moves mem_cgroup_put + over there. + + Unfortunately this is not that easy (as pointed out by Li Zefan) because + memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is + marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if + memcg_propagate_kmem fails so the additional reference is dropped in + that case in kmem_cgroup_destroy which means that the reference would be + dropped two times. + + The easiest way then would be to simply remove mem_cgrroup_put from + mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right + thing. + + Signed-off-by: Michal Hocko + Signed-off-by: Li Zefan + Acked-by: KAMEZAWA Hiroyuki + Cc: Hugh Dickins + Cc: Tejun Heo + Cc: Glauber Costa + Cc: Johannes Weiner + Cc: [3.8] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/memcontrol.c | 8 -------- + 1 files changed, 0 insertions(+), 8 deletions(-) + +commit 08bfb6e700d13886ed722c2236e1ec10f03a95df +Author: Michal Hocko +Date: Mon Jul 8 16:00:27 2013 -0700 + + Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 + + Revert "memcg: avoid dangling reference count in creation failure" + + This reverts commit e4715f01be697a. + + mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops + an additional reference from all parents so the additional + mem_cgrroup_put(parent) potentially causes use-after-free. + + Signed-off-by: Michal Hocko + Signed-off-by: Li Zefan + Acked-by: KAMEZAWA Hiroyuki + Cc: Hugh Dickins + Cc: Tejun Heo + Cc: Glauber Costa + Cc: Johannes Weiner + Cc: [3.9+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/memcontrol.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +commit 3267ec559f48327a1836eccecd53215afc5810d0 +Author: Tyler Hicks +Date: Thu Jun 20 13:13:59 2013 -0700 + + Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e + + libceph: Fix NULL pointer dereference in auth client code + + A malicious monitor can craft an auth reply message that could cause a + NULL function pointer dereference in the client's kernel. + + To prevent this, the auth_none protocol handler needs an empty + ceph_auth_client_ops->build_request() function. + + CVE-2013-1059 + + Signed-off-by: Tyler Hicks + Reported-by: Chanam Park + Reviewed-by: Seth Arnold + Reviewed-by: Sage Weil + Cc: stable@vger.kernel.org + + net/ceph/auth_none.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit cdfeb4049e7cb38702215b2c356ce0407974ac79 +Author: Eric Paris +Date: Wed Jul 3 15:08:29 2013 -0700 + + Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 + + fork: reorder permissions when violating number of processes limits + + When a task is attempting to violate the RLIMIT_NPROC limit we have a + check to see if the task is sufficiently priviledged. The check first + looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. + + A result is that tasks which are allowed by the uid=0 check are first + checked against the security subsystem. This results in the security + subsystem auditting a denial for sys_admin and sys_resource and then the + task passing the uid=0 check. + + This patch rearranges the code to first check uid=0, since if we pass that + we shouldn't hit the security system at all. We then check sys_resource, + since it is the smallest capability which will solve the problem. Lastly + we check the fallback everything cap_sysadmin. We don't want to give this + capability many places since it is so powerful. + + This will eliminate many of the false positive/needless denial messages we + get when a root task tries to violate the nproc limit. (note that + kthreads count against root, so on a sufficiently large machine we can + actually get past the default limits before any userspace tasks are + launched.) + + Signed-off-by: Eric Paris + Cc: Al Viro + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/fork.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 08c87e049c8a50707908785d950fd48c334f4c09 +Author: Chen Gang +Date: Sat Jun 22 13:26:09 2013 +0800 + + Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 + + arch: sparc: kernel: check the memory length before use strcpy(). + + For the related next strcpy(), the destination length is less than 512, + but the source maximize length may be 'OPROMMAXPARAM' (4096) which is + more than 512. + + One work flow may: + openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) + getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. + opromsetopt() -> devide the buffer into 'var' and 'value' + of_set_property() -> pass + prom_setprop() -> pass + ldom_set_var() + + And do not mind the additional 4 alignment buffer increasing, since + 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. + + Signed-off-by: Chen Gang + Signed-off-by: David S. Miller + + arch/sparc/kernel/ds.c | 10 ++++++++++ + 1 files changed, 10 insertions(+), 0 deletions(-) + +commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 +Author: Brad Spengler +Date: Fri Jul 12 20:38:45 2013 -0400 + + Fix SLAB boot errors due to PAX_USERCOPY reported on the forums + + Unlike slub, slab can initally create two of the kmalloc_caches + which will be used later for generic kmallocs of their particular + aligned size (since the later loop in the unified allocator code + skips any already-existing kmalloc_caches) + + mm/slab.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 +Author: Brad Spengler +Date: Tue Jul 9 22:04:59 2013 -0400 + + compile fixes + + fs/exec.c | 2 +- + mm/mmap.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit e2d027c7e0f106be683c0c72482b8285daefcbe6 +Author: Brad Spengler +Date: Tue Jul 9 20:58:40 2013 -0400 + + commit successful merges + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 3 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/signal.c | 9 +- + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 9 +- + arch/x86/kernel/sys_x86_64.c | 8 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 1 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 129 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/block/cpqarray.c | 1 + + drivers/cdrom/cdrom.c | 4 +- + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/mwave/tp3780i.c | 1 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 9 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 184 ++- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/resize.c | 17 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 234 ++- + fs/namespace.c | 16 + + fs/notify/fanotify/fanotify_user.c | 1 + + fs/open.c | 38 + + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 ++- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 4 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/perf_event.h | 13 +- + include/linux/printk.h | 3 +- + include/linux/sched.h | 24 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/events/core.c | 14 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 64 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 2 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 7 + + kernel/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 70 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 1 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 63 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev_ioctl.c | 4 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 4 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netrom/af_netrom.c | 1 - + net/phonet/af_phonet.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 343 +++- + security/apparmor/Kconfig | 9 + + security/apparmor/apparmorfs.c | 231 ++ + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 242 files changed, 4385 insertions(+), 2042 deletions(-) + +commit 043a378c0f72ed92cc30182c48abce39867ac93f +Author: Brad Spengler +Date: Tue Jul 9 20:57:40 2013 -0400 + + Commit merge of new files and rejected patches + + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/kernel/process.c | 4 +- + arch/powerpc/include/asm/thread_info.h | 7 +- + arch/powerpc/mm/slice.c | 2 +- + arch/sparc/kernel/process_64.c | 4 +- + arch/x86/kernel/vm86_32.c | 15 + + fs/coredump.c | 1 + + fs/ext4/balloc.c | 4 +- + fs/namei.c | 7 + + fs/namespace.c | 8 + + fs/pipe.c | 2 +- + fs/proc/inode.c | 13 + + fs/proc/internal.h | 3 + + grsecurity/Kconfig | 1054 +++++++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 ++++ + grsecurity/gracl_ip.c | 387 +++ + grsecurity/gracl_learn.c | 207 ++ + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 +++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 +++ + grsecurity/grsec_disabled.c | 434 ++++ + grsecurity/grsec_exec.c | 187 ++ + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 +++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 +++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 246 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 ++++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/gracl.h | 319 +++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 ++ + include/linux/grinternal.h | 227 ++ + include/linux/grmsg.h | 112 + + include/linux/grsecurity.h | 241 ++ + include/linux/grsock.h | 19 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/proc_fs.h | 13 + + include/linux/sched.h | 48 +- + include/trace/events/fs.h | 53 + + kernel/kmod.c | 7 +- + kernel/panic.c | 2 +- + kernel/posix-timers.c | 1 + + kernel/time/timekeeping.c | 2 + + lib/Kconfig.debug | 2 +- + lib/vsprintf.c | 31 + + localversion-grsec | 1 + + mm/mmap.c | 13 +- + mm/shmem.c | 2 +- + net/core/net-procfs.c | 5 + + net/ipv6/udp.c | 3 + + net/netfilter/xt_gradm.c | 51 + + 66 files changed, 11184 insertions(+), 21 deletions(-) + +commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 +Author: Brad Spengler +Date: Tue Jul 9 17:35:47 2013 -0400 + + Initial import of pax-linux-3.10-test1.patch + + Documentation/dontdiff | 46 +- + Documentation/kernel-parameters.txt | 12 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 444 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/psci.h | 2 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 8 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 14 +- + arch/arm/kernel/psci.c | 2 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 15 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- + arch/arm/mach-ux500/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 91 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 30 +- + arch/arm/mm/mmu.c | 187 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 13 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 + + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 4 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/efi_stub_32.S | 16 +- + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 22 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 4 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 +- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 67 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page.h | 1 + + arch/x86/include/asm/page_64.h | 4 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 122 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 33 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/crash_dump_64.c | 2 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 28 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 61 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 +- + arch/x86/kernel/entry_64.S | 548 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 13 +- + arch/x86/kernel/head_32.S | 237 +- + arch/x86/kernel/head_64.S | 143 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 55 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 2 + + arch/x86/kernel/setup.c | 21 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 184 + + arch/x86/kernel/sys_x86_64.c | 22 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 4 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 61 +- + arch/x86/kvm/x86.c | 8 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 70 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 363 +- + arch/x86/lib/usercopy_64.c | 13 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 556 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 98 +- + arch/x86/mm/init_32.c | 113 +- + arch/x86/mm/init_64.c | 38 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pat_rbtree.c | 2 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 24 + + arch/x86/platform/efi/efi_64.c | 10 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 11 +- + arch/x86/realmode/init.c | 10 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/Makefile | 2 +- + arch/x86/tools/relocs.c | 94 +- + arch/x86/um/tls_32.c | 2 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/genhd.c | 11 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/algapi.c | 2 +- + crypto/cryptd.c | 4 +- + crypto/pcrypt.c | 6 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/attribute_container.c | 2 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 8 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/sysfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/nbd.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 11 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 4 +- + drivers/char/hpet.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 45 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clk/clk-composite.c | 2 +- + drivers/clocksource/arm_arch_timer.c | 2 +- + drivers/clocksource/metag_generic.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 6 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_ondemand.c | 8 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 6 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efi/efi.c | 12 +- + drivers/firmware/efi/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 4 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/iio_hwmon.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/i2c/i2c-dev.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 12 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bcache/closure.h | 2 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/chromeos_laptop.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/vhost/vringh.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/output.c | 2 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_addr.c | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 12 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 607 ++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 12 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/exec.c | 362 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 4 +- + fs/fhandle.c | 3 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 4 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/lockd/svc.c | 2 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 10 +- + fs/nfs/callback.c | 4 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfs/nfs4state.c | 2 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 9 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 61 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/proc/vmcore.c | 12 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/read_write.c | 2 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 40 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/clk-provider.h | 1 + + include/linux/compat.h | 4 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpu.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 4 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 15 + + include/linux/math64.h | 6 +- + include/linux/mm.h | 116 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 12 +- + include/linux/pipe_fs_i.h | 8 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-ohci-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/proc_ns.h | 2 +- + include/linux/random.h | 5 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 65 +- + include/linux/sched/sysctl.h | 1 + + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 42 +- + include/linux/slab_def.h | 28 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 8 +- + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 10 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 12 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/netns/ipv6.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/compress_driver.h | 2 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 30 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 42 +- + init/main.c | 83 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditfilter.c | 2 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 38 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 30 +- + kernel/events/internal.h | 10 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 11 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 22 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 76 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 51 +- + kernel/sched/fair.c | 4 +- + kernel/sched/sched.h | 2 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 18 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 6 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 18 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 2 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + kernel/workqueue.c | 2 +- + lib/Kconfig.debug | 8 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 6 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/usercopy.c | 6 + + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/backing-dev.c | 4 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 15 +- + mm/mmap.c | 606 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 4 +- + mm/page_alloc.c | 41 +- + mm/page_io.c | 2 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 79 +- + mm/slab.h | 5 +- + mm/slab_common.c | 46 +- + mm/slob.c | 201 +- + mm/slub.c | 79 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 77 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_core.c | 8 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/devinet.c | 18 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 18 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 12 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 8 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 16 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 4 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_proto_dccp.c | 4 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 29 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.sh | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 676 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/internal.h | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/core/sound.c | 2 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + sound/soc/fsl/fsl_ssi.c | 2 +- + sound/sound_core.c | 2 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 172 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 560 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 ++ + tools/gcc/latent_entropy_plugin.c | 327 ++ + tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2114 +++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 277 + + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1607 files changed, 30734 insertions(+), 7318 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 +Author: Brad Spengler +Date: Thu Jul 4 23:05:14 2013 -0400 + + always enforce a non-zero gap for RAND_THREADSTACK + + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 40d67e38a42d4e94b43b3d7400addc662b9857dc +Author: Brad Spengler +Date: Thu Jul 4 16:09:28 2013 -0400 + + fix up file comparisons + + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_sig.c | 4 ++-- + include/linux/grinternal.h | 12 ++++++++++++ + 3 files changed, 15 insertions(+), 3 deletions(-) + +commit a1fff2c95162314626dd96bec71d951a8c1c4708 +Author: Brad Spengler +Date: Thu Jul 4 15:33:18 2013 -0400 + + fix suid binary matching + + grsecurity/grsec_sig.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 00131c458eea5200971c8fc326e90fdb6c2d0baa +Merge: 37b97a9 47beb61 +Author: Brad Spengler +Date: Thu Jul 4 15:02:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 +Author: Brad Spengler +Date: Thu Jul 4 15:01:37 2013 -0400 + + Update to pax-linux-3.9.9-test13.patch: + - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) + - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) + + arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- + arch/arm/kernel/armksyms.c | 2 +- + arch/arm/kernel/entry-armv.S | 4 ++-- + arch/arm/mm/Kconfig | 2 +- + arch/x86/ia32/ia32entry.S | 4 ++-- + arch/x86/include/asm/page.h | 1 + + arch/x86/kernel/entry_32.S | 4 ++-- + arch/x86/kernel/entry_64.S | 8 ++++---- + arch/x86/kernel/head64.c | 12 ++++++------ + arch/x86/kernel/head_64.S | 16 ++++++++++++---- + arch/x86/mm/init.c | 8 ++++++++ + arch/x86/mm/init_32.c | 6 ------ + arch/x86/mm/init_64.c | 6 ------ + arch/x86/platform/efi/efi_32.c | 5 +++++ + arch/x86/platform/efi/efi_64.c | 10 ++++++++++ + 15 files changed, 64 insertions(+), 44 deletions(-) + +commit 89085d2d0643813a62f23d1199a335dc1e129bc0 +Merge: 963af7f 0adf2e7 +Author: Brad Spengler +Date: Thu Jul 4 14:55:44 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 +Author: Brad Spengler +Date: Thu Jul 4 13:46:02 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 +Author: Brad Spengler +Date: Thu Jul 4 13:29:51 2013 -0400 + + update log arguments + + grsecurity/grsec_sig.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 +Author: Brad Spengler +Date: Thu Jul 4 13:20:23 2013 -0400 + + Update logging of suid exec ban + + Conflicts: + + grsecurity/grsec_sig.c + + grsecurity/grsec_sig.c | 3 +-- + include/linux/grmsg.h | 1 + + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit ef808866c070aa1901bd2224521baaf5d145a3a7 +Author: Brad Spengler +Date: Thu Jul 4 12:58:33 2013 -0400 + + Additional improvements to the user banning code: + + Separate the kernel-bruteforcing case from the suid bruteforcing case + In the suid bruteforcing case, only kill existing copies of the bruteforced + binary. Instead of preventing all future execs by this user, prevent them + from executing any suid/sgid binaries for the next 15 minutes. + + Kernel case is mostly unchanged from before, except the task trying to change + real uid to the banned user will be terminated instead of failing the setuid + call. + + Configuration help has been updated to reflect the new changes. + + fs/exec.c | 13 +++++--- + grsecurity/Kconfig | 5 ++- + grsecurity/gracl.c | 6 ++-- + grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ + include/linux/grsecurity.h | 1 - + include/linux/sched.h | 9 +++-- + 6 files changed, 65 insertions(+), 45 deletions(-) + +commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 +Author: Brad Spengler +Date: Wed Jul 3 16:14:09 2013 -0400 + + fix renamed export of csum_partial_copy_from_user, as reported by fabled + on the forums + + arch/arm/kernel/armksyms.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 318235973c2a548c3d25562645d6b69f66e85934 +Author: Brad Spengler +Date: Wed Jul 3 16:09:16 2013 -0400 + + make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error + reported on the forums by fabled + + arch/arm/mm/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b569a7f60fab7a522d8c142765c8b847bbce8a1e +Author: Brad Spengler +Date: Wed Jul 3 15:53:12 2013 -0400 + + Revise the user ban code to kill the process issuing a banned + set*id instead of returning an error. For the sake of keeping + unified user banning between the suid and kernel bruteforce case, + we will apply this killing to the suid bruteforce case, despite + a check just at exec time (that already existed) being sufficient. + + Returning an error could enable exploitation of the "failure to check + setuid return value" case which was recently effectively closed + upstream, albeit in a rare situation with a suitable binary and + two colluding users. + + Many thanks to stealth for reviewing the user ban code. + + grsecurity/gracl.c | 4 ++-- + grsecurity/grsec_sig.c | 16 +++++++++++++--- + 2 files changed, 15 insertions(+), 5 deletions(-) + +commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f +Author: Artem Bityutskiy +Date: Fri Jun 28 14:15:15 2013 +0300 + + Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d + + UBIFS: fix a horrid bug + + Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no + mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are + in the middle of 'ubifs_readdir()'. + + This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses + it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, + but this may corrupt memory and lead to all kinds of problems like crashes an + security holes. + + This patch fixes the problem by using the 'file->f_version' field, which + '->llseek()' always unconditionally sets to zero. We set it to 1 in + 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a + seek and it is time to clear the state saved in 'file->private_data'. + + I tested this patch by writing a user-space program which runds readdir and + seek in parallell. I could easily crash the kernel without these patches, but + could not crash it with these patches. + + Cc: stable@vger.kernel.org + Reported-by: Al Viro + Tested-by: Artem Bityutskiy + Signed-off-by: Artem Bityutskiy + Signed-off-by: Al Viro + + fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- + 1 files changed, 27 insertions(+), 3 deletions(-) + +commit c22280b85088978bd8b45bd23096879459b48008 +Author: Stephane Eranian +Date: Thu Jun 20 11:36:28 2013 +0200 + + Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 + + perf: Disable monitoring on setuid processes for regular users + + There was a a bug in setup_new_exec(), whereby + the test to disabled perf monitoring was not + correct because the new credentials for the + process were not yet committed and therefore + the get_dumpable() test was never firing. + + The patch fixes the problem by moving the + perf_event test until after the credentials + are committed. + + Signed-off-by: Stephane Eranian + Tested-by: Jiri Olsa + Acked-by: Peter Zijlstra + Cc: + Signed-off-by: Ingo Molnar + + fs/exec.c | 16 +++++++++------- + 1 files changed, 9 insertions(+), 7 deletions(-) + +commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 +Author: Brad Spengler +Date: Sat Jun 29 13:10:02 2013 -0400 + + on context switch, make sure we switch DACR when domain support and + KERNEXEC is disabled but UDEREF is enabled + + arch/arm/kernel/entry-armv.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 08d017fa51370921694ce087b28c96fec92993d4 +Author: Michael S. Tsirkin +Date: Sun Jun 23 17:26:58 2013 +0300 + + Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 + + macvtap: fix recovery from gup errors + + get user pages might fail partially in macvtap zero copy + mode. To recover we need to put all pages that we got, + but code used a wrong index resulting in double-free + errors. + + Reported-by: Brad Hubbard + Signed-off-by: Michael S. Tsirkin + Acked-by: Jason Wang + Signed-off-by: David S. Miller + + drivers/net/macvtap.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be +Author: Michael S. Tsirkin +Date: Sun Jun 23 17:19:03 2013 +0300 + + Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 + + tun: fix recovery from gup errors + + get user pages might fail partially in tun zero copy + mode. To recover we need to put all pages that we got, + but code used a wrong index resulting in double-free + errors. + + Reported-by: Brad Hubbard + Signed-off-by: Michael S. Tsirkin + Acked-by: Jason Wang + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + drivers/net/tun.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 +Author: Balazs Peter Odor +Date: Sat Jun 22 19:24:43 2013 +0200 + + Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 + + netfilter: nf_nat_sip: fix mangling + + In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) + there were some missing brackets around the logging information, thus + always returning drop. + + Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 + + Signed-off-by: Balazs Peter Odor + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nf_nat_sip.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 +Author: Anderson Lizardo +Date: Sun Jun 2 16:30:40 2013 -0400 + + Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d + + Bluetooth: Fix crash in l2cap_build_cmd() with small MTU + + If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus + controller, memory corruption happens due to a memcpy() call with + negative length. + + Fix this crash on either incoming or outgoing connections with a MTU + smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: + + [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 + [ 46.888037] IP: [] memcpy+0x1d/0x40 + [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 + [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC + [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common + [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 + [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 + [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] + [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 + [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 + [ 46.888037] EIP is at memcpy+0x1d/0x40 + [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 + [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c + [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 + [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 + [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 + [ 46.888037] DR6: ffff0ff0 DR7: 00000400 + [ 46.888037] Stack: + [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 + [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 + [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 + [ 46.888037] Call Trace: + [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] + [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] + [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] + [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 + [ 46.888037] [] ? mark_held_locks+0x68/0x110 + [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 + [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 + [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 + [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 + [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 + [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] + [ 46.888037] [] ? mark_held_locks+0x68/0x110 + [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 + [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 + [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] + [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] + [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] + [ 46.888037] [] process_one_work+0x1a9/0x600 + [ 46.888037] [] ? process_one_work+0x12b/0x600 + [ 46.888037] [] ? worker_thread+0x19e/0x320 + [ 46.888037] [] ? worker_thread+0x19e/0x320 + [ 46.888037] [] worker_thread+0xf7/0x320 + [ 46.888037] [] ? rescuer_thread+0x290/0x290 + [ 46.888037] [] kthread+0xa8/0xb0 + [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 + [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 + [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 + [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c + [ 46.888037] CR2: 00000000f56ad000 + [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- + + Signed-off-by: Anderson Lizardo + Cc: stable@vger.kernel.org + Signed-off-by: Gustavo Padovan + Signed-off-by: John W. Linville + + net/bluetooth/l2cap_core.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit b0471b6c1160858fc646d8e94628fd1299f61692 +Author: Jaganath Kanakkassery +Date: Fri Jun 21 19:55:11 2013 +0530 + + Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 + + Bluetooth: Fix invalid length check in l2cap_information_rsp() + + The length check is invalid since the length varies with type of + info response. + + This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 + + Because of this, l2cap info rsp is not handled and command reject is sent. + + > ACL data: handle 11 flags 0x02 dlen 16 + L2CAP(s): Info rsp: type 2 result 0 + Extended feature mask 0x00b8 + Enhanced Retransmission mode + Streaming mode + FCS Option + Fixed Channels + < ACL data: handle 11 flags 0x00 dlen 10 + L2CAP(s): Command rej: reason 0 + Command not understood + + Cc: stable@vger.kernel.org + Signed-off-by: Jaganath Kanakkassery + Signed-off-by: Chan-Yeol Park + Acked-by: Johan Hedberg + Signed-off-by: Gustavo Padovan + + net/bluetooth/l2cap_core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4184af98c360d825e638b268b1a9847232e8d299 +Author: Eric Dumazet +Date: Wed Jun 26 04:15:07 2013 -0700 + + Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 + + ipv6: ip6_sk_dst_check() must not assume ipv6 dst + + It's possible to use AF_INET6 sockets and to connect to an IPv4 + destination. After this, socket dst cache is a pointer to a rtable, + not rt6_info. + + ip6_sk_dst_check() should check the socket dst cache is IPv6, or else + various corruptions/crashes can happen. + + Dave Jones can reproduce immediate crash with + trinity -q -l off -n -c sendmsg -c connect + + With help from Hannes Frederic Sowa + + Reported-by: Dave Jones + Reported-by: Hannes Frederic Sowa + Signed-off-by: Eric Dumazet + Acked-by: Hannes Frederic Sowa + Signed-off-by: David S. Miller + + net/ipv6/ip6_output.c | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletions(-) + +commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 +Author: Zefan Li +Date: Wed Jun 26 15:29:54 2013 +0800 + + Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 + + dlci: acquire rtnl_lock before calling __dev_get_by_name() + + Otherwise the net device returned can be freed at anytime. + + Signed-off-by: Li Zefan + Cc: stable@vger.kernel.org + Signed-off-by: David S. Miller + + drivers/net/wan/dlci.c | 14 +++++++++----- + 1 files changed, 9 insertions(+), 5 deletions(-) + +commit 1fe6f23c9acd14d832d056909ff326bde418e645 +Author: Zefan Li +Date: Wed Jun 26 15:31:58 2013 +0800 + + Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a + + dlci: validate the net device in dlci_del() + + We triggered an oops while running trinity with 3.4 kernel: + + BUG: unable to handle kernel paging request at 0000000100000d07 + IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] + PGD 640c0d067 PUD 0 + Oops: 0000 [#1] PREEMPT SMP + CPU 3 + ... + Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA + RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] + ... + Call Trace: + [] sock_ioctl+0x153/0x280 + [] do_vfs_ioctl+0xa4/0x5e0 + [] ? fget_light+0x3ea/0x490 + [] sys_ioctl+0x4f/0x80 + [] system_call_fastpath+0x16/0x1b + ... + + It's because the net device is not a dlci device. + + Reported-by: Li Jinyue + Signed-off-by: Li Zefan + Cc: stable@vger.kernel.org + Signed-off-by: David S. Miller + + drivers/net/wan/dlci.c | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +commit 4d4464407611527ef6b6b5475cfcab6121b3da66 +Merge: 59571a9 963af7f +Author: Brad Spengler +Date: Thu Jun 27 18:54:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 963af7f7f591759b731ce6325ceb583a72fcf423 +Merge: c51e25a 55db48a +Author: Brad Spengler +Date: Thu Jun 27 18:54:42 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 59571a9db7485f530a1e865a13cacc4c991ec41f +Author: Brad Spengler +Date: Wed Jun 26 18:39:08 2013 -0400 + + From: Mathias Krause + To: Steffen Klassert , + "David S. Miller" + Cc: Mathias Krause , netdev@vger.kernel.org, + Herbert Xu + Subject: [PATCH] af_key: fix info leaks in notify messages + + key_notify_sa_flush() and key_notify_policy_flush() miss to initialize + the sadb_msg_reserved member of the broadcasted message and thereby + leak 2 bytes of heap memory to listeners. Fix that. + + Signed-off-by: Mathias Krause + Cc: Steffen Klassert + Cc: "David S. Miller" + Cc: Herbert Xu + + net/key/af_key.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 +Author: Brad Spengler +Date: Wed Jun 26 18:33:06 2013 -0400 + + update rand_threadstack code to continue the search for a gap if the first + choice doesn't have enough space, instead of returning ENOMEM + + mm/mmap.c | 17 ++++++++++------- + 1 files changed, 10 insertions(+), 7 deletions(-) + +commit 87020d4a4d83038d65ff1fd519938840f6888b9e +Merge: 2682346 c51e25a +Author: Brad Spengler +Date: Wed Jun 26 18:25:32 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c51e25a23f30a1198076bd085f19b2073caf164d +Author: Brad Spengler +Date: Wed Jun 26 18:24:54 2013 -0400 + + Update to pax-linux-3.9.7-test12.patch: + - fixed a regression on PARAVIRT/amd64 kernels + - simplified the recent vm_unmapped_area_info based change + + arch/x86/kernel/entry_64.S | 8 ++++---- + mm/mmap.c | 22 ++++++++++++---------- + 2 files changed, 16 insertions(+), 14 deletions(-) + +commit 26823469a08e59cb67bea18d448d9e8c65f82e08 +Author: Brad Spengler +Date: Tue Jun 25 21:26:51 2013 -0400 + + re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX + vm_unmapped_area code is complete + + arch/x86/kernel/sys_i386_32.c | 5 +++++ + grsecurity/Kconfig | 2 +- + mm/mmap.c | 11 ++++++++++- + 3 files changed, 16 insertions(+), 2 deletions(-) + +commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 +Merge: e58fe8c c4e0704 +Author: Brad Spengler +Date: Tue Jun 25 19:08:52 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/sys_i386_32.c + +commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 +Author: Brad Spengler +Date: Tue Jun 25 19:05:39 2013 -0400 + + Update to pax-linux-3.9.7-test11.patch: + - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) + - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure + - fixed the recent nested nmi related fixes some more + - fixed a regression in kernel memory initialization on relocatable i386 kernels + - empty_zero_page can be read-only on amd64 as well + + arch/arm/mm/mmap.c | 6 -- + arch/x86/kernel/entry_64.S | 8 +-- + arch/x86/kernel/head_64.S | 1 - + arch/x86/kernel/setup.c | 2 +- + arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- + drivers/lguest/core.c | 2 +- + include/linux/mm.h | 6 +- + include/linux/vmalloc.h | 2 +- + mm/mmap.c | 30 +++++++- + 9 files changed, 83 insertions(+), 134 deletions(-) + +commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d +Author: Brad Spengler +Date: Sun Jun 23 14:37:14 2013 -0400 + + second compile fix, reported by forsaken on forums + + include/linux/vmalloc.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f +Author: Brad Spengler +Date: Sun Jun 23 14:36:35 2013 -0400 + + compile fix, reported by KDE on forums + + kernel/printk.c | 7 ------- + 1 files changed, 0 insertions(+), 7 deletions(-) + +commit 1fc9a5e2e267205d28302e1e86ca0da434561111 +Author: Ben Hutchings +Date: Sun Jun 16 21:27:12 2013 +0100 + + Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d + + x86/efi: Fix dummy variable buffer allocation + + 1. Check for allocation failure + 2. Clear the buffer contents, as they may actually be written to flash + 3. Don't leak the buffer + + Compile-tested only. + + [ Tested successfully on my buggy ASUS machine - Matt ] + + Signed-off-by: Ben Hutchings + Cc: stable@vger.kernel.org + Signed-off-by: Matt Fleming + + arch/x86/platform/efi/efi.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 +Author: Dave Kleikamp +Date: Tue Jun 18 09:05:36 2013 -0500 + + Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 + + sparc: tsb must be flushed before tlb + + This fixes a race where a cpu may re-load a tlb from a stale tsb right + after it has been flushed by a remote function call. + + I still see some instability when stressing the system with parallel + kernel builds while creating memory pressure by writing to + /proc/sys/vm/nr_hugepages, but this patch improves the stability + significantly. + + Signed-off-by: Dave Kleikamp + Acked-by: Bob Picco + Signed-off-by: David S. Miller + + arch/sparc/mm/tlb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d93b62f6485db9aadda34322a6867868db07f56f +Merge: 4ef62f5 71d83e9 +Author: Brad Spengler +Date: Fri Jun 21 16:52:55 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 71d83e97c936563913bcfb5a25c45b2021a331eb +Author: Brad Spengler +Date: Fri Jun 21 16:48:42 2013 -0400 + + Update to pax-linux-3.9.7-test10.patch: + - fixed a few format string problems uncovered by -Wformat-nonliteral + - another attempt at fixing the nested nmi/cr0.wp problem + - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) + - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) + - fixed a locking issue with track_exec_limit reported by spender + - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) + + Documentation/dontdiff | 1 + + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- + arch/x86/kernel/e820.c | 4 +- + arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ + arch/x86/kernel/vmlinux.lds.S | 2 +- + block/genhd.c | 11 +++-- + crypto/algapi.c | 2 +- + crypto/pcrypt.c | 6 +- + drivers/base/attribute_container.c | 2 +- + drivers/base/power/sysfs.c | 2 +- + drivers/block/nbd.c | 2 +- + drivers/cdrom/cdrom.c | 2 +- + drivers/char/hw_random/intel-rng.c | 2 +- + drivers/char/mem.c | 2 +- + drivers/devfreq/devfreq.c | 2 +- + drivers/gpu/drm/drm_encoder_slave.c | 6 +-- + drivers/gpu/drm/drm_sysfs.c | 2 +- + drivers/gpu/drm/ttm/ttm_memory.c | 4 +- + drivers/iommu/irq_remapping.c | 2 +- + drivers/video/output.c | 2 +- + fs/ext4/mmp.c | 2 +- + fs/ext4/super.c | 2 +- + fs/lockd/svc.c | 2 +- + fs/nfs/callback.c | 4 +- + fs/nfs/nfs4state.c | 2 +- + fs/nfsd/nfscache.c | 3 +- + init/initramfs.c | 2 +- + kernel/rcutree.c | 2 +- + lib/kobject.c | 2 +- + mm/backing-dev.c | 4 +- + mm/mmap.c | 4 +- + mm/slub.c | 2 +- + mm/vmalloc.c | 15 +++---- + net/bluetooth/hci_core.c | 8 ++-- + net/netfilter/nf_conntrack_proto_dccp.c | 4 +- + net/sunrpc/svc.c | 2 +- + security/Kconfig | 15 +++--- + sound/core/sound.c | 2 +- + sound/sound_core.c | 2 +- + 40 files changed, 116 insertions(+), 111 deletions(-) + +commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c +Merge: 39efd8f 256eff7 +Author: Brad Spengler +Date: Fri Jun 21 16:45:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + kernel/printk.c + +commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 +Merge: e6e3059 485f25f +Author: Brad Spengler +Date: Thu Jun 20 22:14:24 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d +Author: Brad Spengler +Date: Tue Jun 18 17:20:18 2013 -0400 + + add apparmor compat patch + + security/apparmor/Kconfig | 9 ++ + security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 240 insertions(+), 0 deletions(-) + +commit 49bee3c5341687504669bf62becf4a419a226ba0 +Author: Brad Spengler +Date: Mon Jun 17 18:48:04 2013 -0400 + + Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" + + This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. + + kernel/sys.c | 29 +++-------------------------- + 1 files changed, 3 insertions(+), 26 deletions(-) + +commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 +Author: Al Viro +Date: Sun Jun 16 18:06:06 2013 +0100 + + Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 + + lseek(fd, n, SEEK_END) does *not* go to eof - n + + When you copy some code, you are supposed to read it. If nothing else, + there's a chance to spot and fix an obvious bug instead of sharing it... + + X-Song: "I Got It From Agnes", by Tom Lehrer + Signed-off-by: Al Viro + [ Tom Lehrer? You're dating yourself, Al ] + Signed-off-by: Linus Torvalds + + drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- + drivers/scsi/bfa/bfad_debugfs.c | 2 +- + drivers/scsi/fnic/fnic_debugfs.c | 2 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +commit 5a450f1c46f0c84379518aee878993d3f4a331b6 +Author: Theodore Ts'o +Date: Thu Jun 6 11:14:31 2013 -0400 + + Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 + + ext4: verify group number in verify_group_input() before using it + + Check the group number for sanity earilier, before calling routines + such as ext4_bg_has_super() or ext4_group_overhead_blocks(). + + Reported-by: Jonathan Salwan + Signed-off-by: "Theodore Ts'o" + + fs/ext4/resize.c | 17 +++++++++++------ + 1 files changed, 11 insertions(+), 6 deletions(-) + +commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 +Author: Neil Horman +Date: Wed Jun 12 14:26:44 2013 -0400 + + Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 + + sctp: fully initialize sctp_outq in sctp_outq_init + + In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 + (refactor sctp_outq_teardown to insure proper re-initalization) + we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the + outq structure. Steve West recently asked me why I removed the q->error = 0 + initalization from sctp_outq_teardown. I did so because I was operating under + the impression that sctp_outq_init would properly initalize that value for us, + but it doesn't. sctp_outq_init operates under the assumption that the outq + struct is all 0's (as it is when called from sctp_association_init), but using + it in __sctp_outq_teardown violates that assumption. We should do a memset in + sctp_outq_init to ensure that the entire structure is in a known state there + instead. + + Signed-off-by: Neil Horman + Reported-by: "West, Steve (NSN - US/Fort Worth)" + CC: Vlad Yasevich + CC: netdev@vger.kernel.org + CC: davem@davemloft.net + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + Conflicts: + + net/sctp/outqueue.c + + net/sctp/outqueue.c | 8 ++------ + 1 files changed, 2 insertions(+), 6 deletions(-) + +commit e13515ad7a9c7634599a105b2527752e527a905d +Author: Saurabh Mohan +Date: Mon Jun 10 17:45:10 2013 -0700 + + Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 + + net/ipv4: ip_vti clear skb cb before tunneling. + + If users apply shaper to vti tunnel then it will cause a kernel crash. The + problem seems to be due to the vti_tunnel_xmit function not clearing + skb->opt field before passing the packet to xfrm tunneling code. + + Signed-off-by: Saurabh Mohan + Acked-by: Stephen Hemminger + Signed-off-by: David S. Miller + + net/ipv4/ip_vti.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 +Author: Guillaume Nault +Date: Wed Jun 12 16:07:36 2013 +0200 + + Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 + + l2tp: Fix sendmsg() return value + + PPPoL2TP sockets should comply with the standard send*() return values + (i.e. return number of bytes sent instead of 0 upon success). + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit af361b412e816e894fb42ddff7a0545b7def64c0 +Author: Guillaume Nault +Date: Wed Jun 12 16:07:23 2013 +0200 + + Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 + + l2tp: Fix PPP header erasure and memory leak + + Copy user data after PPP framing header. This prevents erasure of the + added PPP header and avoids leaking two bytes of uninitialised memory + at the end of skb's data buffer. + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1f43aca088c35dda35abf76e08544e534c71fed4 +Author: Daniel Borkmann +Date: Wed Jun 12 16:02:27 2013 +0200 + + Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe + + packet: packet_getname_spkt: make sure string is always 0-terminated + + uaddr->sa_data is exactly of size 14, which is hard-coded here and + passed as a size argument to strncpy(). A device name can be of size + IFNAMSIZ (== 16), meaning we might leave the destination string + unterminated. Thus, use strlcpy() and also sizeof() while we're + at it. We need to memset the data area beforehand, since strlcpy + does not padd the remaining buffer with zeroes for user space, so + that we do not possibly leak anything. + + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + net/packet/af_packet.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f +Author: Andy Lutomirski +Date: Wed Jun 5 19:38:26 2013 +0000 + + Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab + + net: Unbreak compat_sys_{send,recv}msg + + I broke them in this commit: + + commit 1be374a0518a288147c6a7398792583200a67261 + Author: Andy Lutomirski + Date: Wed May 22 14:07:44 2013 -0700 + + net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept + MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It + also reverts some unnecessary checks in sys_socketcall. + + Apparently I was suffering from underscore blindness the first time around. + + Signed-off-by: Andy Lutomirski + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + + include/linux/socket.h | 3 ++ + net/compat.c | 13 +++++++- + net/socket.c | 72 ++++++++++++++++++++++-------------------------- + 3 files changed, 47 insertions(+), 41 deletions(-) + +commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f +Author: Andy Lutomirski +Date: Wed May 22 14:07:44 2013 -0700 + + Upstream commit: 1be374a0518a288147c6a7398792583200a67261 + + net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + To: linux-kernel@vger.kernel.org + Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. + Miller" + Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg + + MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- + it's a hack that steals a bit to indicate to other networking code + that a compat entry was used. So don't allow it from a non-compat + syscall. + + This prevents an oops when running this code: + + int main() + { + int s; + struct sockaddr_in addr; + struct msghdr *hdr; + + char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); + if (highpage == MAP_FAILED) + err(1, "mmap"); + + s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if (s == -1) + err(1, "socket"); + + addr.sin_family = AF_INET; + addr.sin_port = htons(1); + addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) + err(1, "connect"); + + void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; + printf("Evil address is %p\n", evil); + + if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) + err(1, "sendmmsg"); + + return 0; + } + + Cc: David S. Miller + Signed-off-by: Andy Lutomirski + Signed-off-by: David S. Miller + + net/socket.c | 33 +++++++++++++++++++++++++++++++-- + 1 files changed, 31 insertions(+), 2 deletions(-) + +commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e +Author: Kees Cook +Date: Fri May 10 14:48:21 2013 -0700 + + Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c + + b43: stop format string leaking into error msgs + + The module parameter "fwpostfix" is userspace controllable, unfiltered, + and is used to define the firmware filename. b43_do_request_fw() populates + ctx->errors[] on error, containing the firmware filename. b43err() + parses its arguments as a format string. For systems with b43 hardware, + this could lead to a uid-0 to ring-0 escalation. + + CVE-2013-2852 + + Signed-off-by: Kees Cook + Cc: stable@vger.kernel.org + Signed-off-by: John W. Linville + + drivers/net/wireless/b43/main.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit dfb67a67049ace7b94ad7e2febfac69816d50d85 +Author: Mark A. Greer +Date: Wed May 29 12:25:34 2013 -0700 + + Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 + + mwifiex: debugfs: Fix out of bounds array access + + When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', + the following panic occurs: + + $ cat /sys/kernel/debug/mwifiex/p2p0/info + Unable to handle kernel paging request at virtual address 74706164 + pgd = de530000 + [74706164] *pgd=00000000 + Internal error: Oops: 5 [#1] SMP ARM + Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex + CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 + task: de16b6c0 ti: de048000 task.ti: de048000 + PC is at strnlen+0xc/0x4c + LR is at string+0x3c/0xf8 + pc : [] lr : [] psr: a0000013 + sp : de049e10 ip : c06efba0 fp : de6d2092 + r10: bf01a260 r9 : ffffffff r8 : 74706164 + r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 + r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 + Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user + Control: 10c5387d Table: 9e530019 DAC: 00000015 + Process cat (pid: 1635, stack limit = 0xde048240) + Stack: (0xde049e10 to 0xde04a000) + 9e00: de6d2092 00000002 bf01a25e de6d209c + 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 + 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 + 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 + 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 + 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 + 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 + 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 + 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 + 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 + 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 + 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 + 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 + 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd + [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) + [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) + [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) + [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) + [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) + [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) + [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) + Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) + ---[ end trace ca98273dc605a04f ]--- + + The panic is caused by the mwifiex_info_read() routine assuming that + there can only be four modes (0-3) which is an invalid assumption. + For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the + code accesses data beyond the bounds of the bss_modes[] array which + causes the panic. Fix this by updating bss_modes[] to support the + current list of modes and adding a check to prevent the out-of-bounds + access from occuring in the future when more modes are added. + + Signed-off-by: Mark A. Greer + Acked-by: Bing Zhao + Signed-off-by: John W. Linville + + drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- + 1 files changed, 17 insertions(+), 5 deletions(-) + +commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 +Author: Johan Hedberg +Date: Tue May 28 13:46:30 2013 +0300 + + Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 + + Bluetooth: Fix missing length checks for L2CAP signalling PDUs + + There has been code in place to check that the L2CAP length header + matches the amount of data received, but many PDU handlers have not been + checking that the data received actually matches that expected by the + specific PDU. This patch adds passing the length header to the specific + handler functions and ensures that those functions fail cleanly in the + case of an incorrect amount of data. + + Signed-off-by: Johan Hedberg + Cc: stable@vger.kernel.org + Signed-off-by: Gustavo Padovan + Signed-off-by: John W. Linville + + net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- + 1 files changed, 52 insertions(+), 18 deletions(-) + +commit 628be2427afb241b5a1aa24bc5907d05287e1f25 +Author: Dan Carpenter +Date: Mon Jun 3 12:00:49 2013 +0300 + + Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 + + ipvs: info leak in __ip_vs_get_dest_entries() + + The entry struct has a 2 byte hole after ->port and another 4 byte + hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your + namespace to hit this information leak. + + Signed-off-by: Dan Carpenter + Acked-by: Julian Anastasov + Signed-off-by: Simon Horman + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/ipvs/ip_vs_ctl.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 066d9226bc6c569d5f420c978b758e0bddd23444 +Author: Robin Holt +Date: Wed Jun 12 14:04:37 2013 -0700 + + Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db + + reboot: rigrate shutdown/reboot to boot cpu + + We recently noticed that reboot of a 1024 cpu machine takes approx 16 + minutes of just stopping the cpus. The slowdown was tracked to commit + f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in + kernel_restart()"). + + The current implementation does all the work of hot removing the cpus + before halting the system. We are switching to just migrating to the + boot cpu and then continuing with shutdown/reboot. + + This also has the effect of not breaking x86's command line parameter + for specifying the reboot cpu. Note, this code was shamelessly copied + from arch/x86/kernel/reboot.c with bits removed pertaining to the + reboot_cpu command line parameter. + + Signed-off-by: Robin Holt + Tested-by: Shawn Guo + Cc: "Srivatsa S. Bhat" + Cc: H. Peter Anvin + Cc: Thomas Gleixner + Cc: Ingo Molnar + Cc: Russ Anderson + Cc: Robin Holt + Cc: Russell King + Cc: Guan Xuetao + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/sys.c | 29 ++++++++++++++++++++++++++--- + 1 files changed, 26 insertions(+), 3 deletions(-) + +commit 94e2a91600b07d39825e7059195f35eb611a39a2 +Merge: 20cc761 e6e3059 +Author: Brad Spengler +Date: Thu Jun 13 16:23:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a +Merge: c6aadb1 4b73feb +Author: Brad Spengler +Date: Thu Jun 13 16:23:39 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 20cc7613e38cde07adc73179a91d6c15292e8d43 +Author: Daniel Borkmann +Date: Thu Jun 6 15:53:47 2013 +0200 + + Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c + + net: sctp: fix NULL pointer dereference in socket destruction + + While stress testing sctp sockets, I hit the following panic: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: [] sctp_endpoint_free+0xe/0x40 [sctp] + PGD 7cead067 PUD 7ce76067 PMD 0 + Oops: 0000 [#1] SMP + Modules linked in: sctp(F) libcrc32c(F) [...] + CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 + Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 + task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 + RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] + RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 + RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 + RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 + RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 + FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + Stack: + ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded + ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e + 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e + Call Trace: + [] sctp_destroy_sock+0x3d/0x80 [sctp] + [] sk_common_release+0x1e/0xf0 + [] inet_create+0x2ae/0x350 + [] __sock_create+0x11f/0x240 + [] sock_create+0x30/0x40 + [] SyS_socket+0x4c/0xc0 + [] ? do_page_fault+0xe/0x10 + [] ? page_fault+0x22/0x30 + [] system_call_fastpath+0x16/0x1b + Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f + 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> + 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 + RIP [] sctp_endpoint_free+0xe/0x40 [sctp] + RSP + CR2: 0000000000000020 + ---[ end trace e0d71ec1108c1dd9 ]--- + + I did not hit this with the lksctp-tools functional tests, but with a + small, multi-threaded test program, that heavily allocates, binds, + listens and waits in accept on sctp sockets, and then randomly kills + some of them (no need for an actual client in this case to hit this). + Then, again, allocating, binding, etc, and then killing child processes. + + This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' + is set. The cause for that is actually very simple: in sctp_endpoint_init() + we enter the path of sctp_auth_init_hmacs(). There, we try to allocate + our crypto transforms through crypto_alloc_hash(). In our scenario, + it then can happen that crypto_alloc_hash() fails with -EINTR from + crypto_larval_wait(), thus we bail out and release the socket via + sk_common_release(), sctp_destroy_sock() and hit the NULL pointer + dereference as soon as we try to access members in the endpoint during + sctp_endpoint_free(), since endpoint at that time is still NULL. Now, + if we have that case, we do not need to do any cleanup work and just + leave the destruction handler. + + Signed-off-by: Daniel Borkmann + Acked-by: Neil Horman + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/socket.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +commit 386ba837978cc8a1111440bdcd8600f2df4634a4 +Author: Brad Spengler +Date: Wed Jun 12 20:37:48 2013 -0400 + + fix deadlock when booting i386 kernel without NX + + mm/mmap.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 +Author: Brad Spengler +Date: Tue Jun 11 22:18:07 2013 -0400 + + fix elif / elif defined() typo in recent change + + kernel/events/core.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit bc43377e1e757cd37a06be0187884a42af718aab +Merge: 3cdea63 c6aadb1 +Author: Brad Spengler +Date: Tue Jun 11 18:50:39 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 +Author: Brad Spengler +Date: Tue Jun 11 18:49:36 2013 -0400 + + Update to pax-linux-3.9.4-test9.patch: + - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) + - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort + + arch/x86/kernel/setup.c | 2 +- + mm/mlock.c | 1 - + 2 files changed, 1 insertions(+), 2 deletions(-) + +commit 3cdea63e90607d8d55820b101854091623feedb8 +Author: Brad Spengler +Date: Mon Jun 10 21:21:44 2013 -0400 + + Fix fanotify infoleak reported by Dan Carpenter at: + https://lkml.org/lkml/2013/6/3/128 + + Requires CAP_SYS_ADMIN, so this is about as low priority as it gets + + fs/notify/fanotify/fanotify_user.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 373a2b5df78f82b9d3db72bd6577e29a71591323 +Author: Brad Spengler +Date: Mon Jun 10 21:16:46 2013 -0400 + + Backport infoleak fix by Dan Carpenter in cpqarray: + https://lkml.org/lkml/2013/6/3/131 + + drivers/block/cpqarray.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 251e84b9b05e063981b20be154c9389862f94759 +Author: Brad Spengler +Date: Mon Jun 10 21:04:17 2013 -0400 + + Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 + + drivers/cdrom/cdrom.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 383d89bf95818b05a485a6e8b118963b5bcbc83e +Author: Brad Spengler +Date: Mon Jun 10 18:34:32 2013 -0400 + + change const to __read_only + + kernel/sysctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 +Author: Brad Spengler +Date: Mon Jun 10 17:34:13 2013 -0400 + + compile fix, make const values const + + kernel/sysctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d +Author: Brad Spengler +Date: Mon Jun 10 17:37:13 2013 -0400 + + Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a + + drivers/char/mwave/tp3780i.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1c590aa70c95ebd76ba9672aa23d800b81780615 +Author: Brad Spengler +Date: Sun Jun 9 19:50:35 2013 -0400 + + allow -1 perf_event_paranoid + + kernel/sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 +Merge: 4e85539 117c3fa +Author: Brad Spengler +Date: Sun Jun 9 17:30:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 117c3fa8d26c3806103123560f807d99071b60b6 +Merge: ed9b427 5dd2e98 +Author: Brad Spengler +Date: Sun Jun 9 17:30:00 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 +Author: Eric Dumazet +Date: Mon May 13 21:25:52 2013 +0000 + + Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e + + tcp: fix tcp_md5_hash_skb_data() + + TCP md5 communications fail [1] for some devices, because sg/crypto code + assume page offsets are below PAGE_SIZE. + + This was discovered using mlx4 driver [2], but I suspect loopback + might trigger the same bug now we use order-3 pages in tcp_sendmsg() + + [1] Failure is giving following messages. + + huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, + exited with 00000101? + + [2] mlx4 driver uses order-2 pages to allocate RX frags + + Reported-by: Matt Schnall + Signed-off-by: Eric Dumazet + Cc: Bernhard Beck + Signed-off-by: David S. Miller + + net/ipv4/tcp.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb +Author: Eric Dumazet +Date: Fri May 17 04:53:13 2013 +0000 + + Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a + + ipv6: fix possible crashes in ip6_cork_release() + + commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") + added some code duplication and bad error recovery, leading to potential + crash in ip6_cork_release() as kfree() could be called with garbage. + + use kzalloc() to make sure this wont happen. + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + Cc: Herbert Xu + Cc: Hideaki YOSHIFUJI + Cc: Neal Cardwell + + net/ipv6/ip6_output.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5771263fe368cd384127dd17d7596a7e1a4e2eec +Author: Chen Gang +Date: Thu May 16 23:13:04 2013 +0000 + + Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 + + net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. + + 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the + strncpy() will always left the last byte of 'discovery->data.info' + uninitialized. + + When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left + the last byte of 'discovery->data.info' uninitialized, the next + strlen() will cause issue. + + Also 'discovery->data' is 'struct irda_device_info' which defined in + "include/uapi/...", it may copy to user mode, so need whole initialized. + + All together, need use kzalloc() instead of kmalloc() to initialize all + members firstly. + + Signed-off-by: Chen Gang + Signed-off-by: David S. Miller + + net/irda/irlap_frame.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c01c9af268cb066f240aec53454b8b74d8d01688 +Author: Dan Carpenter +Date: Sun May 19 08:36:36 2013 +0000 + + Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 + + isdn/kcapi: fix a small underflow + + In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes + from skb->data. The current code can underflow to one space before the + start of the array. + + The sanity check isn't needed in __get_capi_appl_by_nr() but I changed + it to match the others. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + drivers/isdn/capi/kcapi.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 +Author: Timo Teräs +Date: Wed May 22 01:40:47 2013 +0000 + + Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 + + xfrm: properly handle invalid states as an error + + The error exit path needs err explicitly set. Otherwise it + returns success and the only caller, xfrm_output_resume(), + would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is + NULL. + + Bug introduced in commit bb65a9cb (xfrm: removes a superfluous + check and add a statistic). + + Signed-off-by: Timo Teräs + Cc: Li RongQing + Cc: Steffen Klassert + Signed-off-by: David S. Miller + + net/xfrm/xfrm_output.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd +Author: Jeff Mahoney +Date: Fri May 31 15:07:52 2013 -0400 + + Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab + + reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry + + After sleeping for filldir(), we check to see if the file system has + changed and research. The next_pos pointer is updated but its value + isn't pushed into the key used for the search itself. As a result, + the search returns the same item that the last cycle of the loop did + and filldir() is called multiple times with the same data. + + The end result is that the buffer can contain the same name multiple + times. This can be returned to userspace or used internally in the + xattr code where it can manifest with the following warning: + + jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) + + reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over + the xattr names and ends up trying to unlink the same name twice. The + second attempt fails with -ENOENT and the error is returned. At some + point I'll need to add support into reiserfsck to remove the orphaned + directories left behind when this occurs. + + The fix is to push the value into the key before researching. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/dir.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 +Author: Jeff Mahoney +Date: Fri May 31 15:51:17 2013 -0400 + + Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc + + reiserfs: fix deadlock with nfs racing on create/lookup + + Reiserfs is currently able to be deadlocked by having two NFS clients + where one has removed and recreated a file and another is accessing the + file with an open file handle. + + If one client deletes and recreates a file with timing such that the + recreated file obtains the same [dirid, objectid] pair as the original + file while another client accesses the file via file handle, the create + and lookup can race and deadlock if the lookup manages to create the + in-memory inode first. + + The create thread, in insert_inode_locked4, will hold the write lock + while waiting on the other inode to be unlocked. The lookup thread, + anywhere in the iget path, will release and reacquire the write lock while + it schedules. If it needs to reacquire the lock while the create thread + has it, it will never be able to make forward progress because it needs + to reacquire the lock before ultimately unlocking the inode. + + This patch drops the write lock across the insert_inode_locked4 call so + that the ordering of inode_wait -> write lock is retained. Since this + would have been the case before the BKL push-down, this is safe. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/inode.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 +Author: Jeff Mahoney +Date: Fri May 31 15:54:17 2013 -0400 + + Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b + + reiserfs: fix problems with chowning setuid file w/ xattrs + + reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr + and uses it to iterate over all the attrs associated with a file to change + ownership of xattrs (and transfer quota associated with the xattr files). + + When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode + are passed to all the xattrs as well. This means that the xattr directory + will have S_IFREG added to its mode bits. + + This has been prevented in practice by a missing IS_PRIVATE check + in reiserfs_acl_chmod, which caused a double-lock to occur while holding + the write lock. Since the file system was completely locked up, the + writeout of the corrupted mode never happened. + + This patch temporarily clears everything but ATTR_UID|ATTR_GID for the + calls to reiserfs_setattr and adds the missing IS_PRIVATE check. + + Signed-off-by: Jeff Mahoney + Signed-off-by: Jan Kara + + fs/reiserfs/xattr.c | 14 +++++++++++++- + fs/reiserfs/xattr_acl.c | 3 +++ + 2 files changed, 16 insertions(+), 1 deletions(-) + +commit c18cef940310c06bdf86d64d8cb227e56e165300 +Author: Dave Chinner +Date: Mon May 27 16:38:25 2013 +1000 + + Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b + + xfs: kill suid/sgid through the truncate path. + + XFS has failed to kill suid/sgid bits correctly when truncating + files of non-zero size since commit c4ed4243 ("xfs: split + xfs_setattr") introduced in the 3.1 kernel. Fix it. + + Fix it. + + cc: stable kernel + Signed-off-by: Dave Chinner + Reviewed-by: Brian Foster + Signed-off-by: Ben Myers + + (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) + + fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 files changed, 32 insertions(+), 15 deletions(-) + +commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc +Author: Trond Myklebust +Date: Wed May 29 15:36:40 2013 -0400 + + Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 + + NFSv4: Fix a thinko in nfs4_try_open_cached + + We need to pass the full open mode flags to nfs_may_open() when doing + a delegated open. + + Signed-off-by: Trond Myklebust + Cc: stable@vger.kernel.org + + fs/nfs/nfs4proc.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c47de62893a9f269be0a272c2840aac1e2a35c68 +Author: Chen Gang +Date: Thu May 30 01:18:43 2013 +0000 + + Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 + + parisc: kernel: using strlcpy() instead of strcpy() + + 'boot_args' is an input args, and 'boot_command_line' has a fix length. + So use strlcpy() instead of strcpy() to avoid memory overflow. + + Signed-off-by: Chen Gang + Acked-by: Kyle McMartin + Signed-off-by: Helge Deller + + arch/parisc/kernel/setup.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit ce869e6f799f95fcac340420ba3612503df80dbf +Author: Chen Gang +Date: Mon May 27 04:57:09 2013 +0000 + + Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 + + parisc: memory overflow, 'name' length is too short for using + + 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 + * "%u:" + "%u" + '\0') may be 21. + + Since 'name' length is 20, it may be memory overflow. + + And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the + max length of 'name' must be less than 28. + + So simplify thinking, we can use 28 instead of 20 directly, and do not + think of whether 'patchc.bc[i]' can '> 100'. + + Signed-off-by: Chen Gang + Signed-off-by: Helge Deller + + arch/parisc/kernel/drivers.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5dc65cd34d442783118a17c518e2daedb90a31d0 +Author: Brad Spengler +Date: Tue Jun 4 17:52:23 2013 -0400 + + add PERF_HARDEN recommendation + + grsecurity/Kconfig | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c +Author: Brad Spengler +Date: Tue Jun 4 17:22:44 2013 -0400 + + Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN + + grsecurity/Kconfig | 19 +++++++++++++++++++ + include/linux/perf_event.h | 5 +++++ + kernel/events/core.c | 10 +++++++++- + kernel/sysctl.c | 9 ++++++++- + 4 files changed, 41 insertions(+), 2 deletions(-) + +commit 84619a3501fd38285a72d9e963f58d1827beedd6 +Author: Brad Spengler +Date: Sat Jun 1 14:23:31 2013 -0400 + + remove user-triggerable BUG_ON in do_munlockall() + + mm/mlock.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 +Author: Brad Spengler +Date: Sat Jun 1 13:44:05 2013 -0400 + + Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 + + From: Kees Cook + Date: Thu, 23 May 2013 17:32:17 +0000 + Subject: iscsi-target: fix heap buffer overflow on error + + If a key was larger than 64 bytes, as checked by iscsi_check_key(), the + error response packet, generated by iscsi_add_notunderstood_response(), + would still attempt to copy the entire key into the packet, overflowing + the structure on the heap. + + Remote preauthentication kernel memory corruption was possible if a + target was configured and listening on the network. + + CVE-2013-2850 + + Embargo-screwup-by: Kees Cook + Cc: stable@vger.kernel.org + Signed-off-by: Nicholas Bellinger + + drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- + drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- + 2 files changed, 6 insertions(+), 6 deletions(-) + +commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e +Author: Brad Spengler +Date: Sat Jun 1 13:43:26 2013 -0400 + + Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" + Applying upstream fix instead + + This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. + + drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 +Author: Dan Carpenter +Date: Sun May 19 21:52:20 2013 +0300 + + Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 + + USB: cxacru: potential underflow in cxacru_cm_get_array() + + commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. + + The value of "offd" comes off the instance->rcv_buf[] and we used it as + the offset into an array. The problem is that we check the upper bound + but not for negative values. + + Signed-off-by: Dan Carpenter + Signed-off-by: Greg Kroah-Hartman + Signed-off-by: Ben Hutchings + + drivers/usb/atm/cxacru.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 +Author: Brad Spengler +Date: Sat Jun 1 11:30:17 2013 -0400 + + Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters + + drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +commit 8578566969d91678a3d7d5251b4eafc6d7775314 +Author: Brad Spengler +Date: Thu May 30 17:44:15 2013 -0400 + + Apply compatibility fix to previous RLIMIT_NPROC change + don't enforce the rlimit check at exec time if the user is root + Prevents problems with sudo if root is listed as part of a group + in limits.conf with process limits enforced + + kernel/sys.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 +Merge: 643b294 ed9b427 +Author: Brad Spengler +Date: Wed May 29 19:19:28 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit ed9b4276488528d0c3803df1dc0df804238241e0 +Author: Brad Spengler +Date: Wed May 29 19:18:45 2013 -0400 + + Updated to pax-linux-3.9.4-test8.patch: + - fixed some fallout detected by the checker plugin + + arch/x86/kernel/crash_dump_64.c | 2 +- + drivers/base/devtmpfs.c | 6 +++--- + drivers/char/agp/compat_ioctl.c | 2 +- + drivers/char/agp/frontend.c | 2 +- + drivers/char/mem.c | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- + drivers/i2c/i2c-dev.c | 2 +- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- + drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- + fs/9p/vfs_addr.c | 2 +- + fs/binfmt_elf.c | 4 ++-- + fs/compat_ioctl.c | 4 ++-- + fs/exec.c | 2 +- + fs/namespace.c | 8 ++++---- + fs/proc/vmcore.c | 12 ++++++++---- + fs/read_write.c | 2 +- + include/linux/syscalls.h | 8 ++++---- + init/do_mounts_initrd.c | 8 ++++---- + init/main.c | 4 ++-- + kernel/events/core.c | 2 +- + kernel/events/internal.h | 10 +++++----- + mm/page_io.c | 2 +- + security/keys/internal.h | 2 +- + tools/gcc/checker_plugin.c | 1 + + 24 files changed, 63 insertions(+), 54 deletions(-) + +commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 +Author: Brad Spengler +Date: Wed May 29 18:51:31 2013 -0400 + + eliminate gcc warning + + fs/exec.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 +Author: Brad Spengler +Date: Wed May 29 18:30:20 2013 -0400 + + use BUILD_BUG() instead of BUILD_BUG_ON(1) + + arch/x86/net/bpf_jit_comp.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 5343410354267368e5809f3ad8d9a264f141be18 +Author: Brad Spengler +Date: Wed May 29 17:57:41 2013 -0400 + + defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON + for unknown opcodes + + arch/x86/net/bpf_jit_comp.c | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d +Author: Xiao Guangrong +Date: Fri May 24 15:55:11 2013 -0700 + + Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 + + mm: mmu_notifier: re-fix freed page still mapped in secondary MMU + + Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and + multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: + fix freed page still mapped in secondary MMU"). + + Since hlist_for_each_entry_rcu() is changed now, we can not revert that + patch directly, so this patch reverts the commit and simply fix the bug + spotted by that patch + + This bug spotted by commit 751efd8610d3 is: + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result + of a filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + + This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. + + The another issue spotted in the commit is "multiple ->release() + callouts", we needn't care it too much because it is really rare (e.g, + can not happen on kvm since mmu-notify is unregistered after + exit_mmap()) and the later call of multiple ->release should be fast + since all the pages have already been released by the first call. + Anyway, this issue should be fixed in a separate patch. + + -stable suggestions: Any version that has commit 751efd8610d3 need to be + backported. I find the oldest version has this commit is 3.0-stable. + + [akpm@linux-foundation.org: tweak comments] + Signed-off-by: Xiao Guangrong + Tested-by: Robin Holt + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- + 1 files changed, 39 insertions(+), 40 deletions(-) + +commit 163a5539b36247865d39b2bcfa8efc03a62124a6 +Author: Aneesh Kumar K.V +Date: Fri May 24 15:55:21 2013 -0700 + + Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 + + mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer + + We should not use set_pmd_at to update pmd_t with pgtable_t pointer. + set_pmd_at is used to set pmd with huge pte entries and architectures + like ppc64, clear few flags from the pte when saving a new entry. + Without this change we observe bad pte errors like below on ppc64 with + THP enabled. + + BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 + + Signed-off-by: Aneesh Kumar K.V + Cc: Hugh Dickins + Cc: Benjamin Herrenschmidt + Reviewed-by: Andrea Arcangeli + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/huge_memory.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +commit 3e54faf888d324d5f362dcba16173ea7bba61e8a +Author: OGAWA Hirofumi +Date: Fri May 24 15:55:08 2013 -0700 + + Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 + + fat: fix possible overflow for fat_clusters + + Intermediate value of fat_clusters can be overflowed on 32bits arch. + + Reported-by: Krzysztof Strasburger + Signed-off-by: OGAWA Hirofumi + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/fat/inode.c | 15 ++++++++++++++- + 1 files changed, 14 insertions(+), 1 deletions(-) + +commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d +Author: Jarod Wilson +Date: Fri May 24 15:55:31 2013 -0700 + + Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 + + drivers/char/random.c: fix priming of last_data + + Commit ec8f02da9ea5 ("random: prime last_data value per fips + requirements") added priming of last_data per fips requirements. + + Unfortuantely, it did so in a way that can lead to multiple threads all + incrementing nbytes, but only one actually doing anything with the extra + data, which leads to some fun random corruption and panics. + + The fix is to simply do everything needed to prime last_data in a single + shot, so there's no window for multiple cpus to increment nbytes -- in + fact, we won't even increment or decrement nbytes anymore, we'll just + extract the needed EXTRACT_SIZE one time per pool and then carry on with + the normal routine. + + All these changes have been tested across multiple hosts and + architectures where panics were previously encoutered. The code changes + are are strictly limited to areas only touched when when booted in fips + mode. + + This change should also go into 3.8-stable, to make the myriads of fips + users on 3.8.x happy. + + Signed-off-by: Jarod Wilson + Tested-by: Jan Stancek + Tested-by: Jan Stodola + Cc: Herbert Xu + Acked-by: Neil Horman + Cc: "David S. Miller" + Cc: Matt Mackall + Cc: "Theodore Ts'o" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/char/random.c | 30 +++++++++++++++--------------- + 1 files changed, 15 insertions(+), 15 deletions(-) + +commit 2d74639040ba6ce47f57ec010714ec06529c4b42 +Author: Jiri Kosina +Date: Fri May 24 15:55:33 2013 -0700 + + Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 + + random: fix accounting race condition with lockless irq entropy_count update + + Commit 902c098a3663 ("random: use lockless techniques in the interrupt + path") turned IRQ path from being spinlock protected into lockless + cmpxchg-retry update. + + That commit removed r->lock serialization between crediting entropy bits + from IRQ context and accounting when extracting entropy on userspace + read path, but didn't turn the r->entropy_count reads/updates in + account() to use cmpxchg as well. + + It has been observed, that under certain circumstances this leads to + read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets + corrupted and becomes negative, which in turn results in propagating 0 + all the way from account() to the actual read() call. + + Convert the accounting code to be the proper lockless counterpart of + what has been partially done by 902c098a3663. + + Signed-off-by: Jiri Kosina + Cc: Theodore Ts'o + Cc: Greg KH + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/char/random.c | 26 +++++++++++++++++--------- + 1 files changed, 17 insertions(+), 9 deletions(-) + +commit 65d05c7ea468c23c175105526dd4f163302a92cf +Merge: 1a98d0a 6ce3a135 +Author: Brad Spengler +Date: Sat May 25 07:48:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kernel/vm86_32.c + +commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 +Merge: 79bdd65 0bfd8ff +Author: Brad Spengler +Date: Sat May 25 07:46:55 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 +Author: Brad Spengler +Date: Thu May 23 18:42:23 2013 -0400 + + use existing local variable + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b2b80ef8586061e32e986b31608717c25d1e7c54 +Merge: cb45fbd 79bdd65 +Author: Brad Spengler +Date: Thu May 23 17:58:53 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 79bdd65dac68267bc1b201c6b4a99966a373c305 +Author: Brad Spengler +Date: Thu May 23 17:57:46 2013 -0400 + + Update to pax-linux-3.9.3-test7.patch: + - fixed some size overflow related warnings (hash table, attributes) + - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html + + arch/x86/include/asm/page_64.h | 2 +- + arch/x86/kernel/head64.c | 2 +- + tools/gcc/constify_plugin.c | 48 ++- + tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ + 4 files changed, 651 insertions(+), 592 deletions(-) + +commit cb45fbda4967b1b544a754fbdc92d73283379522 +Merge: 62588fa 57c11b8 +Author: Brad Spengler +Date: Mon May 20 17:32:17 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 57c11b85acd841a088aa4df8e60be337880df8cd +Merge: 0598b37 4bb0869 +Author: Brad Spengler +Date: Mon May 20 17:32:08 2013 -0400 + + Merge branch 'linux-3.9.y' into pax-test + +commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 +Merge: e261c7b 0598b37 +Author: Brad Spengler +Date: Fri May 17 22:57:36 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 +Author: Brad Spengler +Date: Fri May 17 22:57:07 2013 -0400 + + Update to pax-linux-3.9.2-test6.patch: + - fixed a gcc assert in the structleak plugin, reported by Emese Revfy + - fixed pfn extraction from pud/pgd entries, reported by ousado + + arch/x86/include/asm/pgtable.h | 9 +++++++-- + tools/gcc/structleak_plugin.c | 3 ++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +commit e261c7bc611e9127bbb7bd95cddd51524bf255ae +Author: Brad Spengler +Date: Thu May 16 22:54:12 2013 -0400 + + add offset to topdown check, fixes compilation + + arch/x86/kernel/sys_x86_64.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 +Author: Brad Spengler +Date: Thu May 16 20:57:41 2013 -0400 + + CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, + reported by lulzh3ad on irc + + security/Kconfig | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0d4593e84707cdf6deb6b925c18c676a476b1613 +Merge: 43cd0c0 39a877f +Author: Brad Spengler +Date: Thu May 16 20:39:11 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 39a877f192ed305d88edac10a14a9e8e1e161f3f +Author: Brad Spengler +Date: Thu May 16 20:37:35 2013 -0400 + + Update to pax-linux-3.9.2-test105.patch: + - fixed !EFI boot problem, reported by spender + - fixed a few compile warnings + - fixed some more compile errors due to constification + - fixed some arm fallout, reported by Michael Tremer + + arch/arm/include/asm/psci.h | 2 +- + arch/arm/kernel/psci.c | 2 +- + arch/x86/kernel/sys_x86_64.c | 3 +-- + arch/x86/realmode/init.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- + drivers/irqchip/irq-gic.c | 2 +- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- + .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- + drivers/platform/x86/chromeos_laptop.c | 2 +- + fs/jfs/super.c | 4 ++-- + include/linux/irqchip/arm-gic.h | 2 ++ + include/sound/compress_driver.h | 2 +- + net/mac80211/cfg.c | 4 ++-- + sound/soc/fsl/fsl_ssi.c | 2 +- + 14 files changed, 31 insertions(+), 22 deletions(-) + +commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 +Author: Brad Spengler +Date: Thu May 16 20:35:22 2013 -0400 + + Fix usercopy false positive under gcc 4.1 + + arch/x86/kernel/signal.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +commit 56a166129d817f6634c8c230e6ec497669bdfaca +Author: Amerigo Wang +Date: Thu May 9 21:56:37 2013 +0000 + + Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f + + ipv6,gre: do not leak info to user-space + + There is a hole in struct ip6_tnl_parm2, so we have to + zero the struct on stack before copying it to user-space. + + Cc: David S. Miller + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + net/ipv6/ip6_gre.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit d6f50dae2653ad912952da40417a8ccbd59c7699 +Author: Brad Spengler +Date: Tue May 14 16:52:35 2013 -0400 + + disable unprivileged kernel profiling under HIDESYM, rename + the variable to something more appropriate + + include/linux/perf_event.h | 8 ++++---- + kernel/events/core.c | 6 +++++- + kernel/sysctl.c | 4 ++-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +commit 01322c6951bed4eedefbd2178dbd99292b365d99 +Author: Brad Spengler +Date: Mon May 13 17:19:57 2013 -0400 + + mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its + existing stack-heap gap code for the new unified vm_unmapped_area + + grsecurity/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 +Author: Brad Spengler +Date: Mon May 13 15:40:32 2013 -0400 + + fix NX fault on early boot + + arch/x86/realmode/init.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 +Author: Brad Spengler +Date: Mon May 13 10:48:13 2013 -0400 + + compile fix, we weren't using %pa anyway and it's now being used + by upstream for physical address printing + + lib/vsprintf.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d +Author: Brad Spengler +Date: Mon May 13 10:39:52 2013 -0400 + + compile fix + + grsecurity/grsec_chroot.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b +Author: Brad Spengler +Date: Mon May 13 10:35:36 2013 -0400 + + compile fixes + + grsecurity/grsec_chroot.c | 2 +- + include/linux/grinternal.h | 8 ++++---- + include/linux/grsecurity.h | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 +Author: Brad Spengler +Date: Mon May 13 10:27:18 2013 -0400 + + compile fix + + fs/exec.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 +Author: Brad Spengler +Date: Mon May 13 10:23:17 2013 -0400 + + Initial port of grsecurity for 3.9.2 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 8 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 12 +- + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 29 +- + arch/arm/mm/mmap.c | 8 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 4 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 2 + + arch/ia64/mm/hugetlbpage.c | 2 + + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/metag/mm/hugetlbpage.c | 1 + + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 4 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 17 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 8 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/slice.c | 8 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 8 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/tile/mm/hugetlbpage.c | 2 + + arch/um/defconfig | 1 - + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/Kconfig.debug | 2 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 14 +- + arch/x86/kernel/sys_x86_64.c | 6 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 15 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + drivers/block/cciss.c | 2 + + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 9 + + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/usb/storage/realtek_cr.c | 2 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 8 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 20 +- + fs/coredump.c | 10 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 181 +- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 4 + + fs/fs_struct.c | 13 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 241 ++- + fs/namespace.c | 24 + + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 +- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 3 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 1031 +++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4073 ++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 +++ + grsecurity/gracl_ip.c | 387 ++ + grsecurity/gracl_learn.c | 207 + + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 305 ++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 370 ++ + grsecurity/grsec_disabled.c | 434 +++ + grsecurity/grsec_exec.c | 187 + + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 ++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 326 ++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 222 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 +++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 319 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 215 + + include/linux/grmsg.h | 111 + + include/linux/grsecurity.h | 242 ++ + include/linux/grsock.h | 19 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/mm.h | 1 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 12 + + include/linux/sched.h | 68 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/skbuff.h | 3 + + include/linux/slab.h | 9 - + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/uidgid.h | 5 + + include/linux/vermagic.h | 9 +- + include/net/secure_seq.h | 1 + + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 3 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 110 +- + kernel/exit.c | 10 +- + kernel/fork.c | 41 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 71 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 81 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 8 + + kernel/printk.c | 13 +- + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 45 +- + kernel/sysctl.c | 39 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + lib/vsprintf.c | 35 +- + localversion-grsec | 1 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 64 +- + mm/mprotect.c | 8 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/8021q/vlan.c | 7 + + net/core/dev_ioctl.c | 4 + + net/core/net-procfs.c | 5 + + net/core/secure_seq.c | 4 +- + net/core/sock_diag.c | 7 + + net/ipv4/af_inet.c | 5 +- + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 7 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 2 +- + net/phonet/af_phonet.c | 2 +- + net/sctp/probe.c | 2 +- + net/sctp/proc.c | 3 +- + net/socket.c | 66 +- + net/sysctl_net.c | 2 +- + net/tipc/link.c | 11 +- + net/unix/af_unix.c | 31 +- + security/Kconfig | 342 ++- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/tomoyo/mount.c | 4 + + security/yama/Kconfig | 2 +- + 291 files changed, 15221 insertions(+), 2052 deletions(-) + +commit 88854c350c899bceca4a94598c42bed44d0dc91b +Author: Brad Spengler +Date: Mon May 13 07:37:47 2013 -0400 + + Initial import of pax-linux-3.9.2-test2.patch + + Documentation/dontdiff | 45 +- + Documentation/kernel-parameters.txt | 12 + + Makefile | 100 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 8 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 421 ++- + arch/arm/include/asm/cache.h | 5 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 6 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/patch.c | 2 + + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 15 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 15 +- + arch/arm/kernel/vmlinux.lds.S | 22 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 2 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/gpmc.c | 22 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_device.c | 4 +- + arch/arm/mach-omap2/omap_device.h | 4 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-omap2/wd_timer.c | 6 +- + arch/arm/mach-ux500/include/mach/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 91 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 36 +- + arch/arm/mm/mmu.c | 187 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 3 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 26 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 7 + + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 9 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/smp.h | 2 +- + arch/powerpc/include/asm/uaccess.h | 140 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 23 +- + arch/powerpc/platforms/cell/spufs/file.c | 4 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 1 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/kernel/us3_cpufreq.c | 69 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 ++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 6 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 8 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 21 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + + arch/x86/crypto/sha1_ssse3_asm.S | 2 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 6 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 +- + arch/x86/include/asm/bitops.h | 4 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/compat.h | 2 +- + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 67 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/io.h | 21 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/nmi.h | 6 +- + arch/x86/include/asm/page_64.h | 2 +- + arch/x86/include/asm/paravirt.h | 46 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 113 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel.c | 2 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 8 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 63 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 ++- + arch/x86/kernel/entry_64.S | 530 ++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head64.c | 1 - + arch/x86/kernel/head_32.S | 237 +- + arch/x86/kernel/head_64.S | 120 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 10 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 8 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes/core.c | 30 +- + arch/x86/kernel/kprobes/opt.c | 16 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 19 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/kernel/process.c | 57 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 4 +- + arch/x86/kernel/setup.c | 19 +- + arch/x86/kernel/setup_percpu.c | 29 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 248 + + arch/x86/kernel/sys_x86_64.c | 19 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 57 +- + arch/x86/kvm/x86.c | 10 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 70 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 376 +- + arch/x86/lib/usercopy_64.c | 25 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 556 ++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 90 +- + arch/x86/mm/init_32.c | 119 +- + arch/x86/mm/init_64.c | 44 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 15 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/physaddr.c | 4 +- + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/irq.c | 8 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 19 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 4 +- + arch/x86/realmode/init.c | 8 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/relocs.c | 95 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 4 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/bus.c | 4 +- + drivers/base/devtmpfs.c | 2 +- + drivers/base/node.c | 2 +- + drivers/base/power/domain.c | 4 +- + drivers/base/power/wakeup.c | 8 +- + drivers/base/syscore.c | 4 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 22 +- + drivers/block/loop.c | 2 +- + drivers/block/pktcdvd.c | 2 +- + drivers/cdrom/cdrom.c | 9 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/frontend.c | 2 +- + drivers/char/hpet.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 41 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 10 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clocksource/arm_arch_timer.c | 2 +- + drivers/clocksource/metag_generic.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 +- + drivers/cpufreq/cpufreq.c | 9 +- + drivers/cpufreq/cpufreq_governor.c | 4 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_mc_sysfs.c | 12 +- + drivers/edac/edac_pci_sysfs.c | 22 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-cdev.c | 3 +- + drivers/firewire/core-device.c | 2 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efivars.c | 4 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 6 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 13 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 4 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 26 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/iommu/iommu.c | 2 +- + drivers/iommu/irq_remapping.c | 10 +- + drivers/irqchip/irq-gic.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/page_tables.c | 2 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/pci/cx88/cx88-video.c | 6 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/mfd/twl4030-irq.c | 9 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/devices/doc2000.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 18 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/slip/slhc.c | 2 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/vxlan.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 7 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/iio/iio_hwmon.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/storage/usb.h | 2 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 5 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 +- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 36 +- + drivers/video/uvesafb.c | 53 +- + drivers/video/vesafb.c | 58 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 11 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/endian.h | 4 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 605 +++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 8 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/ecryptfs/read_write.c | 2 +- + fs/exec.c | 362 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/ext4/super.c | 2 +- + fs/fhandle.c | 3 +- + fs/fifo.c | 22 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 2 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 6 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 2 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nfsd/nfscache.c | 8 +- + fs/nfsd/vfs.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 33 +- + fs/proc/array.c | 20 + + fs/proc/base.c | 4 +- + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/proc_sysctl.c | 18 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/qnx6/qnx6.h | 4 +- + fs/quota/netlink.c | 4 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 36 +- + fs/sysfs/bin.c | 6 +- + fs/sysfs/dir.c | 2 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/udf/misc.c | 2 +- + fs/ufs/swab.h | 4 +- + fs/xattr.c | 21 + + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 + + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 17 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 4 +- + include/linux/binfmts.h | 3 +- + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/compat.h | 6 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 65 +- + include/linux/completion.h | 6 +- + include/linux/configfs.h | 2 +- + include/linux/cpu.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/cpumask.h | 12 +- + include/linux/crypto.h | 6 +- + include/linux/ctype.h | 2 +- + include/linux/decompress/mm.h | 2 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/err.h | 4 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fscache.h | 2 +- + include/linux/fsnotify.h | 2 +- + include/linux/ftrace_event.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/hwmon-sysfs.h | 5 +- + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/iommu.h | 2 +- + include/linux/ioport.h | 2 +- + include/linux/irq.h | 3 +- + include/linux/irqchip/arm-gic.h | 2 +- + include/linux/key-type.h | 2 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 3 +- + include/linux/kobject_ns.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 15 + + include/linux/math64.h | 6 +- + include/linux/mm.h | 110 +- + include/linux/mm_types.h | 20 + + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 6 +- + include/linux/module.h | 60 +- + include/linux/moduleloader.h | 16 + + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/net.h | 2 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter.h | 2 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/perf_event.h | 12 +- + include/linux/pipe_fs_i.h | 6 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/platform_data/usb-exynos.h | 2 +- + include/linux/pm_domain.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/proc_fs.h | 2 +- + include/linux/random.h | 5 + + include/linux/rculist.h | 16 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 67 +- + include/linux/sched/sysctl.h | 1 + + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 36 +- + include/linux/slab_def.h | 33 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 10 +- + include/linux/sock_diag.h | 2 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/addr.h | 8 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscalls.h | 2 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 3 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 24 +- + include/linux/usb.h | 4 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/linux/xattr.h | 5 +- + include/linux/zlib.h | 3 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-ioctl.h | 1 - + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/gro_cells.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip.h | 2 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 8 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 12 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/netns/ipv4.h | 2 +- + include/net/protocol.h | 4 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 8 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 28 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/swab.h | 6 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 22 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 77 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/futex_compat.c | 2 +- + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/irq_work.c | 7 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 4 +- + kernel/kprobes.c | 8 +- + kernel/ksysfs.c | 2 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 337 +- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 7 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/pid_namespace.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 20 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 8 +- + kernel/rcupdate.c | 4 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 68 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 20 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 51 +- + kernel/sched/fair.c | 4 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 18 +- + kernel/srcu.c | 4 +- + kernel/sys.c | 10 +- + kernel/sysctl.c | 39 +- + kernel/time.c | 2 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 6 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 20 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 8 +- + kernel/trace/trace.h | 2 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + kernel/user_namespace.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + lib/Kconfig.debug | 6 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/div64.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 126 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/swiotlb.c | 2 +- + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 70 +- + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 26 +- + mm/memory.c | 424 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 16 +- + mm/mmap.c | 576 ++- + mm/mprotect.c | 139 +- + mm/mremap.c | 44 +- + mm/nommu.c | 21 +- + mm/page-writeback.c | 4 +- + mm/page_alloc.c | 41 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 105 +- + mm/slab.h | 5 +- + mm/slab_common.c | 11 +- + mm/slob.c | 201 +- + mm/slub.c | 99 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 82 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/mod.c | 4 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 13 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 18 +- + net/decnet/af_decnet.c | 1 + + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/devinet.c | 14 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 15 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 18 +- + net/ipv4/sysctl_net_ipv4.c | 45 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv4/xfrm4_policy.c | 14 +- + net/ipv6/addrconf.c | 6 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 8 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- + net/ipv6/raw.c | 19 +- + net/ipv6/reassembly.c | 13 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/ipv6/udp.c | 8 +- + net/ipv6/xfrm6_policy.c | 13 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 8 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 14 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 2 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 14 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/phonet/sysctl.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/rds.h | 2 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/socket.c | 21 +- + net/sctp/sysctl.c | 4 +- + net/socket.c | 18 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/unix/sysctl_net_unix.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 27 +- + net/xfrm/xfrm_state.c | 29 +- + net/xfrm/xfrm_sysctl.c | 2 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/headers_install.pl | 1 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/package/builddeb | 1 + + scripts/pnmtologo.c | 6 +- + scripts/sortextable.h | 6 +- + security/Kconfig | 675 +++- + security/apparmor/lsm.c | 2 +- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/key.c | 18 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + security/yama/yama_lsm.c | 22 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 45 + + tools/gcc/checker_plugin.c | 171 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 518 ++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 ++ + tools/gcc/latent_entropy_plugin.c | 327 ++ + tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 2114 ++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/gcc/structleak_plugin.c | 276 + + tools/perf/util/include/asm/alternative-asm.h | 3 + + tools/perf/util/include/linux/compiler.h | 8 + + virt/kvm/kvm_main.c | 32 +- + 1555 files changed, 30474 insertions(+), 7126 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch +commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 +Merge: 814820a 3a59a59 +Author: Brad Spengler +Date: Sun May 12 21:51:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f +Author: Brad Spengler +Date: Sun May 12 21:50:07 2013 -0400 + + Update to pax-linux-3.8.13-test24.patch: + - fixed sparc/constification compile error, reported by blake + - UDEREF/amd64 should be a bit more efficient when disabled at boot time + - fixed some unnecessary integer truncations that could trip up the size overflow plugin + + arch/arm/kernel/vmlinux.lds.S | 4 ++-- + arch/sparc/kernel/us3_cpufreq.c | 4 ++-- + arch/x86/ia32/ia32entry.S | 4 ++-- + arch/x86/include/asm/pgtable.h | 6 ++++-- + arch/x86/include/asm/uaccess.h | 6 +++--- + arch/x86/kernel/kprobes-opt.c | 4 ++++ + arch/x86/lib/copy_user_nocache_64.S | 2 +- + arch/x86/lib/getuser.S | 8 ++++---- + arch/x86/lib/putuser.S | 8 ++++---- + arch/x86/mm/fault.c | 6 +++--- + drivers/net/slip/slhc.c | 2 +- + drivers/staging/iio/ring_sw.c | 2 +- + fs/binfmt_elf.c | 6 +++--- + fs/nfsd/nfscache.c | 2 +- + fs/xattr.c | 21 +++++++++++++++++++++ + include/linux/syscalls.h | 2 +- + include/linux/xattr.h | 3 +++ + init/main.c | 3 +++ + kernel/futex_compat.c | 2 +- + kernel/trace/trace.h | 2 +- + net/socket.c | 2 +- + security/Kconfig | 2 +- + 22 files changed, 67 insertions(+), 34 deletions(-) + +commit 814820abfe5b9a34401d838b2510431a4cd92be9 +Author: Dan Carpenter +Date: Mon May 6 09:31:17 2013 +0000 + + Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa + + tipc: potential divide by zero in tipc_link_recv_fragment() + + The worry here is that fragm_sz could be zero since it comes from + skb->data. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/tipc/link.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 +Author: Dan Carpenter +Date: Mon May 6 08:28:41 2013 +0000 + + Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc + + tipc: add a bounds check in link_recv_changeover_msg() + + The bearer_id here comes from skb->data and it can be a number from 0 to + 7. The problem is that the ->links[] array has only 2 elements so I + have added a range check. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/tipc/link.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +commit ed0428c4ef6c5498870772f212ac651216eb8d0c +Merge: 2452d8d dbf932a +Author: Brad Spengler +Date: Sun May 12 21:18:25 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/cpu/perf_event_intel_uncore.c + arch/x86/mm/init.c + +commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 +Author: Brad Spengler +Date: Sun May 12 20:24:01 2013 -0400 + + compile fix + + grsecurity/gracl.c | 1 + + grsecurity/gracl_segv.c | 1 + + 2 files changed, 2 insertions(+), 0 deletions(-) + +commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 +Author: Brad Spengler +Date: Sun May 12 18:25:26 2013 -0400 + + fix btrfs support here as well + + grsecurity/gracl_segv.c | 17 +++++++++-------- + 1 files changed, 9 insertions(+), 8 deletions(-) + +commit c75e4664fe4d20da1639f70d9def097c4f20856b +Author: Brad Spengler +Date: Sun May 12 18:12:57 2013 -0400 + + Fix RBAC compatibility with btrfs compiled as a module, as + reported on the forums by YuHg at: + http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 + + fs/btrfs/inode.c | 11 +---------- + grsecurity/gracl.c | 19 ++++++++++--------- + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_disabled.c | 2 +- + 4 files changed, 13 insertions(+), 21 deletions(-) + +commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 +Author: Brad Spengler +Date: Sat May 11 12:12:00 2013 -0400 + + allow copies just up to the start of kernel code + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 04638852588cf243f865f5a73aa9dab94fab53b7 +Author: Brad Spengler +Date: Fri May 10 16:53:07 2013 -0400 + + MODULES_EXEC_VADDR is a virtual address + + fs/exec.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 +Author: Brad Spengler +Date: Fri May 10 16:51:03 2013 -0400 + + exempt module rx areas from usercopy protection under i386 kernexec + their .rodata will be placed between stext/etext causing copies of + constant strings to trigger usercopy reports/terminations + + fs/exec.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da +Author: Brad Spengler +Date: Wed May 8 20:25:52 2013 -0400 + + User jorgus on the forums: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 + discovered that the upstreamed version of enforcing RLIMIT_NPROC + at setuid/exec time missed an important corner case: + If RLIMIT_NPROC is set after a setuid occurs and the user's process + limit is reached elsewhere, no enforcement of RLIMIT_NPROC will + happen at exec time for the task with a modified RLIMIT_NPROC. + + This patch fixes that. + + kernel/sys.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff +Merge: 539fff0 2452d8d +Author: Brad Spengler +Date: Wed May 8 18:13:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a +Merge: 6c850d8 9c9ab76 +Author: Brad Spengler +Date: Wed May 8 18:13:31 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/irq.c + kernel/trace/trace_stack.c + +commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a +Author: Brad Spengler +Date: Tue May 7 21:43:00 2013 -0400 + + turn counter into a flag + + grsecurity/Kconfig | 2 +- + grsecurity/grsec_chroot.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 +Author: Brad Spengler +Date: Tue May 7 21:02:39 2013 -0400 + + add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity + useful for Fedora/RHEL users + + grsecurity/Kconfig | 10 ++++++++++ + grsecurity/grsec_chroot.c | 17 +++++++++++++++-- + 2 files changed, 25 insertions(+), 2 deletions(-) + +commit 418102925c0cfb0de51b0a021abaa575e28fafa6 +Author: Peter Zijlstra +Date: Fri May 3 14:11:25 2013 +0200 + + Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 + + perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL + + We should always have proper privileges when requesting kernel + data. + + Signed-off-by: Peter Zijlstra + Cc: + Cc: Andi Kleen + Cc: eranian@google.com + Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl + [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] + Signed-off-by: Ingo Molnar + Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org + + arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- + 1 files changed, 10 insertions(+), 3 deletions(-) + +commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 +Author: Eric Dumazet +Date: Mon Apr 29 05:58:52 2013 +0000 + + Upstream commit: aebda156a570782a86fc4426842152237a19427d + + net: defer net_secret[] initialization + + Instead of feeding net_secret[] at boot time, defer the init + at the point first socket is created. + + This permits some platforms to use better entropy sources than + the ones available at boot time. + + Signed-off-by: Eric Dumazet + Signed-off-by: David S. Miller + + include/net/secure_seq.h | 1 + + net/core/secure_seq.c | 4 +--- + net/ipv4/af_inet.c | 5 ++++- + 3 files changed, 6 insertions(+), 4 deletions(-) + +commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac +Author: Daniel Borkmann +Date: Wed May 1 02:59:23 2013 +0000 + + Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 + + net: sctp: attribute printl with __printf for gcc fmt checks + + Let GCC check for format string errors in sctp's probe printl + function. This patch fixes the warning when compiled with W=1: + + net/sctp/probe.c:73:2: warning: function might be possible candidate + for 'gnu_printf' format attribute [-Wmissing-format-attribute] + + Signed-off-by: Daniel Borkmann + Signed-off-by: David S. Miller + + net/sctp/probe.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 +Author: Brad Spengler +Date: Thu May 2 19:58:54 2013 -0400 + + remove no-longer-needed vmware 8 compat fix + + mm/page_alloc.c | 6 ------ + 1 files changed, 0 insertions(+), 6 deletions(-) + +commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 +Author: Brad Spengler +Date: Thu May 2 19:55:23 2013 -0400 + + remove unnecessary < 0 check + + net/phonet/af_phonet.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f +Author: Brad Spengler +Date: Wed May 1 18:30:48 2013 -0400 + + remove references to CONFIG_X86_WP_WORKS_OK + + arch/um/defconfig | 1 - + security/Kconfig | 2 +- + 2 files changed, 1 insertions(+), 2 deletions(-) + +commit 408da6791f93ffe00d26bfe919f1b2218fe0804d +Merge: a8dbe8e 6c850d8 +Author: Brad Spengler +Date: Wed May 1 18:28:44 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/mm/ultra.S + drivers/tty/tty_io.c + +commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf +Merge: cdbcbef 9fa1d01 +Author: Brad Spengler +Date: Wed May 1 18:25:18 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 +Author: Brad Spengler +Date: Mon Apr 29 18:44:23 2013 -0400 + + add module.h to silence compiler warning, thanks to + Sergei Trofimovich + + fs/btrfs/inode.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 55eba82aca97aa56378e000840c48965557721e8 +Author: Brad Spengler +Date: Mon Apr 29 18:43:03 2013 -0400 + + compilation fix + + kernel/trace/trace.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e3bf912b54af6df7fbebc68b5999554562056c5c +Merge: 5b72e37 cdbcbef +Author: Brad Spengler +Date: Mon Apr 29 18:34:42 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit cdbcbef45c4f003cbee11e10668a35d424c17c60 +Author: Brad Spengler +Date: Mon Apr 29 18:33:35 2013 -0400 + + Update to pax-linux-3.8.10-test21.patch: + - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 + - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 + note that the false positive is not fixed yet + - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin + - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) + - reverted the nested NMI fix in search for a real one + - simplified the arm_delay_ops constification + + arch/arm/include/asm/delay.h | 8 ++++---- + arch/arm/lib/delay.c | 17 +++++------------ + arch/x86/kernel/entry_64.S | 11 ++++++++++- + arch/x86/kernel/i8259.c | 2 +- + arch/x86/kernel/pci-calgary_64.c | 2 +- + arch/x86/kvm/vmx.c | 4 ++-- + drivers/block/pktcdvd.c | 2 +- + fs/btrfs/extent-tree.c | 2 +- + fs/nfsd/nfscache.c | 6 ++++-- + kernel/trace/trace.c | 2 +- + tools/gcc/structleak_plugin.c | 4 ++++ + 11 files changed, 34 insertions(+), 26 deletions(-) + +commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 +Author: Brad Spengler +Date: Fri Apr 26 20:53:06 2013 -0400 + + don't use file_inode() + + drivers/tty/tty_io.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 +Author: Jiri Slaby +Date: Fri Apr 26 13:48:53 2013 +0200 + + Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee + + TTY: fix atime/mtime regression + + In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") + we removed timestamps from tty inodes to fix a security issue and waited + if something breaks. Well, 'w', the utility to find out logged users + and their inactivity time broke. It shows that users are inactive since + the time they logged in. + + To revert to the old behaviour while still preventing attackers to + guess the password length, we update the timestamps in one-minute + intervals by this patch. + + Signed-off-by: Jiri Slaby + Cc: Greg Kroah-Hartman + Signed-off-by: Linus Torvalds + + Conflicts: + + drivers/tty/tty_io.c + + drivers/tty/tty_io.c | 15 ++++++++++++++- + 1 files changed, 14 insertions(+), 1 deletions(-) + +commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec +Author: Jiri Slaby +Date: Fri Feb 15 15:25:05 2013 +0100 + + Upstream commit: b0de59b5733d + + TTY: do not update atime/mtime on read/write + + On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find + out length of a password using timestamps of /dev/ptmx. It is + documented in "Timing Analysis of Keystrokes and Timing Attacks on + SSH". To avoid that problem, do not update time when reading + from/writing to a TTY. + + I am afraid of regressions as this is a behavior we have since 0.97 + and apps may expect the time to be current, e.g. for monitoring + whether there was a change on the TTY. Now, there is no change. So + this would better have a lot of testing before it goes upstream. + + References: CVE-2013-0160 + + Signed-off-by: Jiri Slaby + Cc: stable # after 3.9 is out + Signed-off-by: Greg Kroah-Hartman + + drivers/tty/tty_io.c | 8 ++------ + 1 files changed, 2 insertions(+), 6 deletions(-) + +commit 5344a24e2320d61dbdb88aae04922f0799deefd0 +Author: Zhao Hongjiang +Date: Fri Apr 26 11:03:53 2013 +0800 + + Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad + + aio: fix possible invalid memory access when DEBUG is enabled + + dprintk() shouldn't access @ring after it's unmapped. + + Signed-off-by: Zhao Hongjiang + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + fs/aio.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 +Author: John David Anglin +Date: Tue Apr 23 22:42:07 2013 +0200 + + Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 + + parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates + + User applications running on SMP kernels have long suffered from instability + and random segmentation faults. This patch improves the situation although + there is more work to be done. + + One of the problems is the various routines in pgtable.h that update page table + entries use different locking mechanisms, or no lock at all (set_pte_at). This + change modifies the routines to all use the same lock pa_dbit_lock. This lock + is used for dirty bit updates in the interruption code. The patch also purges + the TLB entries associated with the PTE to ensure that inconsistent values are + not used after the page table entry is updated. The UP and SMP code are now + identical. + + The change also includes a minor update to the purge_tlb_entries function in + cache.c to improve its efficiency. + + Signed-off-by: John David Anglin + Cc: Helge Deller + Signed-off-by: Helge Deller + + arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- + arch/parisc/kernel/cache.c | 5 +--- + 2 files changed, 26 insertions(+), 26 deletions(-) + +commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 +Merge: ba54c97 4d05084 +Author: Brad Spengler +Date: Fri Apr 26 18:17:20 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/x86/kvm/x86.c + include/linux/capability.h + +commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 +Merge: c664779 bb8dd67 +Author: Brad Spengler +Date: Fri Apr 26 18:15:45 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 +Author: David S. Miller +Date: Wed Apr 24 16:52:18 2013 -0700 + + Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee + + sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. + + Reported-by: Meelis Roos + Signed-off-by: David S. Miller + + arch/sparc/mm/tlb.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 +Author: David S. Miller +Date: Fri Apr 19 17:26:26 2013 -0400 + + Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 + + sparc64: Fix race in TLB batch processing. + + As reported by Dave Kleikamp, when we emit cross calls to do batched + TLB flush processing we have a race because we do not synchronize on + the sibling cpus completing the cross call. + + So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) + and either flushes are missed or flushes will flush the wrong + addresses. + + Fix this by using generic infrastructure to synchonize on the + completion of the cross call. + + This first required getting the flush_tlb_pending() call out from + switch_to() which operates with locks held and interrupts disabled. + The problem is that smp_call_function_many() cannot be invoked with + IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). + + We get the batch processing outside of locked IRQ disabled sections by + using some ideas from the powerpc port. Namely, we only batch inside + of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a + region, we flush TLBs synchronously. + + 1) Get rid of xcall_flush_tlb_pending and per-cpu type + implementations. + + 2) Do TLB batch cross calls instead via: + + smp_call_function_many() + tlb_pending_func() + __flush_tlb_pending() + + 3) Batch only in lazy mmu sequences: + + a) Add 'active' member to struct tlb_batch + b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE + c) Set 'active' in arch_enter_lazy_mmu_mode() + d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() + e) Check 'active' in tlb_batch_add_one() and do a synchronous + flush if it's clear. + + 4) Add infrastructure for synchronous TLB page flushes. + + a) Implement __flush_tlb_page and per-cpu variants, patch + as needed. + b) Likewise for xcall_flush_tlb_page. + c) Implement smp_flush_tlb_page() to invoke the cross-call. + d) Wire up global_flush_tlb_page() to the right routine based + upon CONFIG_SMP + + 5) It turns out that singleton batches are very common, 2 out of every + 3 batch flushes have only a single entry in them. + + The batch flush waiting is very expensive, both because of the poll + on sibling cpu completeion, as well as because passing the tlb batch + pointer to the sibling cpus invokes a shared memory dereference. + + Therefore, in flush_tlb_pending(), if there is only one entry in + the batch perform a completely asynchronous global_flush_tlb_page() + instead. + + Reported-by: Dave Kleikamp + Signed-off-by: David S. Miller + Acked-by: Dave Kleikamp + + arch/sparc/include/asm/pgtable_64.h | 1 + + arch/sparc/include/asm/switch_to_64.h | 3 +- + arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- + arch/sparc/kernel/smp_64.c | 41 ++++++++++- + arch/sparc/mm/tlb.c | 38 +++++++++- + arch/sparc/mm/tsb.c | 57 ++++++++++++---- + arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- + 7 files changed, 241 insertions(+), 55 deletions(-) + +commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 +Author: Linus Torvalds +Date: Fri Apr 19 15:32:32 2013 +0000 + + Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 + + net: fix incorrect credentials passing + + Commit 257b5358b32f ("scm: Capture the full credentials of the scm + sender") changed the credentials passing code to pass in the effective + uid/gid instead of the real uid/gid. + + Obviously this doesn't matter most of the time (since normally they are + the same), but it results in differences for suid binaries when the wrong + uid/gid ends up being used. + + This just undoes that (presumably unintentional) part of the commit. + + Reported-by: Andy Lutomirski + Cc: Eric W. Biederman + Cc: Serge E. Hallyn + Cc: David S. Miller + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + Acked-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + include/net/scm.h | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 +Author: Brad Spengler +Date: Thu Apr 18 19:22:40 2013 -0400 + + move _etext to only cover kernel code, not read-only data, as reported by Gu1 + + arch/arm/kernel/vmlinux.lds.S | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 98ad6adbc48759e4f9eae435d3e51ba487155685 +Author: Brad Spengler +Date: Thu Apr 18 19:17:24 2013 -0400 + + add asm/sections.h for USERCOPY change + + fs/exec.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 +Author: Dmitry Popov +Date: Thu Apr 11 08:55:07 2013 +0000 + + Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 + + tcp: incoming connections might use wrong route under synflood + + There is a bug in cookie_v4_check (net/ipv4/syncookies.c): + flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), + RT_SCOPE_UNIVERSE, IPPROTO_TCP, + inet_sk_flowi_flags(sk), + (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, + ireq->loc_addr, th->source, th->dest); + + Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be + taken. This dst_entry is used by new socket (get_cookie_sock -> + tcp_v4_syn_recv_sock), so its packets may take the wrong path. + + Signed-off-by: Dmitry Popov + Signed-off-by: David S. Miller + + net/ipv4/syncookies.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 3600395e8fef3ae712e72f9b68c3609639616df8 +Author: Thomas Graf +Date: Thu Apr 11 10:57:18 2013 +0000 + + Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 + + tcp: Reallocate headroom if it would overflow csum_start + + If a TCP retransmission gets partially ACKed and collapsed multiple + times it is possible for the headroom to grow beyond 64K which will + overflow the 16bit skb->csum_start which is based on the start of + the headroom. It has been observed rarely in the wild with IPoIB due + to the 64K MTU. + + Verify if the acking and collapsing resulted in a headroom exceeding + what csum_start can cover and reallocate the headroom if so. + + A big thank you to Jim Foraker and the team at + LLNL for helping out with the investigation and testing. + + Reported-by: Jim Foraker + Signed-off-by: Thomas Graf + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv4/tcp_output.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 +Author: Ivan Vecera +Date: Fri Apr 12 16:49:24 2013 +0200 + + Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f + + be2net: take care of __vlan_put_tag return value + + The driver should use return value of __vlan_put_tag with appropriate + NULL-check instead of old skb pointer. + + Signed-off-by: Ivan Vecera + Signed-off-by: David S. Miller + + drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 +Author: Wei Yongjun +Date: Fri Apr 12 03:17:12 2013 +0000 + + Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 + + tuntap: fix error return code in tun_set_iff() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + [ Bug added in linux-3.8 , commit 4008e97f866db665 + ("tuntap: fix ambigious multiqueue API") ] + + Signed-off-by: Wei Yongjun + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + drivers/net/tun.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c +Author: Wei Yongjun +Date: Sat Apr 13 15:49:03 2013 +0000 + + Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 + + esp4: fix error return code in esp_output() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + Signed-off-by: Wei Yongjun + Acked-by: Steffen Klassert + Signed-off-by: David S. Miller + + net/ipv4/esp4.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 2b45b5f52c2a8930f80c62de392a62516c83e225 +Author: Bjørn Mork +Date: Tue Apr 16 00:17:07 2013 +0000 + + Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 + + net: cdc_mbim: remove bogus sizeof() + + The intention was to test against the constant, not the size of + the constant. + + Signed-off-by: Bjørn Mork + Signed-off-by: David S. Miller + + drivers/net/usb/cdc_mbim.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 17d7408795519037a5a1272c7888238e20830bfe +Author: Vyacheslav Dubeyko +Date: Wed Apr 17 15:58:33 2013 -0700 + + Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 + + hfsplus: fix potential overflow in hfsplus_file_truncate() + + Change a u32 to loff_t hfsplus_file_truncate(). + + Signed-off-by: Vyacheslav Dubeyko + Cc: Christoph Hellwig + Cc: Al Viro + Cc: Hin-Tak Leung + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/hfsplus/extents.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b +Author: Emese Revfy +Date: Wed Apr 17 15:58:36 2013 -0700 + + Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f + + kernel/signal.c: stop info leak via the tkill and the tgkill syscalls + + This fixes a kernel memory contents leak via the tkill and tgkill syscalls + for compat processes. + + This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field + when handling signals delivered from tkill. + + The place of the infoleak: + + int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) + { + ... + put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); + ... + } + + Signed-off-by: Emese Revfy + Reviewed-by: PaX Team + Signed-off-by: Kees Cook + Cc: Al Viro + Cc: Oleg Nesterov + Cc: "Eric W. Biederman" + Cc: Serge Hallyn + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/signal.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 +Author: Brad Spengler +Date: Wed Apr 17 20:17:00 2013 -0400 + + Improve PAX_USERCOPY to reject direct copies to/from main kernel text + + fs/exec.c | 29 +++++++++++++++++++++++++++-- + 1 files changed, 27 insertions(+), 2 deletions(-) + +commit 3cb37d0c0c77dc3928ff8417f982139f95366eba +Merge: e87c19f c664779 +Author: Brad Spengler +Date: Wed Apr 17 20:06:08 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c664779987cb0c27a242029f0e0db812e3236203 +Author: Brad Spengler +Date: Wed Apr 17 19:54:09 2013 -0400 + + add intentional_overflow marking for resource_size() as reasoned by: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 + + include/linux/ioport.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e87c19f8312355b8658e5138c16bfa6043a379c8 +Merge: 802d119 d0c636c +Author: Brad Spengler +Date: Wed Apr 17 16:57:12 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit d0c636ceaaf406e606898ce3e770e32fb043ea8a +Merge: bc88628 2396403 +Author: Brad Spengler +Date: Wed Apr 17 16:57:01 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/x86/kernel/paravirt.c + +commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b +Author: Brad Spengler +Date: Sun Apr 14 21:39:51 2013 -0400 + + move location of RBAC user check on setfsuid until after capability checks + for consistency with other checks + + kernel/sys.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 1a860d7d67051559ab2e6d10f9888649c92904e6 +Author: Brad Spengler +Date: Sun Apr 14 21:34:46 2013 -0400 + + A denied setfsuid by the RBAC system would result in an abort_creds() being called + with an uninitalized pointer, introduced by a bad forward-port + + kernel/sys.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 +Merge: c38d142 bc88628 +Author: Brad Spengler +Date: Sun Apr 14 21:28:33 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit bc88628a6a8fcccaabb90908640809b0540df225 +Author: Brad Spengler +Date: Sun Apr 14 21:26:41 2013 -0400 + + Update to pax-linux-3.8.7-test20.patch: + - fixed KERNEXEC and NMI nesting problem reported by stef&hunger + - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 + - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) + - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) + + arch/powerpc/include/asm/smp.h | 2 +- + arch/x86/Kconfig | 4 ++-- + arch/x86/kernel/entry_64.S | 8 ++++---- + security/Kconfig | 2 +- + 4 files changed, 8 insertions(+), 8 deletions(-) + +commit c38d142744489fc4d9be80188b6435a278438fd9 +Author: Suleiman Souhlal +Date: Sat Apr 13 16:03:06 2013 -0700 + + Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 + + vfs: Revert spurious fix to spinning prevention in prune_icache_sb + + Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). + + This commit doesn't look right: since we are looking at the tail of the + list (sb->s_inode_lru.prev) if we want to skip an inode, we should put + it back at the head of the list instead of the tail, otherwise we will + keep spinning on it. + + Discovered when investigating why prune_icache_sb came top in perf + reports of a swapping load. + + Signed-off-by: Suleiman Souhlal + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org # v3.2+ + Signed-off-by: Linus Torvalds + + fs/inode.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 93019624b80ba59798393942798d7f6ed0c1dbc6 +Author: Linus Torvalds +Date: Sat Apr 13 15:15:30 2013 -0700 + + Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 + + kobject: fix kset_find_obj() race with concurrent last kobject_put() + + Anatol Pomozov identified a race condition that hits module unloading + and re-loading. To quote Anatol: + + "This is a race codition that exists between kset_find_obj() and + kobject_put(). kset_find_obj() might return kobject that has refcount + equal to 0 if this kobject is freeing by kobject_put() in other + thread. + + Here is timeline for the crash in case if kset_find_obj() searches for + an object tht nobody holds and other thread is doing kobject_put() on + the same kobject: + + THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) + splin_lock() + atomic_dec_return(kobj->kref), counter gets zero here + ... starts kobject cleanup .... + spin_lock() // WAIT thread A in kobj_kset_leave() + iterate over kset->list + atomic_inc(kobj->kref) (counter becomes 1) + spin_unlock() + spin_lock() // taken + // it does not know that thread A increased counter so it + remove obj from list + spin_unlock() + vfree(module) // frees module object with containing kobj + + // kobj points to freed memory area!! + kobject_put(kobj) // OOPS!!!! + + The race above happens because module.c tries to use kset_find_obj() + when somebody unloads module. The module.c code was introduced in + commit 6494a93d55fa" + + Anatol supplied a patch specific for module.c that worked around the + problem by simply not using kset_find_obj() at all, but rather than make + a local band-aid, this just fixes kset_find_obj() to be thread-safe + using the proper model of refusing the get a new reference if the + refcount has already dropped to zero. + + See examples of this proper refcount handling not only in the kref + documentation, but in various other equivalent uses of this pattern by + grepping for atomic_inc_not_zero(). + + [ Side note: the module race does indicate that module loading and + unloading is not properly serialized wrt sysfs information using the + module mutex. That may require further thought, but this is the + correct fix at the kobject layer regardless. ] + + Reported-analyzed-and-tested-by: Anatol Pomozov + Cc: Greg Kroah-Hartman + Cc: Al Viro + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + lib/kobject.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +commit 5277b052b5fab36729e1255fb3b12f47a4b12867 +Author: Dave Hansen +Date: Fri Apr 12 16:23:54 2013 -0700 + + Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 + + x86-32: Fix possible incomplete TLB invalidate with PAE pagetables + + This patch attempts to fix: + + https://bugzilla.kernel.org/show_bug.cgi?id=56461 + + The symptom is a crash and messages like this: + + chrome: Corrupted page table at address 34a03000 + *pdpt = 0000000000000000 *pde = 0000000000000000 + Bad pagetable: 000f [#1] PREEMPT SMP + + Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: + enable tlb flush range support for x86") since that code started to free + unused pagetables. + + On x86-32 PAE kernels, that new code has the potential to free an entire + PMD page and will clear one of the four page-directory-pointer-table + (aka pgd_t entries). + + The hardware aggressively "caches" these top-level entries and invlpg + does not actually affect the CPU's copy. If we clear one we *HAVE* to + do a full TLB flush, otherwise we might continue using a freed pmd page. + (note, we do this properly on the population side in pud_populate()). + + This patch tracks whenever we clear one of these entries in the 'struct + mmu_gather', and ensures that we follow up with a full tlb flush. + + BTW, I disassembled and checked that: + + if (tlb->fullmm == 0) + and + if (!tlb->fullmm && !tlb->need_flush_all) + + generate essentially the same code, so there should be zero impact there + to the !PAE case. + + Signed-off-by: Dave Hansen + Cc: Peter Anvin + Cc: Ingo Molnar + Cc: Artem S Tashkinov + Signed-off-by: Linus Torvalds + + arch/x86/include/asm/tlb.h | 2 +- + arch/x86/mm/pgtable.c | 7 +++++++ + include/asm-generic/tlb.h | 7 ++++++- + mm/memory.c | 1 + + 4 files changed, 15 insertions(+), 2 deletions(-) + +commit 521e573fc77d1783c1d4636dfbb4617a922f043d +Merge: 032f626 f807619 +Author: Brad Spengler +Date: Fri Apr 12 19:29:34 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f80761993b85df96fc142dfc3a317cadc0f8eae5 +Author: Brad Spengler +Date: Fri Apr 12 19:28:21 2013 -0400 + + Update to pax-linux-3.8.7-test19.patch: + - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld + - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) + - fixed the structleak plugin to compile for gcc 4.5-4.6 as well + + Makefile | 2 +- + arch/x86/xen/enlighten.c | 6 +++--- + tools/gcc/structleak_plugin.c | 5 +++-- + 3 files changed, 7 insertions(+), 6 deletions(-) + +commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 +Merge: a3a770e 89886f5 +Author: Brad Spengler +Date: Fri Apr 12 18:38:40 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89886f561cc0d1c42a99624ec8c3704711088155 +Merge: 9123489 531ec28 +Author: Brad Spengler +Date: Fri Apr 12 18:38:30 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit a3a770e18578841e4fbe2aa0831a22811b4812cf +Author: Brad Spengler +Date: Thu Apr 11 20:46:20 2013 -0400 + + Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" + Will be fixed with the next PaX patch + + This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 +Author: Konrad Rzeszutek Wilk +Date: Fri Mar 29 10:20:56 2013 -0400 + + Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 + + xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. + + Occassionaly on a DL380 G4 the guest would crash quite early with this: + + (XEN) d244:v0: unhandled page fault (ec=0003) + (XEN) Pagetable walk from ffffffff84dc7000: + (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 + (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d + (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def + (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 + (XEN) domain_crash_sync called from entry.S + (XEN) Domain 244 (vcpu#0) crashed on cpu#3: + (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- + (XEN) CPU: 3 + (XEN) RIP: e033:[] + (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest + (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f + (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 + + The offending code shows it to be a loop writting the value zero + (%rax) in the %rdi (the L4 provided by Xen) register: + + 0: 44 00 00 add %r8b,(%rax) + 3: 31 c0 xor %eax,%eax + 5: b9 40 00 00 00 mov $0x40,%ecx + a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) + 11: 00 00 + 13: ff c9 dec %ecx + 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction + 18: 48 89 47 08 mov %rax,0x8(%rdi) + 1c: 48 89 47 10 mov %rax,0x10(%rdi) + + which fails. xen_setup_kernel_pagetable recycles some of the Xen's + page-table entries when it has switched over to its Linux page-tables. + + Right before try to clear the page, we make a hypercall to change + it from _RO to _RW and that works (otherwise we would hit an BUG()). + And the _RW flag is set for that page: + (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 + + The error code is 3, so PFEC_page_present and PFEC_write_access, so page is + present (correct), and we tried to write to the page, but a violation + occurred. The one theory is that the the page entries in hardware + (which are cached) are not up to date with what we just set. Especially + as we have just done an CR3 write and flushed the multicalls. + + This patch does solve the problem by flusing out the TLB page + entry after changing it from _RO to _RW and we don't hit this + issue anymore. + + Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO + 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] + Reported-and-Tested-by: Saar Maoz + Signed-off-by: Konrad Rzeszutek Wilk + + arch/x86/xen/mmu.c | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 +Author: Namhyung Kim +Date: Mon Apr 1 21:46:23 2013 +0900 + + Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 + + tracing: Fix double free when function profile init failed + + On the failure path, stat->start and stat->pages will refer same page. + So it'll attempt to free the same page again and get kernel panic. + + Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org + + Cc: Frederic Weisbecker + Cc: Namhyung Kim + Cc: stable@vger.kernel.org + Signed-off-by: Namhyung Kim + Signed-off-by: Steven Rostedt + + kernel/trace/ftrace.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb +Author: Neil Horman +Date: Tue Apr 9 23:19:00 2013 +0000 + + Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 + + e100: Add dma mapping error check + + e100 uses pci_map_single, but fails to check for a dma mapping error after its + use, resulting in a stack trace: + + [ 46.656594] ------------[ cut here ]------------ + [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() + [ 46.657004] Hardware name: To Be Filled By O.E.M. + [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map + error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] + [ 46.657004] Modules linked in: + [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus + snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc + e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp + k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd + sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit + drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core + sata_promise crc_itu_t + [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 + [ 46.657004] Call Trace: + [ 46.657004] [] warn_slowpath_common+0x70/0xa0 + [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 + [ 46.657004] [] check_unmap+0x47b/0x950 + [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 + [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] + [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] + [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] + [ 46.657004] [] ? net_rx_action+0xa1/0x370 + [ 46.657004] [] net_rx_action+0x172/0x370 + [ 46.657004] [] __do_softirq+0xef/0x3d0 + [ 46.657004] [] call_softirq+0x1c/0x30 + [ 46.657004] [] do_softirq+0x85/0xc0 + [ 46.657004] [] irq_exit+0xd5/0xe0 + [ 46.657004] [] do_IRQ+0x56/0xc0 + [ 46.657004] [] common_interrupt+0x72/0x72 + [ 46.657004] [] ? + _raw_spin_unlock_irqrestore+0x3b/0x70 + [ 46.657004] [] __slab_free+0x58/0x38b + [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 + [ 46.657004] [] ? kmem_cache_free+0x97/0x320 + [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 + [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 + [ 46.657004] [] kmem_cache_free+0x312/0x320 + [ 46.657004] [] sock_destroy_inode+0x34/0x40 + [ 46.657004] [] destroy_inode+0x38/0x60 + [ 46.657004] [] evict+0x10e/0x1a0 + [ 46.657004] [] iput+0xf5/0x180 + [ 46.657004] [] dput+0x248/0x310 + [ 46.657004] [] __fput+0x171/0x240 + [ 46.657004] [] ____fput+0xe/0x10 + [ 46.657004] [] task_work_run+0xac/0xe0 + [ 46.657004] [] do_exit+0x26d/0xc30 + [ 46.657004] [] ? finish_task_switch+0x7c/0x120 + [ 46.657004] [] ? retint_swapgs+0x13/0x1b + [ 46.657004] [] do_group_exit+0x49/0xc0 + [ 46.657004] [] sys_exit_group+0x14/0x20 + [ 46.657004] [] system_call_fastpath+0x16/0x1b + [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- + [ 46.657004] Mapped at: + [ 46.657004] [] debug_dma_map_page+0x91/0x140 + [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] + [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] + [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] + [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 + + Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the + dma_mapping_error check in the obvious place + + This was reported previously here: + http://article.gmane.org/gmane.linux.network/257893 + + But nobody stepped up and fixed it. + + CC: Josh Boyer + CC: e1000-devel@lists.sourceforge.net + Signed-off-by: Neil Horman + Reported-by: Michal Jaegermann + Tested-by: Aaron Brown + Signed-off-by: Jeff Kirsher + Signed-off-by: David S. Miller + + drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- + 1 files changed, 25 insertions(+), 11 deletions(-) + +commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 +Author: Trond Myklebust +Date: Wed Apr 10 12:44:18 2013 -0400 + + Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 + + NFSv4: Doh! Typo in the fix to nfs41_walk_client_list + + Make sure that we set the status to 0 on success. Missed in testing + because it never appears when doing multiple mounts to _different_ + servers. + + Signed-off-by: Trond Myklebust + Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list + + fs/nfs/nfs4client.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea +Author: Yuval Mintz +Date: Wed Apr 10 13:34:39 2013 +0300 + + Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b + + bnx2x: Prevent null pointer dereference in AFEX mode + + The cnic module is responsible for initializing various bnx2x structs + via callbacks provided by the bnx2x module. + One such struct is the queue object for the FCoE queue. + + If a device is working in AFEX mode and its configuration allows FCoE yet + the cnic module is not loaded, it's very likely a null pointer dereference + will occur, as the bnx2x will erroneously access the FCoE's queue object. + + Prevent said access until cnic properly registers itself. + + Signed-off-by: Yuval Mintz + Signed-off-by: Ariel Elior + Signed-off-by: Eilon Greenstein + Signed-off-by: David S. Miller + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 2908830232725db624aaa052f7ad38d1f98bf541 +Author: Wei Yongjun +Date: Tue Apr 9 14:16:04 2013 +0800 + + Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc + + can: gw: use kmem_cache_free() instead of kfree() + + Memory allocated by kmem_cache_alloc() should be freed using + kmem_cache_free(), not kfree(). + + Cc: linux-stable # >= v3.2 + Signed-off-by: Wei Yongjun + Acked-by: Oliver Hartkopp + Signed-off-by: Marc Kleine-Budde + + net/can/gw.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit d40b572e845a5fb561e3c4a80cc306cd38888a4e +Author: Christoph Paasch +Date: Sun Apr 7 04:53:15 2013 +0000 + + Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd + + ipv6/tcp: Stop processing ICMPv6 redirect messages + + Tetja Rediske found that if the host receives an ICMPv6 redirect message + after sending a SYN+ACK, the connection will be reset. + + He bisected it down to 093d04d (ipv6: Change skb->data before using + icmpv6_notify() to propagate redirect), but the origin of the bug comes + from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error + handlers.). The bug simply did not trigger prior to 093d04d, because + skb->data did not point to the inner IP header and thus icmpv6_notify + did not call the correct err_handler. + + This patch adds the missing "goto out;" in tcp_v6_err. After receiving + an ICMPv6 Redirect, we should not continue processing the ICMP in + tcp_v6_err, as this may trigger the removal of request-socks or setting + sk_err(_soft). + + Reported-by: Tetja Rediske + Signed-off-by: Christoph Paasch + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/ipv6/tcp_ipv6.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit c7d5c2524456ef3ea9194840e7a9a75069a46824 +Author: Brad Spengler +Date: Wed Apr 10 20:32:54 2013 -0400 + + - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit acac2380fd97acee4367d2aa24c74322dcf1d22b +Author: Trond Myklebust +Date: Fri Apr 5 16:11:11 2013 -0400 + + Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc + + NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list + + It is unsafe to use list_for_each_entry_safe() here, because + when we drop the nn->nfs_client_lock, we pin the _current_ list + entry and ensure that it stays in the list, but we don't do the + same for the _next_ list entry. Use of list_for_each_entry() is + therefore the correct thing to do. + + Also fix the refcounting in nfs41_walk_client_list(). + + Finally, ensure that the nfs_client has finished being initialised + and, in the case of NFSv4.1, that the session is set up. + + Signed-off-by: Trond Myklebust + Cc: Chuck Lever + Cc: Bryan Schumaker + Cc: stable@vger.kernel.org [>= 3.7] + + fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- + 1 files changed, 28 insertions(+), 16 deletions(-) + +commit a6cf5f387b882ac0ce655b75f623f86c075517be +Author: Chuck Lever +Date: Fri Mar 22 12:52:59 2013 -0400 + + Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e + + SUNRPC: Remove extra xprt_put() + + While testing error cases where rpc_new_client() fails, I saw + some oopses. + + If rpc_new_client() fails, it already invokes xprt_put(). Thus + __rpc_clone_client() does not need to invoke it again. + + Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" + Fri Sep 14, 2012. + + Signed-off-by: Chuck Lever + Cc: stable@vger.kernel.org [>=3.7] + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 +Author: Trond Myklebust +Date: Fri Apr 5 14:13:21 2013 -0400 + + Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 + + SUNRPC: Fix a potential memory leak in rpc_new_client + + If the call to rpciod_up() fails, we currently leak a reference to the + struct rpc_xprt. + As part of the fix, we also remove the redundant check for xprt!=NULL. + This is already taken care of by the callers. + + Signed-off-by: Trond Myklebust + + net/sunrpc/clnt.c | 7 ++----- + 1 files changed, 2 insertions(+), 5 deletions(-) + +commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac +Author: Brad Spengler +Date: Wed Apr 10 19:16:05 2013 -0400 + + From https://lkml.org/lkml/2013/4/8/469: + [PATCH] rtnetlink: call nlmsg_parse() with correct header length + + net/core/rtnetlink.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9529169b8c405874fd543b785f53c74fa0501c2a +Author: Christopher Harvey +Date: Fri Apr 5 10:51:15 2013 -0400 + + Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 + + drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. + + This change properly enables the "requester" in G200ER cards that is + responsible for getting pixels out of memory and clocking them out to + the screen. + + Signed-off-by: Christopher Harvey + Cc: stable@vger.kernel.org + Signed-off-by: Dave Airlie + + drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- + 1 files changed, 3 insertions(+), 10 deletions(-) + +commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a +Author: Al Viro +Date: Thu Mar 28 13:30:23 2013 -0400 + + Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee + + ecryptfs: close rmmod race + + Signed-off-by: Al Viro + + fs/ecryptfs/miscdev.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b +Author: Brad Spengler +Date: Wed Apr 10 19:03:45 2013 -0400 + + Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 + + arch/ia64/kernel/palinfo.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 83280e384ae3ceadad30369ced111dc7d4b46085 +Author: Andrey Vagin +Date: Tue Apr 9 17:33:29 2013 +0400 + + Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 + + mnt: release locks on error path in do_loopback + + do_loopback calls lock_mount(path) and forget to unlock_mount + if clone_mnt or copy_mnt fails. + + [ 77.661566] ================================================ + [ 77.662939] [ BUG: lock held when returning to user space! ] + [ 77.664104] 3.9.0-rc5+ #17 Not tainted + [ 77.664982] ------------------------------------------------ + [ 77.666488] mount/514 is leaving the kernel with locks still held! + [ 77.668027] 2 locks held by mount/514: + [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 + [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 + + Signed-off-by: Andrey Vagin + Signed-off-by: Al Viro + + fs/namespace.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 679e536b9d9536d804f049fe942367a596253e6d +Author: Alex Williamson +Date: Tue Mar 26 11:33:16 2013 -0600 + + Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c + + vfio-pci: Fix possible integer overflow + + The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both + of which are unsigned. We attempt to bounds check these, but fail to + account for the case where start is a very large number, allowing + start + count to wrap back into the valid range. Bounds check both + start and start + count. + + Reported-by: Dan Carpenter + Signed-off-by: Alex Williamson + + drivers/vfio/pci/vfio_pci.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 +Author: Brad Spengler +Date: Wed Apr 10 18:48:45 2013 -0400 + + Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot + + security/Kconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b5261a6384ee42499b29495aaae40b271e77d394 +Author: Brad Spengler +Date: Tue Apr 9 17:30:45 2013 -0400 + + some undefined behavior fixups + + grsecurity/gracl.c | 4 ++-- + grsecurity/gracl_ip.c | 10 +++++----- + grsecurity/gracl_segv.c | 4 ++-- + 3 files changed, 9 insertions(+), 9 deletions(-) + +commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 +Author: Brad Spengler +Date: Tue Apr 9 17:28:54 2013 -0400 + + don't whine about denied ipv6 when it's not enabled + + grsecurity/gracl_ip.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 +Merge: 97bca88 9123489 +Author: Brad Spengler +Date: Tue Apr 9 17:18:45 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 9123489428c58668a89f316db6619739cbdd2c2a +Author: Brad Spengler +Date: Tue Apr 9 17:17:46 2013 -0400 + + Update to pax-linux-3.8.6-test18.patch: + - new size overflow plugin from Emese to work around a gcc optimization + resulting in an intentional overflow, reported by Carlos Carvalho + (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) + + tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- + 1 files changed, 66 insertions(+), 2 deletions(-) + +commit 97bca8889e0f1e853f16b7026c39c6729a8587ab +Merge: 675a41e e9d6073 +Author: Brad Spengler +Date: Mon Apr 8 21:32:59 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/sparc/kernel/us3_cpufreq.c + +commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef +Author: Brad Spengler +Date: Mon Apr 8 21:19:03 2013 -0400 + + Update to pax-linux-3.8.6-test17.patch: + - fixed ia64/ppc/sparc compilation by spender + - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) + + arch/ia64/include/asm/uaccess.h | 2 - + arch/powerpc/include/asm/uaccess.h | 2 - + arch/sparc/include/asm/uaccess.h | 7 ---- + arch/sparc/kernel/prom_common.c | 2 +- + arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- + tools/gcc/structleak_plugin.c | 15 ++++---- + 6 files changed, 28 insertions(+), 69 deletions(-) + +commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b +Author: Brad Spengler +Date: Sun Apr 7 12:00:50 2013 -0400 + + fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin + + net/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5a216624a06429488f24ce47db093da042f90e48 +Author: Brad Spengler +Date: Sat Apr 6 13:22:24 2013 -0400 + + fix typo + + arch/sparc/kernel/us3_cpufreq.c | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +commit e476ca18d21788898cd3acd1b57049971a2fb70f +Author: Brad Spengler +Date: Sat Apr 6 13:16:13 2013 -0400 + + properly fix cpufreq_driver for ultrasparc III with constification + + arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ + 1 files changed, 17 insertions(+), 18 deletions(-) + +commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae +Author: Brad Spengler +Date: Sat Apr 6 12:58:48 2013 -0400 + + mark prom_sparc_ops __initconst + + arch/sparc/kernel/prom_common.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 +Author: Brad Spengler +Date: Sat Apr 6 12:53:16 2013 -0400 + + fix ia64/powerpc/sparc compilation + + arch/ia64/include/asm/uaccess.h | 2 -- + arch/powerpc/include/asm/uaccess.h | 2 -- + arch/sparc/include/asm/uaccess.h | 7 ------- + 3 files changed, 0 insertions(+), 11 deletions(-) + +commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 +Author: Johannes Berg +Date: Tue Mar 19 20:26:57 2013 +0100 + + Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d + + cfg80211: fix wdev tracing crash + + Arend reported a crash in tracing if the driver returns an + ERR_PTR() value from the add_virtual_intf() callback. This + is due to the tracing then still attempting to dereference + the "pointer", fix this by using IS_ERR_OR_NULL(). + + Reported-by: Arend van Spriel + Tested-by: Arend van Spriel + Signed-off-by: Johannes Berg + + net/wireless/trace.h | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd +Author: Johannes Berg +Date: Mon Mar 25 11:51:14 2013 +0100 + + Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b + + mac80211: fix remain-on-channel cancel crash + + If a ROC item is canceled just as it expires, the work + struct may be scheduled while it is running (and waiting + for the mutex). This results in it being run after being + freed, which obviously crashes. + + To fix this don't free it when aborting is requested but + instead mark it as "to be freed", which makes the work a + no-op and allows freeing it outside. + + Cc: stable@vger.kernel.org [3.6+] + Reported-by: Jouni Malinen + Tested-by: Jouni Malinen + Signed-off-by: Johannes Berg + + net/mac80211/cfg.c | 6 ++++-- + net/mac80211/ieee80211_i.h | 3 ++- + net/mac80211/offchannel.c | 23 +++++++++++++++++------ + 3 files changed, 23 insertions(+), 9 deletions(-) + +commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 +Author: Stone Piao +Date: Fri Mar 29 19:21:21 2013 -0700 + + Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f + + mwifiex: limit channel number not to overflow memory + + Limit the channel number in scan request, or the driver scan + config structure memory will be overflowed. + + Cc: # 3.5+ + Signed-off-by: Stone Piao + Signed-off-by: Bing Zhao + Signed-off-by: John W. Linville + + drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 207c411512bdaf0e4271f93ecac6ca26588da36f +Author: Gao feng +Date: Thu Mar 21 19:48:41 2013 +0000 + + Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe + + netfilter: reset nf_trace in nf_reset + + We forgot to clear the nf_trace of sk_buff in nf_reset, + When we use veth device, this nf_trace information will + be leaked from one net namespace to another net namespace. + + Signed-off-by: Gao feng + Signed-off-by: Pablo Neira Ayuso + + include/linux/skbuff.h | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f +Author: Wei Yongjun +Date: Fri Mar 22 01:28:18 2013 +0000 + + Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c + + netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() + + Fix to return a negative error code from the error handling + case instead of 0, as returned elsewhere in this function. + + Signed-off-by: Wei Yongjun + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_queue_core.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +commit a79feb7d3251eca577d83d7f69eee2b961ab2924 +Author: Pablo Neira Ayuso +Date: Sat Mar 23 16:57:59 2013 +0100 + + Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 + + netfilter: nfnetlink_acct: return -EINVAL if object name is empty + + If user-space tries to create accounting object with an empty + name, then return -EINVAL. + + Reported-by: Michael Zintakis + Signed-off-by: Pablo Neira Ayuso + + net/netfilter/nfnetlink_acct.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 +Author: Matthias Schiffer +Date: Sat Mar 30 10:23:12 2013 +0000 + + Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 + + netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths + + The bitmask used for the prefix mangling was being calculated + incorrectly, leading to the wrong part of the address being replaced + when the prefix length wasn't a multiple of 32. + + Signed-off-by: Matthias Schiffer + Signed-off-by: Pablo Neira Ayuso + + net/ipv6/netfilter/ip6t_NPT.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e +Author: Veaceslav Falico +Date: Wed Apr 3 05:46:33 2013 +0000 + + Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d + + bonding: remove sysfs before removing devices + + We have a race condition if we try to rmmod bonding and simultaneously add + a bond master through sysfs. In bonding_exit() we first remove the devices + (through rtnl_link_unregister() ) and only after that we remove the sysfs. + If we manage to add a device through sysfs after that the devices were + removed - we'll end up with that device/sysfs structure and with the module + unloaded. + + Fix this by first removing the sysfs and only after that calling + rtnl_link_unregister(). + + Signed-off-by: Veaceslav Falico + Signed-off-by: David S. Miller + + drivers/net/bonding/bond_main.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d12cae44a9d12441d81c489178803237219d403d +Author: Eric W. Biederman +Date: Wed Apr 3 16:14:47 2013 +0000 + + Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 + + af_unix: If we don't care about credentials coallesce all messages + + It was reported that the following LSB test case failed + https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we + were not coallescing unix stream messages when the application was + expecting us to. + + The problem was that the first send was before the socket was accepted + and thus sock->sk_socket was NULL in maybe_add_creds, and the second + send after the socket was accepted had a non-NULL value for sk->socket + and thus we could tell the credentials were not needed so we did not + bother. + + The unnecessary credentials on the first message cause + unix_stream_recvmsg to start verifying that all messages had the same + credentials before coallescing and then the coallescing failed because + the second message had no credentials. + + Ignoring credentials when we don't care in unix_stream_recvmsg fixes a + long standing pessimization which would fail to coallesce messages when + reading from a unix stream socket if the senders were different even if + we did not care about their credentials. + + I have tested this and verified that the in the LSB test case mentioned + above that the messages do coallesce now, while the were failing to + coallesce without this change. + + Reported-by: Karel Srot + Reported-by: Ding Tianhong + Signed-off-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf +Author: Eric W. Biederman +Date: Wed Apr 3 16:13:35 2013 +0000 + + Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 + + Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" + + This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. + + The problem that the above patch was meant to address is that af_unix + messages are not being coallesced because we are sending unnecesarry + credentials. Not sending credentials in maybe_add_creds totally + breaks unconnected unix domain sockets that wish to send credentails + to other sockets. + + In practice this break some versions of udev because they receive a + message and the sending uid is bogus so they drop the message. + + Reported-by: Sven Joachim + Signed-off-by: "Eric W. Biederman" + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 +Author: Wei Yongjun +Date: Wed Mar 20 21:31:42 2013 +0000 + + Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e + + lantiq_etop: use free_netdev(netdev) instead of kfree() + + Freeing netdev without free_netdev() leads to net, tx leaks. + And it may lead to dereferencing freed pointer. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + + drivers/net/ethernet/lantiq_etop.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f +Author: Cong Wang +Date: Fri Mar 22 19:14:07 2013 +0000 + + Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb + + 8021q: fix a potential use-after-free + + vlan_vid_del() could possibly free ->vlan_info after a RCU grace + period, however, we may still refer to the freed memory area + by 'grp' pointer. Found by code inspection. + + This patch moves vlan_vid_del() as behind as possible. + + Cc: Patrick McHardy + Cc: "David S. Miller" + Signed-off-by: Cong Wang + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/8021q/vlan.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +commit fff29c277024a39845d4b535083c8dafc21b45d9 +Author: Hong zhi guo +Date: Sat Mar 23 02:27:50 2013 +0000 + + Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 + + bridge: fix crash when set mac address of br interface + + When I tried to set mac address of a bridge interface to a mac + address which already learned on this bridge, I got system hang. + + The cause is straight forward: function br_fdb_change_mac_address + calls fdb_insert with NULL source nbp. Then an fdb lookup is + performed. If an fdb entry is found and it's local, it's OK. But + if it's not local, source is dereferenced for printk without NULL + check. + + Signed-off-by: Hong Zhiguo + Signed-off-by: David S. Miller + + net/bridge/br_fdb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 +Author: Kumar Amit Mehta +Date: Sat Mar 23 20:10:25 2013 +0000 + + Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a + + bnx2x: fix assignment of signed expression to unsigned variable + + fix for incorrect assignment of signed expression to unsigned variable. + + Signed-off-by: Kumar Amit Mehta + Acked-by: Dmitry Kravkov + Signed-off-by: David S. Miller + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e +Author: dingtianhong +Date: Mon Mar 25 17:02:04 2013 +0000 + + Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 + + af_unix: dont send SCM_CREDENTIAL when dest socket is NULL + + SCM_SCREDENTIALS should apply to write() syscalls only either source or destination + socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, + and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). + + Origionally-authored-by: Karel Srot + Signed-off-by: Ding Tianhong + Acked-by: Eric Dumazet + Signed-off-by: David S. Miller + + net/unix/af_unix.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit b964e1e61f0f0ccaa380be3342f956c604054bdc +Author: Eric W. Biederman +Date: Thu Mar 21 02:30:41 2013 -0700 + + Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 + + yama: Better permission check for ptraceme + + Change the permission check for yama_ptrace_ptracee to the standard + ptrace permission check, testing if the traceer has CAP_SYS_PTRACE + in the tracees user namespace. + + Reviewed-by: Kees Cook + Signed-off-by: "Eric W. Biederman" + + security/yama/yama_lsm.c | 4 +--- + 1 files changed, 1 insertions(+), 3 deletions(-) + +commit b94e71c7b6abe75989edff18aca2781233fa143b +Author: Stanislav Kinsbursky +Date: Mon Apr 1 11:40:51 2013 +0400 + + Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d + + ipc: set msg back to -EAGAIN if copy wasn't performed + + Make sure that msg pointer is set back to error value in case of + MSG_COPY flag is set and desired message to copy wasn't found. This + garantees that msg is either a error pointer or a copy address. + + Otherwise the last message in queue will be freed without unlinking from + the queue (which leads to memory corruption) and the dummy allocated + copy won't be released. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: Linus Torvalds + + ipc/msg.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 +Author: Jan Kara +Date: Fri Mar 29 15:39:16 2013 +0100 + + Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 + + reiserfs: Fix warning and inode leak when deleting inode with xattrs + + After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs + started failing to delete xattrs from inode. This was due to a buggy + test for '.' and '..' in fill_with_dentries() which resulted in passing + '.' and '..' entries to lookup_one_len() in some cases. That returned + error and so we failed to iterate over all xattrs of and inode. + + Fix the test in fill_with_dentries() along the lines of the one in + lookup_one_len(). + + Reported-by: Pawel Zawora + CC: stable@vger.kernel.org + Signed-off-by: Jan Kara + + fs/reiserfs/xattr.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit 9f07957378e0f55abb81da8e23b124a608fbe1cc +Author: Paul Bolle +Date: Wed Apr 3 12:24:45 2013 +0100 + + Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 + + ARM: 7690/1: mm: fix CONFIG_LPAE typos + + CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix + up the two typos under arch/arm/. + + The fix to head.S is slightly scary, but this is just for setting up + an early io-mapping for the serial port when running on a big-endian, + LPAE system. Since these systems don't exist in the wild (at least, I + have no access to one outside of kvmtool, which doesn't provide a serial + port suitable for earlyprintk), then we can revisit the code later if it + causes any problems. + + Signed-off-by: Paul Bolle + Signed-off-by: Will Deacon + Signed-off-by: Russell King + + arch/arm/kernel/head.S | 2 +- + arch/arm/kernel/setup.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 984ba346b2d8f158473e9723ba145031368431ed +Author: Catalin Marinas +Date: Tue Mar 26 23:35:04 2013 +0100 + + Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb + + ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) + + On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down + all use of the old entries. This patch implements the erratum workaround + which consists of: + + 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. + 2. Send IPI to the CPUs that are running the same mm (and ASID) as the + one being invalidated (or all the online CPUs for global pages). + 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception + return code already). + + Signed-off-by: Catalin Marinas + Signed-off-by: Russell King + + Conflicts: + + arch/arm/include/asm/tlbflush.h + arch/arm/kernel/smp_tlb.c + arch/arm/mm/context.c + + arch/arm/Kconfig | 10 +++++ + arch/arm/include/asm/highmem.h | 7 ++++ + arch/arm/include/asm/mmu_context.h | 2 + + arch/arm/include/asm/tlbflush.h | 15 ++++++++ + arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ + arch/arm/mm/context.c | 6 ++- + 6 files changed, 104 insertions(+), 2 deletions(-) + +commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 +Author: Jan Stancek +Date: Thu Apr 4 11:35:10 2013 -0700 + + Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c + + mm: prevent mmap_cache race in find_vma() + + find_vma() can be called by multiple threads with read lock + held on mm->mmap_sem and any of them can update mm->mmap_cache. + Prevent compiler from re-fetching mm->mmap_cache, because other + readers could update it in the meantime: + + thread 1 thread 2 + | + find_vma() | find_vma() + struct vm_area_struct *vma = NULL; | + vma = mm->mmap_cache; | + if (!(vma && vma->vm_end > addr | + && vma->vm_start <= addr)) { | + | mm->mmap_cache = vma; + return vma; | + ^^ compiler may optimize this | + local variable out and re-read | + mm->mmap_cache | + + This issue can be reproduced with gcc-4.8.0-1 on s390x by running + mallocstress testcase from LTP, which triggers: + + kernel BUG at mm/rmap.c:1088! + Call Trace: + ([<000003d100c57000>] 0x3d100c57000) + [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 + [<000000000023baae>] handle_pte_fault+0x41a/0xac8 + [<000000000023d832>] handle_mm_fault+0x17a/0x268 + [<000000000060507a>] do_protection_exception+0x1e2/0x394 + [<0000000000603a04>] pgm_check_handler+0x138/0x13c + [<000003fffcf1f07a>] 0x3fffcf1f07a + Last Breaking-Event-Address: + [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 + + Thanks to Jakub Jelinek for his insight on gcc and helping to + track this down. + + Signed-off-by: Jan Stancek + Acked-by: David Rientjes + Signed-off-by: Hugh Dickins + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + mm/mmap.c | 2 +- + mm/nommu.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit 53f5096daa14967938bc154e6c41f9119863fb36 +Merge: e988d7c 0a45285 +Author: Brad Spengler +Date: Fri Apr 5 17:32:31 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/net/ethernet/broadcom/tg3.c + +commit 0a452855444d02502df6eb21ef3083cf303f71e1 +Merge: 0277fa1 00cfbb8 +Author: Brad Spengler +Date: Fri Apr 5 17:31:15 2013 -0400 + + Update to pax-linux-3.8.6-test16.patch: + - fixed some attribute leakage into userland headers, patch by Mathias Krause + - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + drivers/gpu/drm/i915/intel_display.c + +commit e988d7c8d946c816a2cb97f0d38048a1584966b8 +Merge: baec40e 0277fa1 +Author: Brad Spengler +Date: Wed Apr 3 22:05:41 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0277fa123b486cf11420967e4568d7653e225fd3 +Author: Brad Spengler +Date: Wed Apr 3 22:04:48 2013 -0400 + + Update to pax-linux-3.8.5-test15.patch: + - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) + - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) + + drivers/media/pci/cx88/cx88-video.c | 6 +++--- + include/net/net_namespace.h | 4 ++++ + 2 files changed, 7 insertions(+), 3 deletions(-) + +commit baec40e6708fd5ae2000cad6c70c5980c998b91c +Author: Brad Spengler +Date: Tue Apr 2 19:50:32 2013 -0400 + + fix compilation as reported on forums for gcc versions lacking plugin + support + + include/net/net_namespace.h | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 +Merge: 6b69c35 0db9d15 +Author: Brad Spengler +Date: Tue Apr 2 17:47:27 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0db9d156826bdd50510086fde837648a3dfd370e +Author: Brad Spengler +Date: Tue Apr 2 17:46:05 2013 -0400 + + Update to pax-linux-3.8.5-test14.patch: + - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table + + arch/x86/include/asm/uaccess_64.h | 6 +- + include/linux/moduleloader.h | 4 +- + tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- + 3 files changed, 61 insertions(+), 47 deletions(-) + +commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d +Author: Brad Spengler +Date: Tue Apr 2 17:35:06 2013 -0400 + + remove duplicate compiler.h + + include/linux/sysrq.h | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit 01e1d503fd2220adaaec0b92ea19441bdff73555 +Author: Brad Spengler +Date: Fri Mar 29 19:53:50 2013 -0400 + + fix intentional_overflow marking on sys_sendto + + include/linux/syscalls.h | 2 +- + net/socket.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit cd5ff114d958470f471c63775278e8c05e774630 +Author: Brad Spengler +Date: Fri Mar 29 18:46:16 2013 -0400 + + fix size_overflow false positive + + kernel/futex_compat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 295ba16cc53df2375261accbedd6575ea327770a +Merge: 18340f1 278a989 +Author: Brad Spengler +Date: Fri Mar 29 17:36:18 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/exec.c + include/linux/thread_info.h + +commit 278a989c831d62193c7b3d119fe2302babd45d12 +Author: Brad Spengler +Date: Fri Mar 29 17:34:34 2013 -0400 + + Resync with pax-linux-3.8.5-test13.patch + + arch/arm/include/asm/pgtable.h | 3 ++- + arch/arm/lib/delay.c | 1 + + fs/exec.c | 8 ++++---- + include/linux/compiler.h | 1 + + include/linux/proc_fs.h | 2 +- + include/linux/thread_info.h | 6 +++--- + include/linux/zlib.h | 3 ++- + init/main.c | 4 ++-- + kernel/user_namespace.c | 2 +- + lib/list_debug.c | 4 ++-- + mm/slab.c | 1 + + mm/slob.c | 1 + + mm/slub.c | 1 + + net/core/sysctl_net_core.c | 3 +-- + tools/gcc/constify_plugin.c | 1 + + 15 files changed, 24 insertions(+), 17 deletions(-) + +commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 +Merge: 05f01ae e8cfeae +Author: Brad Spengler +Date: Fri Mar 29 17:30:57 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 +Merge: b461cb7 aa4cfde +Author: Brad Spengler +Date: Fri Mar 29 17:30:44 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + drivers/gpu/drm/i915/i915_gem_execbuffer.c + fs/nfsd/vfs.c + +commit 05f01ae4c3479541586a2387f916a6620889c479 +Author: Brad Spengler +Date: Fri Mar 29 17:05:39 2013 -0400 + + Another infoleak, up to 128 bytes on the stack in __sys_recvmsg + takes user-provided length, copies up to that amount in a sockaddr_storage + struct on the stack, then takes an upper-bounded-only user-provided length + and copies the sockaddr_storage struct back out to userland, complete with + uninitialized data + + net/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit eea6ade59490784e83e08ec67322288fcf14cb31 +Author: Brad Spengler +Date: Thu Mar 28 23:07:37 2013 -0400 + + return a proper error, otherwise we could be accessing uninitialized data + (previous define was a positive value) + + drivers/usb/storage/realtek_cr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e +Merge: c3dc9a6 b461cb7 +Author: Brad Spengler +Date: Thu Mar 28 20:54:24 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit b461cb7b1d85490430ef7896c247794af72c3749 +Author: Brad Spengler +Date: Thu Mar 28 20:54:11 2013 -0400 + + Add structleak plugin + + tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 270 insertions(+), 0 deletions(-) + +commit c3dc9a6ef10782894bb11fd088fd712db44d8062 +Author: Brad Spengler +Date: Thu Mar 28 20:53:22 2013 -0400 + + Enable structleak by default for the security auto-config + + security/Kconfig | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e +Merge: d8503a3 74bec16 +Author: Brad Spengler +Date: Thu Mar 28 20:47:10 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 74bec16b657147a5575b1f14f4423a717ba317a6 +Author: Brad Spengler +Date: Thu Mar 28 20:46:13 2013 -0400 + + Update to pax-linux-3.8.4-test13.patch: + - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) + - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland + + Makefile | 5 +++- + arch/x86/include/asm/compat.h | 2 +- + arch/x86/mm/fault.c | 3 +- + fs/binfmt_elf.c | 2 +- + include/linux/compiler.h | 42 ++++++++++++++-------------------------- + security/Kconfig | 16 +++++++++++++++ + tools/gcc/Makefile | 2 + + tools/gcc/constify_plugin.c | 7 +++++- + 8 files changed, 47 insertions(+), 32 deletions(-) + +commit d8503a3a35d68b9ba1615d29335aef3f70d51465 +Author: Brad Spengler +Date: Thu Mar 28 20:02:40 2013 -0400 + + Fix 8-byte stack infoleak in ia32_rt_sigpending + User controls length, kernel only performs check on the upper bound, will + fill in any amount less than sizeof(sigset_t) via a copy_to_user under + KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t + regardless of whether the sigset_t content copied into it has been initialized + or not + + arch/x86/ia32/sys_ia32.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b +Author: Brad Spengler +Date: Tue Mar 26 21:05:05 2013 -0400 + + commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 + Author: J. Bruce Fields + Date: Tue Mar 26 14:11:13 2013 -0400 + + nfsd4: reject "negative" acl lengths + + Since we only enforce an upper bound, not a lower bound, a "negative" + length can get through here. + + The symptom seen was a warning when we attempt to a kmalloc with an + excessive size. + + Reported-by: Toralf Förster + Signed-off-by: J. Bruce Fields + + fs/nfsd/nfs4xdr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 +Author: Jeff Layton +Date: Mon Mar 11 09:52:19 2013 -0400 + + Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 + + cifs: ignore everything in SPNEGO blob after mechTypes + + We've had several reports of people attempting to mount Windows 8 shares + and getting failures with a return code of -EINVAL. The default sec= + mode changed recently to sec=ntlmssp. With that, we expect and parse a + SPNEGO blob from the server in the NEGOTIATE reply. + + The current decode_negTokenInit function first parses all of the + mechTypes and then tries to parse the rest of the negTokenInit reply. + The parser however currently expects a mechListMIC or nothing to follow the + mechTypes, but Windows 8 puts a mechToken field there instead to carry + some info for the new NegoEx stuff. + + In practice, we don't do anything with the fields after the mechTypes + anyway so I don't see any real benefit in continuing to parse them. + This patch just has the kernel ignore the fields after the mechTypes. + We'll probably need to reinstate some of this if we ever want to support + NegoEx. + + Reported-by: Jason Burgess + Reported-by: Yan Li + Signed-off-by: Jeff Layton + Cc: + Signed-off-by: Steve French + + fs/cifs/asn1.c | 53 +++++------------------------------------------------ + 1 files changed, 5 insertions(+), 48 deletions(-) + +commit 0b1c6223105a05d5a84e39a5e951868e37610e1c +Merge: 93ff726 0deb54c +Author: Brad Spengler +Date: Mon Mar 25 18:35:15 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 +Author: Brad Spengler +Date: Mon Mar 25 18:35:05 2013 -0400 + + fix typo + + arch/x86/mm/ioremap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 +Merge: be9f8b8 f95e53a +Author: Brad Spengler +Date: Mon Mar 25 18:30:06 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit f95e53abadb6e4665866e4502ff9f518514193e1 +Author: Brad Spengler +Date: Mon Mar 25 18:29:25 2013 -0400 + + Update to pax-linux-3.8.4-test12.patch: + + - fixed perf compilation reported by Michael Tremer + - fixed USERCOPY reports triggered by SCTP, reported by mcp + - last fix for aslr gap accounting, promise (thanks to spender) + + arch/x86/mm/ioremap.c | 3 +++ + fs/binfmt_elf.c | 5 ++--- + mm/mmap.c | 2 +- + net/sctp/socket.c | 19 +++++++++++++++---- + tools/perf/util/include/linux/compiler.h | 8 ++++++++ + 5 files changed, 29 insertions(+), 8 deletions(-) + +commit be9f8b82b0d8a21d7515fb6e44a907623381c5df +Author: Brad Spengler +Date: Mon Mar 25 16:48:34 2013 -0400 + + From: Al Viro + To: Brad Spengler + Cc: Linus Torvalds + + Umm... I see what you are describing, and AFAICS you are correct; let me + see if I am misreading your analysis: + * vfsmount_lock may act fair; A holding it shared, with B spinning + on attempt to take it exclusive may lead to C spinning on attempt to take + it shared. + * path_is_under() tries get rename_lock while holding vfsmount_lock + shared. + * d_path() et.al. try to take vfsmount_lock shared, while holding + rename_lock. + + All true and yes, it's a bug (I'd probably classify it as a livelock, but + that doesn't make any real difference). There are three possible solutions, + AFAICS: + 1) two-liner in path_is_under() replacing the use of vfsmount_lock + with that of namespace_sem; trivial, but results in function unexpectedly + blocking. The current callers are fine with that, but it's a trouble + waiting to happen. + 2) replace write_seqlock() in prepend_path() callers with + read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike + is_subdir() we need more than just ->d_parent not pointing to something + freed - we also care about ->d_name.len being in sync with ->d_name.name. + It probably can be worked around, but... + + 3) declare that rename_lock nests inside vfsmount_lock and let + the callers of prepend_path() take vfsmount_lock(). I'd probably prefer + that one... + + Nest rename_lock inside vfsmount_lock + + ... lest we get livelocks between path_is_under() and d_path() and friends. + + [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing + the issue ] + + Spotted-by: Brad Spengler + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/dcache.c | 16 +++++++++++----- + grsecurity/gracl.c | 20 ++++++++++---------- + 2 files changed, 21 insertions(+), 15 deletions(-) + +commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee +Author: Linus Torvalds +Date: Fri Mar 22 11:44:04 2013 -0700 + + Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 + + vfs,proc: guarantee unique inodes in /proc + + Dave Jones found another /proc issue with his Trinity tool: thanks to + the namespace model, we can have multiple /proc dentries that point to + the same inode, aliasing directories in /proc//net/ for example. + + This ends up being a total disaster, because it acts like hardlinked + directories, and causes locking problems. We rely on the topological + sort of the inodes pointed to by dentries, and if we have aliased + directories, that odering becomes unreliable. + + In short: don't do this. Multiple dentries with the same (directory) + inode is just a bad idea, and the namespace code should never have + exposed things this way. But we're kind of stuck with it. + + This solves things by just always allocating a new inode during /proc + dentry lookup, instead of using "iget_locked()" to look up existing + inodes by superblock and number. That actually simplies the code a bit, + at the cost of potentially doing more inode [de]allocations. + + That said, the inode lookup wasn't free either (and did a lot of locking + of inodes), so it is probably not that noticeable. We could easily keep + the old lookup model for non-directory entries, but rather than try to + be excessively clever this just implements the minimal and simplest + workaround for the problem. + + Reported-and-tested-by: Dave Jones + Analyzed-by: Al Viro + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/inode.c + + fs/proc/inode.c | 9 +++------ + 1 files changed, 3 insertions(+), 6 deletions(-) + +commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb +Author: Vladimir Davydov +Date: Fri Mar 22 15:04:51 2013 -0700 + + Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 + + mqueue: sys_mq_open: do not call mnt_drop_write() if read-only + + mnt_drop_write() must be called only if mnt_want_write() succeeded, + otherwise the mnt_writers counter will diverge. + + mnt_writers counters are used to check if remounting FS as read-only is + OK, so after an extra mnt_drop_write() call, it would be impossible to + remount mqueue FS as read-only. Besides, on umount a warning would be + printed like this one: + + ===================================== + [ BUG: bad unlock balance detected! ] + 3.9.0-rc3 #5 Not tainted + ------------------------------------- + a.out/12486 is trying to release lock (sb_writers) at: + mnt_drop_write+0x1f/0x30 + but there are no more locks to release! + + Signed-off-by: Vladimir Davydov + Cc: Doug Ledford + Cc: KOSAKI Motohiro + Cc: "Eric W. Biederman" + Cc: Al Viro + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/mqueue.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e +Author: Brad Spengler +Date: Sat Mar 23 13:02:32 2013 -0400 + + Don't use constify plugin if not enabled in config, + reported by Alexey Vlasov + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 3afb82e020593249ac394e9859397c3e0ef5341c +Author: Brad Spengler +Date: Sat Mar 23 12:50:13 2013 -0400 + + oded 0day #2 + http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf + slide 20 + + drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 +Author: Brad Spengler +Date: Sat Mar 23 12:15:50 2013 -0400 + + oded 0day #1 + http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf + slide 18 + + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 +Author: Brad Spengler +Date: Sat Mar 23 12:13:12 2013 -0400 + + remove warning on accessing this /proc entry, HIDESYM already caught the infoleak + + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 44cb11a9470f72157601d0ad4d572d111f90f504 +Author: Brad Spengler +Date: Fri Mar 22 18:11:42 2013 -0400 + + use VM_DONTDUMP + + fs/binfmt_elf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb +Author: Brad Spengler +Date: Fri Mar 22 17:53:09 2013 -0400 + + fix recent RLIMIT_AS changes (due to vm_flags typo) + + Conflicts: + + fs/binfmt_elf.c + + fs/binfmt_elf.c | 2 +- + mm/mmap.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +commit fd5f0d92b0fbec02029dad124501a9c80e527a32 +Author: Brad Spengler +Date: Fri Mar 22 17:08:48 2013 -0400 + + complete_walk drops rcu-walk mode, no need for our own dropping + method outside of generic_permission + + fs/namei.c | 30 ------------------------------ + 1 files changed, 0 insertions(+), 30 deletions(-) + +commit b49ab1c73edb6442eec609b26bba4d850b3111b6 +Merge: 5e9a707 783ade9 +Author: Brad Spengler +Date: Thu Mar 21 21:56:28 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 +Author: Brad Spengler +Date: Thu Mar 21 21:55:31 2013 -0400 + + Update to pax-linux-3.8.3-test11.patch: + - rewrote the ASLR gap accounting code once again + - fixed ptrace compat bug found by the size overflow plugin + + fs/binfmt_elf.c | 25 ++++++++++++------------- + fs/exec.c | 7 ++----- + include/linux/compat.h | 2 +- + include/linux/mm.h | 5 +++++ + include/linux/mm_types.h | 2 +- + kernel/ptrace.c | 2 +- + mm/mmap.c | 15 ++++++++++----- + 7 files changed, 32 insertions(+), 26 deletions(-) + +commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a +Author: Brad Spengler +Date: Thu Mar 21 19:37:33 2013 -0400 + + Make the constify plugin usage actually depend on the introduced config option + (it was still forced on) + + tools/gcc/Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 1974b4f58d9d729c80ac1987785446115304a54c +Author: Brad Spengler +Date: Thu Mar 21 16:12:38 2013 -0400 + + fix failed merge + + arch/arm/mm/fault.c | 15 +++------------ + 1 files changed, 3 insertions(+), 12 deletions(-) + +commit 675a8ab4a8fe8315df348735a37a302a7535224c +Author: Brad Spengler +Date: Wed Mar 20 23:36:14 2013 -0400 + + From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 + From: Kees Cook + Date: Sun, 10 Mar 2013 20:09:31 +0000 + Subject: drm/i915: bounds check execbuffer relocation count + + It is possible to wrap the counter used to allocate the buffer for + relocation copies. This could lead to heap writing overflows. + + CVE-2013-0913 + + Signed-off-by: Kees Cook + Reported-by: Pinkie Pie + Cc: stable@vger.kernel.org + + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 +Author: Andy Honig +Date: Wed Feb 20 14:48:10 2013 -0800 + + Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 + + KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) + + There is a potential use after free issue with the handling of + MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable + memory such as frame buffers then KVM might continue to write to that + address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins + the page in memory so it's unlikely to cause an issue, but if the user + space component re-purposes the memory previously used for the guest, then + the guest will be able to corrupt that memory. + + Tested: Tested against kvmclock unit test + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + arch/x86/include/asm/kvm_host.h | 4 +- + arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- + 2 files changed, 22 insertions(+), 29 deletions(-) + +commit 0bcac31b57c381001feb69fd6ec8069e61e03432 +Author: Andy Honig +Date: Mon Mar 11 09:34:52 2013 -0700 + + Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 + + KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) + + If the guest sets the GPA of the time_page so that the request to update the + time straddles a page then KVM will write onto an incorrect page. The + write is done byusing kmap atomic to get a pointer to the page for the time + structure and then performing a memcpy to that page starting at an offset + that the guest controls. Well behaved guests always provide a 32-byte aligned + address, however a malicious guest could use this to corrupt host kernel + memory. + + Tested: Tested against kvmclock unit test. + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + arch/x86/kvm/x86.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +commit 695c59887e4ec10b0b695ab4f645d1226c433be0 +Author: Andy Honig +Date: Wed Feb 20 14:49:16 2013 -0800 + + Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 + + KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) + + If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows + that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate + that request. ioapic_read_indirect contains an + ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in + non-debug builds. In recent kernels this allows a guest to cause a kernel + oops by reading invalid memory. In older kernels (pre-3.3) this allows a + guest to read from large ranges of host memory. + + Tested: tested against apic unit tests. + + Signed-off-by: Andrew Honig + Signed-off-by: Marcelo Tosatti + + virt/kvm/ioapic.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e +Merge: aec3cd4 c522e3a +Author: Brad Spengler +Date: Wed Mar 20 19:38:25 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 +Merge: c57d855 405acc3 +Author: Brad Spengler +Date: Wed Mar 20 19:38:11 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + +commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 +Author: Brad Spengler +Date: Tue Mar 19 19:56:04 2013 -0400 + + include linux/compiler.h + + include/linux/zlib.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e +Author: Brad Spengler +Date: Tue Mar 19 18:42:20 2013 -0400 + + fix missing sock_release() + + net/irda/af_irda.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit dd65c05cd24faf8946d4941434a553ee285c35a3 +Author: Brad Spengler +Date: Tue Mar 19 18:36:17 2013 -0400 + + fix mpt fusion infoleak + + drivers/message/fusion/mptbase.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit e297b4f150b769efdc4c547d3caf1e3c0f24735f +Author: Brad Spengler +Date: Tue Mar 19 18:33:45 2013 -0400 + + Fix size_overflow false positive reported by slashbeast + + include/linux/zlib.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be +Author: Brad Spengler +Date: Tue Mar 19 17:35:36 2013 -0400 + + fix up failed merge + + arch/arm/mm/fault.c | 9 ++------- + 1 files changed, 2 insertions(+), 7 deletions(-) + +commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd +Author: Brad Spengler +Date: Tue Mar 19 17:34:36 2013 -0400 + + update documentation on consequences of building without gcc plugin support + + Makefile | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 +Author: Brad Spengler +Date: Tue Mar 19 17:18:13 2013 -0400 + + fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums + + init/main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit f00195c633f91cfbd8c1f530d2c371b713026e20 +Author: Brad Spengler +Date: Mon Mar 18 22:27:33 2013 -0400 + + Fix compile error reported by KDE on the forums + + kernel/user_namespace.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 +Merge: 0949569 c57d855 +Author: Brad Spengler +Date: Mon Mar 18 22:20:46 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/mm/fault.c + arch/x86/mm/fault.c + fs/exec.c + +commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 +Author: Brad Spengler +Date: Mon Mar 18 21:22:03 2013 -0400 + + Update to pax-linux-3.8.2-test9.patch: + arm changes from spender + - removed userland access to the vectors page + - removed obsolete sigreturn trampoline handling + - added emulation for __kuser_get_tls + - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) + - fixed recent sysfs/power_supply attr breakage reported by Steven Allen + - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) + - changed debian packager rules to include the compiler plugins, from Tyler Coumbes + - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) + - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values + and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. + + arch/arm/kernel/process.c | 5 +- + arch/arm/kernel/signal.c | 24 +- + arch/arm/kernel/traps.c | 7 - + arch/arm/mm/alignment.c | 8 + + arch/arm/mm/fault.c | 23 +- + arch/arm/mm/mmu.c | 2 +- + arch/x86/include/asm/bitops.h | 2 +- + arch/x86/include/asm/desc.h | 2 +- + arch/x86/include/asm/div64.h | 2 +- + arch/x86/include/asm/io.h | 8 +- + arch/x86/include/asm/paravirt.h | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- + arch/x86/kernel/setup_percpu.c | 2 +- + arch/x86/mm/fault.c | 4 +- + arch/x86/mm/numa.c | 2 +- + arch/x86/mm/physaddr.c | 4 +- + drivers/ata/libahci.c | 2 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- + drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- + drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- + drivers/lguest/page_tables.c | 2 +- + drivers/net/wireless/at76c50x-usb.c | 2 +- + drivers/oprofile/oprofile_files.c | 2 +- + drivers/power/power_supply_core.c | 1 + + drivers/usb/core/message.c | 2 +- + fs/befs/endian.h | 4 +- + fs/binfmt_elf.c | 5 +- + fs/exec.c | 4 +- + fs/qnx6/qnx6.h | 4 +- + fs/sysv/sysv.h | 2 +- + fs/ubifs/io.c | 2 +- + fs/ufs/swab.h | 4 +- + include/linux/compat.h | 4 +- + include/linux/completion.h | 6 +- + include/linux/cpumask.h | 12 +- + include/linux/ctype.h | 2 +- + include/linux/err.h | 4 +- + include/linux/math64.h | 6 +- + include/linux/sched.h | 2 +- + include/linux/unaligned/access_ok.h | 12 +- + include/linux/usb.h | 2 +- + include/uapi/linux/byteorder/little_endian.h | 4 +- + include/uapi/linux/swab.h | 6 +- + kernel/sched/core.c | 6 +- + kernel/signal.c | 3 + + kernel/time.c | 2 +- + kernel/timer.c | 2 +- + lib/div64.c | 4 +- + mm/page-writeback.c | 2 +- + net/socket.c | 2 + + scripts/package/builddeb | 1 + + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- + tools/gcc/size_overflow_plugin.c | 1072 ++-- + 53 files changed, 6227 insertions(+), 3951 deletions(-) + +commit 09495691bb31f11ec14d9127429f9a0f3f716f22 +Author: Brad Spengler +Date: Sun Mar 17 20:51:50 2013 -0400 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit deb85b00d0f9f886e264e116313f298401ec5c59 +Author: Brad Spengler +Date: Sun Mar 17 20:03:33 2013 -0400 + + Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task + with a subject applied to it with RES_CPU. Otherwise, the limit will only + begin to be applied at fork time. + + Thanks to Bjornar Ness for the report. + + grsecurity/gracl.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 2126421f123513f604ceef2b23ba9ed516de7e58 +Author: Brad Spengler +Date: Sat Mar 16 22:07:43 2013 -0400 + + Move inode auditing prior to our refcnt dropping + + fs/namei.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 +Author: Brad Spengler +Date: Sat Mar 16 22:00:30 2013 -0400 + + Drop reference on completed path walked in RCU mode or when violating + the chroot fchdir check inside a chroot -- possible culprit for a reported + vfsmount_lock hang during unmount + + fs/namei.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 +Author: Brad Spengler +Date: Sat Mar 16 16:43:45 2013 -0400 + + add user_arg_ptr back to exec.c + + fs/exec.c | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 +Author: Brad Spengler +Date: Sat Mar 16 11:22:36 2013 -0400 + + Don't globally include compat.h -- with the new X32 support it + changes some definitions involving ELF binaries resulting in invalid + coredumps, as reported by KDE on the forums: + http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 + Thanks to the PaX Team for debugging + + fs/exec.c | 3 +++ + grsecurity/grsec_exec.c | 13 +++++++++++++ + include/linux/grsecurity.h | 15 --------------- + 3 files changed, 16 insertions(+), 15 deletions(-) + +commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a +Author: Brad Spengler +Date: Thu Mar 14 20:59:26 2013 -0400 + + Add peer information to /proc/net/unix from Kenan Kalajdzic: + http://marc.info/?l=linux-netdev&m=126745636809191&w=2 + + We use a "P" prefix to the inode number instead of "peer=". This + additional information can be used, for instance, to find what processes + are connected to MySQL's unix domain socket. + + net/unix/af_unix.c | 12 +++++++++--- + 1 files changed, 9 insertions(+), 3 deletions(-) + +commit 1cd623d11a462d151ea8a5cace4521e1724911a3 +Author: Oliver Neukum +Date: Tue Mar 12 14:52:42 2013 +0100 + + Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa + + USB: cdc-wdm: fix buffer overflow + + The buffer for responses must not overflow. + If this would happen, set a flag, drop the data and return + an error after user space has read all remaining data. + + Signed-off-by: Oliver Neukum + CC: stable@kernel.org + Signed-off-by: Greg Kroah-Hartman + + drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- + 1 files changed, 20 insertions(+), 3 deletions(-) + +commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc +Merge: 9cdf9bc db4cb92 +Author: Brad Spengler +Date: Thu Mar 14 20:23:14 2013 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/keys/compat.c + +commit db4cb924546e3fec3a59f78d056f48176eaf7100 +Author: Brad Spengler +Date: Thu Mar 14 20:22:24 2013 -0400 + + Update to pax-linux-3.8.2-test8.patch + + arch/arm/include/asm/cache.h | 2 ++ + arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- + arch/arm/mach-omap2/omap_device.c | 4 ++-- + arch/arm/mach-omap2/omap_device.h | 4 ++-- + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- + 5 files changed, 19 insertions(+), 15 deletions(-) + +commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae +Merge: 3c865f9 1a45c31 +Author: Brad Spengler +Date: Thu Mar 14 20:20:54 2013 -0400 + + Merge branch 'linux-3.8.y' into pax-test + + Conflicts: + arch/arm/include/asm/delay.h + arch/arm/include/asm/pgtable.h + arch/arm/lib/delay.c + security/keys/compat.c + +commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 +Author: Al Viro +Date: Tue Mar 12 02:59:49 2013 +0000 + + Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 + + vfs: fix pipe counter breakage + + If you open a pipe for neither read nor write, the pipe code will not + add any usage counters to the pipe, causing the 'struct pipe_inode_info" + to be potentially released early. + + That doesn't normally matter, since you cannot actually use the pipe, + but the pipe release code - particularly fasync handling - still expects + the actual pipe infrastructure to all be there. And rather than adding + NULL pointer checks, let's just disallow this case, the same way we + already do for the named pipe ("fifo") case. + + This is ancient going back to pre-2.4 days, and until trinity, nobody + naver noticed. + + Reported-by: Dave Jones + Signed-off-by: Linus Torvalds + + fs/pipe.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 +Author: Mathieu Desnoyers +Date: Mon Feb 25 10:20:36 2013 -0500 + + Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 + + Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys + + Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to + compat_process_vm_rw() shows that the compatibility code requires an + explicit "access_ok()" check before calling + compat_rw_copy_check_uvector(). The same difference seems to appear when + we compare fs/read_write.c:do_readv_writev() to + fs/compat.c:compat_do_readv_writev(). + + This subtle difference between the compat and non-compat requirements + should probably be debated, as it seems to be error-prone. In fact, + there are two others sites that use this function in the Linux kernel, + and they both seem to get it wrong: + + Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() + also ends up calling compat_rw_copy_check_uvector() through + aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to + be missing. Same situation for + security/keys/compat.c:compat_keyctl_instantiate_key_iov(). + + I propose that we add the access_ok() check directly into + compat_rw_copy_check_uvector(), so callers don't have to worry about it, + and it therefore makes the compat call code similar to its non-compat + counterpart. Place the access_ok() check in the same location where + copy_from_user() can trigger a -EFAULT error in the non-compat code, so + the ABI behaviors are alike on both compat and non-compat. + + While we are here, fix compat_do_readv_writev() so it checks for + compat_rw_copy_check_uvector() negative return values. + + And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error + handling. + + Acked-by: Linus Torvalds + Acked-by: Al Viro + Signed-off-by: Mathieu Desnoyers + Signed-off-by: Linus Torvalds + + Conflicts: + + security/keys/compat.c + + fs/compat.c | 15 +++++++-------- + mm/process_vm_access.c | 8 -------- + security/keys/compat.c | 3 ++- + 3 files changed, 9 insertions(+), 17 deletions(-) + +commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 +Author: Brad Spengler +Date: Mon Mar 11 18:38:38 2013 -0400 + + Fix leak of signal handler addresses across execve, found by Emese Revfy + + kernel/signal.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 79b130c4b11c7940daf2b33d653a17666331c634 +Merge: 6480ce9 3c865f9 +Author: Brad Spengler +Date: Sun Mar 10 20:04:03 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d +Author: Brad Spengler +Date: Sun Mar 10 20:03:12 2013 -0400 + + Update to pax-linux-3.8.2-test7.patch: + - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) + - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) + + fs/binfmt_elf.c | 3 ++- + fs/exec.c | 3 +++ + include/linux/mm_types.h | 2 +- + init/main.c | 4 ++-- + mm/mmap.c | 2 +- + mm/page_alloc.c | 4 ++-- + tools/gcc/latent_entropy_plugin.c | 11 +++++++---- + 7 files changed, 18 insertions(+), 11 deletions(-) + +commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 +Merge: 4a5305e 25b3569 +Author: Brad Spengler +Date: Sun Mar 10 10:41:16 2013 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 25b356980568bed9958315bb5a551fdc610055ed +Author: Brad Spengler +Date: Sun Mar 10 10:40:48 2013 -0400 + + Update to pax-linux-3.8.2-test6.patch: + - fixed a KERNEXEC false positive on arm reported by Gu1 + - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) + - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) + - added fix from spender for some namespace breakage reported by zakalwe + - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot + + Documentation/kernel-parameters.txt | 5 +++++ + arch/arm/kernel/patch.c | 2 ++ + arch/x86/kernel/sys_i386_32.c | 5 +++-- + drivers/acpi/blacklist.c | 2 +- + drivers/video/aty/mach64_cursor.c | 1 + + init/main.c | 4 ---- + mm/page_alloc.c | 27 +++++++++++++++++++++++++++ + net/ipv4/ip_fragment.c | 2 +- + security/Kconfig | 5 +++++ + tools/gcc/latent_entropy_plugin.c | 7 +++++-- + 10 files changed, 50 insertions(+), 10 deletions(-) + +commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f +Author: Brad Spengler +Date: Sat Mar 9 11:19:06 2013 -0500 + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause , + Stephen Hemminger + Subject: [PATCH 1/3] bridge: fix mdb info leaks + Date: Sat, 9 Mar 2013 16:52:19 +0100 + + The bridging code discloses heap and stack bytes via the RTM_GETMDB + netlink interface and via the notify messages send to group RTNLGRP_MDB + afer a successful add/del. + + Fix both cases by initializing all unset members/padding bytes with + memset(0). + + Cc: Stephen Hemminger + Signed-off-by: Mathias Krause + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause + Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices + Date: Sat, 9 Mar 2013 16:52:20 +0100 + + Initialize the mac address buffer with 0 as the driver specific function + will probably not fill the whole buffer. In fact, all in-kernel drivers + fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible + bytes. Therefore we currently leak 26 bytes of stack memory to userland + via the netlink interface. + + Signed-off-by: Mathias Krause + + From: Mathias Krause + To: "David S. Miller" + Cc: netdev@vger.kernel.org, Mathias Krause + Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks + Date: Sat, 9 Mar 2013 16:52:21 +0100 + + The dcb netlink interface leaks stack memory in various places: + * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but + copied completely, + * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, + so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes + for ieee_pfc structs, etc., + * the same is true for CEE -- no in-kernel driver fills the whole + struct, + + Prevent all of the above stack info leaks by properly initializing the + buffers/structures involved. + + Signed-off-by: Mathias Krause + + net/bridge/br_mdb.c | 4 ++++ + net/core/rtnetlink.c | 1 + + net/dcb/dcbnl.c | 8 ++++++++ + 3 files changed, 13 insertions(+), 0 deletions(-) + +commit 601dd446f896e3a362f706943df18a68d50420a1 +Author: Brad Spengler +Date: Sat Mar 9 09:35:25 2013 -0500 + + add open/close wrappers in __patch_text() as reported by Gu1 on IRC + + arch/arm/kernel/patch.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit ae39966fd85a493e9079b357e3faa62245a41222 +Author: Peter Hurley +Date: Fri Mar 8 12:43:27 2013 -0800 + + Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 + + ipc: don't allocate a copy larger than max + + When MSG_COPY is set, a duplicate message must be allocated for the copy + before locking the queue. However, the copy could not be larger than was + sent which is limited to msg_ctlmax. + + Signed-off-by: Peter Hurley + Acked-by: Stanislav Kinsbursky + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/msg.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +commit 61240e99650ea3e540a03a3e994349c5086f166b +Author: Peter Hurley +Date: Fri Mar 8 12:43:26 2013 -0800 + + Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 + + ipc: fix potential oops when src msg > 4k w/ MSG_COPY + + If the src msg is > 4k, then dest->next points to the + next allocated segment; resetting it just prior to dereferencing + is bad. + + Signed-off-by: Peter Hurley + Acked-by: Stanislav Kinsbursky + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + ipc/msgutil.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) + +commit 51727f602a267f34fb2e0dc9557f1714028d51a2 +Author: Brad Spengler +Date: Fri Mar 8 22:14:06 2013 -0500 + + add missing 'else' in recent constify fixups + + net/ipv4/ip_fragment.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a38c1a640729b3d8e584d1ab98e908c221bc12cf +Merge: 1580bb3 47c3f47 +Author: Brad Spengler +Date: Fri Mar 8 18:18:37 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe +Author: Brad Spengler +Date: Fri Mar 8 18:17:22 2013 -0500 + + Update to pax-linux-3.8.2-test5.patch: + - fixed some fallout after the last round of constification changes, reported by several people + + arch/arm/common/gic.c | 4 ++-- + arch/arm/include/asm/hardware/gic.h | 3 ++- + arch/x86/include/asm/nmi.h | 2 +- + arch/x86/kernel/nmi.c | 2 +- + arch/x86/pci/irq.c | 2 +- + drivers/base/power/domain.c | 4 ++-- + drivers/cpufreq/cpufreq_governor.c | 4 ++-- + drivers/mfd/twl4030-irq.c | 1 + + drivers/video/vesafb.c | 7 +++++-- + include/linux/irq.h | 1 + + include/linux/pm_domain.h | 2 +- + kernel/sched/core.c | 4 ++++ + lib/Kconfig.debug | 4 ++-- + net/core/sysctl_net_core.c | 2 +- + net/decnet/af_decnet.c | 1 + + net/ipv4/devinet.c | 2 +- + net/ipv4/ip_fragment.c | 2 +- + net/ipv4/route.c | 2 +- + net/ipv4/sysctl_net_ipv4.c | 2 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- + net/ipv6/reassembly.c | 2 +- + scripts/sortextable.h | 6 +++--- + 22 files changed, 36 insertions(+), 25 deletions(-) + +commit 1580bb38b4db0bf2a46316599815e8b234edad81 +Author: Brad Spengler +Date: Thu Mar 7 22:02:59 2013 -0500 + + add an additional open/close wrapper + + kernel/sched/core.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 21622672d28d58e0d93a805cd1f9650a894a752a +Author: Brad Spengler +Date: Thu Mar 7 21:58:24 2013 -0500 + + fix oops at shutdown with new constify code + + kernel/sched/core.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec +Author: Brad Spengler +Date: Thu Mar 7 21:18:44 2013 -0500 + + Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally + it currently conflicts with some lock debugging options, so made as an + option to allow for debugging when necessary + + Makefile | 2 -- + lib/Kconfig.debug | 6 +++--- + security/Kconfig | 18 ++++++++++++++++++ + 3 files changed, 21 insertions(+), 5 deletions(-) + +commit 0885b00b8373a1597b69c38032a0c9eee279303b +Author: Brad Spengler +Date: Thu Mar 7 20:55:19 2013 -0500 + + disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify + + lib/Kconfig.debug | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit c8a2617165e7127a54f293cbf57d22d50dd83abd +Author: Brad Spengler +Date: Thu Mar 7 20:30:41 2013 -0500 + + Fix error: + drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object + with cast and proper kernexec accessors + + drivers/video/vesafb.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 +Author: Brad Spengler +Date: Thu Mar 7 20:20:28 2013 -0500 + + fix typo + + grsecurity/gracl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 +Author: Brad Spengler +Date: Thu Mar 7 20:12:17 2013 -0500 + + fix compilation error -- no reason for task_pid_nr to not take a const task ptr + + include/linux/sched.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f +Author: Kees Cook +Date: Mon Feb 25 21:32:25 2013 +0000 + + Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 + + proc connector: reject unprivileged listener bumps + + While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible + for an unprivileged user to turn off notifications for all listeners by + sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as + required for a multicast bind. + + Signed-off-by: Kees Cook + Cc: Evgeniy Polyakov + Cc: Matt Helsley + Cc: stable@vger.kernel.org + Acked-by: Evgeniy Polyakov + Acked-by: Matt Helsley + Signed-off-by: David S. Miller + + drivers/connector/cn_proc.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +commit ac6014ded57101e3e608941555ff507e20c1ece3 +Author: Dan Carpenter +Date: Tue Feb 26 19:15:02 2013 +0000 + + Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a + + irda: small read beyond end of array in debug code + + charset comes from skb->data. It's a number in the 0-255 range. + If we have debugging turned on then this could cause a read beyond + the end of the array. + + Signed-off-by: Dan Carpenter + Signed-off-by: David S. Miller + + net/irda/iriap.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe +Author: Guenter Roeck +Date: Wed Feb 27 10:57:31 2013 +0000 + + Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 + + net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS + + Building sctp may fail with: + + In function ‘copy_from_user’, + inlined from ‘sctp_getsockopt_assoc_stats’ at + net/sctp/socket.c:5656:20: + arch/x86/include/asm/uaccess_32.h:211:26: error: call to + ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() + buffer size is not provably correct + + if built with W=1 due to a missing parameter size validation + before the call to copy_from_user. + + Signed-off-by: Guenter Roeck + Acked-by: Vlad Yasevich + Signed-off-by: David S. Miller + + net/sctp/socket.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c +Author: Guillaume Nault +Date: Fri Mar 1 05:02:02 2013 +0000 + + Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a + + l2tp: Restore socket refcount when sendmsg succeeds + + The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket + reference counter after successful transmissions. Any successful + sendmsg() call from userspace will then increase the reference counter + forever, thus preventing the kernel's session and tunnel data from + being freed later on. + + The problem only happens when writing directly on L2TP sockets. + PPP sockets attached to L2TP are unaffected as the PPP subsystem + uses pppol2tp_xmit() which symmetrically increase/decrease reference + counters. + + This patch adds the missing call to sock_put() before returning from + pppol2tp_sendmsg(). + + Signed-off-by: Guillaume Nault + Signed-off-by: David S. Miller + + net/l2tp/l2tp_ppp.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 98a9a5f981f5deda4059a255c1196886f2f27e2f +Author: Cong Wang +Date: Sun Mar 3 16:18:11 2013 +0000 + + Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 + + rds: limit the size allocated by rds_message_alloc() + + Dave Jones reported the following bug: + + "When fed mangled socket data, rds will trust what userspace gives it, + and tries to allocate enormous amounts of memory larger than what + kmalloc can satisfy." + + WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() + Hardware name: GA-MA78GM-S2H + Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s + Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 + Call Trace: + [] warn_slowpath_common+0x75/0xa0 + [] warn_slowpath_null+0x1a/0x20 + [] __alloc_pages_nodemask+0xa0d/0xbe0 + [] ? native_sched_clock+0x26/0x90 + [] ? trace_hardirqs_off_caller+0x28/0xc0 + [] ? trace_hardirqs_off+0xd/0x10 + [] alloc_pages_current+0xb8/0x180 + [] __get_free_pages+0x2a/0x80 + [] kmalloc_order_trace+0x3e/0x1a0 + [] __kmalloc+0x2f5/0x3a0 + [] ? local_bh_enable_ip+0x7c/0xf0 + [] rds_message_alloc+0x23/0xb0 [rds] + [] rds_sendmsg+0x2b1/0x990 [rds] + [] ? trace_hardirqs_off+0xd/0x10 + [] sock_sendmsg+0xb0/0xe0 + [] ? get_lock_stats+0x22/0x70 + [] ? put_lock_stats.isra.23+0xe/0x40 + [] sys_sendto+0x130/0x180 + [] ? trace_hardirqs_on+0xd/0x10 + [] ? _raw_spin_unlock_irq+0x3b/0x60 + [] ? sysret_check+0x1b/0x56 + [] ? trace_hardirqs_on_caller+0x115/0x1a0 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x16/0x1b + ---[ end trace eed6ae990d018c8b ]--- + + Reported-by: Dave Jones + Cc: Dave Jones + Cc: David S. Miller + Cc: Venkat Venkatsubra + Signed-off-by: Cong Wang + Acked-by: Venkat Venkatsubra + Signed-off-by: David S. Miller + + net/rds/message.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 +Author: Cong Wang +Date: Sun Mar 3 16:28:27 2013 +0000 + + Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e + + sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE + + Don't definite its own MAX_KMALLOC_SIZE, use the one + defined in mm. + + Cc: Vlad Yasevich + Cc: Sridhar Samudrala + Cc: Neil Horman + Cc: David S. Miller + Signed-off-by: Cong Wang + Acked-by: Neil Horman + Signed-off-by: David S. Miller + + net/sctp/ssnmap.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit 4295a024e812f903fc580c81de5e81cc149503fa +Author: Brad Spengler +Date: Thu Mar 7 17:57:49 2013 -0500 + + Upstream commit: https://lkml.org/lkml/2013/3/6/535 + + security/keys/process_keys.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 33edd486a9899a145a15586d7134636b0300aaee +Merge: 4eeeaf3 a2a2094 +Author: Brad Spengler +Date: Thu Mar 7 17:53:00 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + arch/arm/include/asm/domain.h + +commit a2a20947f5e1332e474160a39af520738b3c8c19 +Author: Brad Spengler +Date: Thu Mar 7 17:51:04 2013 -0500 + + Update to pax-linux-3.8.2-test4.patch: + fixed arm compilation problems reported by Michael Tremer + - the constify plugin got smarter that enabled, with some additional patching, + the elimination of about half the static function pointers on amd64/allmod + (up from about 18%), depending on the kernel config it can be even more (70%) + + Documentation/dontdiff | 2 + + arch/arm/include/asm/domain.h | 1 + + arch/x86/include/asm/i8259.h | 2 +- + arch/x86/include/asm/nmi.h | 4 +- + arch/x86/kernel/acpi/boot.c | 4 +- + arch/x86/kernel/apic/apic_noop.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 2 +- + arch/x86/kernel/apic/io_apic.c | 10 +- + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- + arch/x86/kernel/cpu/perf_event.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- + arch/x86/kernel/i8259.c | 6 +- + arch/x86/kernel/io_delay.c | 2 +- + arch/x86/kernel/nmi.c | 6 +- + arch/x86/kernel/nmi_selftest.c | 4 +- + arch/x86/kernel/pci-swiotlb.c | 2 +- + arch/x86/oprofile/nmi_int.c | 8 +- + arch/x86/oprofile/op_model_amd.c | 8 +- + arch/x86/oprofile/op_model_ppro.c | 7 +- + arch/x86/oprofile/op_x86_model.h | 2 +- + arch/x86/pci/irq.c | 6 +- + drivers/acpi/apei/apei-internal.h | 2 +- + drivers/acpi/bgrt.c | 6 +- + drivers/acpi/blacklist.c | 2 +- + drivers/acpi/processor_idle.c | 2 +- + drivers/acpi/sysfs.c | 4 +- + drivers/base/bus.c | 4 +- + drivers/base/node.c | 2 +- + drivers/base/syscore.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 4 +- + drivers/char/random.c | 2 +- + drivers/cpufreq/acpi-cpufreq.c | 20 ++- + drivers/cpufreq/cpufreq.c | 7 +- + drivers/cpufreq/cpufreq_governor.c | 4 +- + drivers/cpufreq/cpufreq_governor.h | 2 +- + drivers/cpufreq/p4-clockmod.c | 12 +- + drivers/cpufreq/speedstep-centrino.c | 7 +- + drivers/cpuidle/cpuidle.c | 2 +- + drivers/cpuidle/governor.c | 4 +- + drivers/cpuidle/sysfs.c | 2 +- + drivers/devfreq/devfreq.c | 4 +- + drivers/edac/edac_mc_sysfs.c | 2 +- + drivers/edac/edac_pci_sysfs.c | 2 +- + drivers/firewire/core-device.c | 2 +- + drivers/firmware/dmi-id.c | 2 +- + drivers/firmware/efivars.c | 2 +- + drivers/firmware/google/memconsole.c | 4 +- + drivers/gpio/gpio-ich.c | 2 +- + drivers/gpu/drm/drm_drv.c | 2 +- + drivers/gpu/drm/drm_ioc32.c | 9 +- + drivers/gpu/drm/i915/i915_ioc32.c | 11 +- + drivers/gpu/drm/i915/intel_display.c | 26 ++- + drivers/gpu/drm/mga/mga_ioc32.c | 11 +- + drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- + drivers/gpu/drm/r128/r128_ioc32.c | 11 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- + drivers/gpu/drm/udl/udl_fb.c | 1 - + drivers/hwmon/acpi_power_meter.c | 4 +- + drivers/hwmon/applesmc.c | 2 +- + drivers/hwmon/asus_atk0110.c | 10 +- + drivers/hwmon/ibmaem.c | 2 +- + drivers/hwmon/pmbus/pmbus_core.c | 2 +- + drivers/iio/industrialio-core.c | 2 +- + drivers/input/mouse/psmouse.h | 2 +- + drivers/iommu/iommu.c | 2 +- + drivers/leds/leds-clevo-mail.c | 2 +- + drivers/leds/leds-ss4200.c | 2 +- + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- + drivers/mfd/twl4030-irq.c | 8 +- + drivers/mfd/twl6030-irq.c | 10 +- + drivers/misc/c2port/core.c | 4 +- + drivers/mtd/sm_ftl.c | 2 +- + drivers/net/bonding/bond_main.c | 2 +- + drivers/net/macvlan.c | 16 +- + drivers/net/vxlan.c | 2 +- + drivers/pci/hotplug/acpiphp_ibm.c | 4 +- + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/pci-sysfs.c | 6 +- + drivers/pci/pci.h | 2 +- + drivers/platform/x86/msi-laptop.c | 14 +- + drivers/platform/x86/sony-laptop.c | 2 +- + drivers/power/power_supply.h | 4 +- + drivers/power/power_supply_core.c | 6 +- + drivers/power/power_supply_sysfs.c | 6 +- + drivers/rtc/rtc-cmos.c | 4 +- + drivers/rtc/rtc-ds1307.c | 2 +- + drivers/rtc/rtc-m48t59.c | 4 +- + drivers/scsi/bfa/bfa.h | 2 +- + drivers/staging/iio/iio_hwmon.c | 2 +- + drivers/usb/storage/usb.h | 2 +- + drivers/video/aty/atyfb_base.c | 8 +- + drivers/video/aty/mach64_cursor.c | 4 +- + drivers/video/backlight/kb3886_bl.c | 2 +- + drivers/video/fb_defio.c | 6 +- + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- + drivers/video/nvidia/nvidia.c | 27 ++- + drivers/video/s1d13xxxfb.c | 6 +- + drivers/video/smscufx.c | 4 +- + drivers/video/udlfb.c | 4 +- + drivers/video/uvesafb.c | 14 +- + fs/exec.c | 6 +- + fs/ext4/super.c | 2 +- + fs/jfs/super.c | 4 +- + fs/nfs/callback_xdr.c | 2 +- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfs4xdr.c | 6 +- + fs/nls/nls_base.c | 18 +- + fs/nls/nls_euc-jp.c | 6 +- + fs/nls/nls_koi8-ru.c | 6 +- + fs/proc/proc_sysctl.c | 18 +- + include/drm/drmP.h | 12 +- + include/keys/asymmetric-subtype.h | 2 +- + include/linux/atmdev.h | 2 +- + include/linux/binfmts.h | 2 +- + include/linux/configfs.h | 2 +- + include/linux/cpufreq.h | 3 +- + include/linux/cpuidle.h | 5 +- + include/linux/devfreq.h | 2 +- + include/linux/device.h | 7 +- + include/linux/extcon.h | 2 +- + include/linux/fb.h | 2 +- + include/linux/fscache.h | 2 +- + include/linux/genl_magic_func.h | 2 +- + include/linux/hwmon-sysfs.h | 5 +- + include/linux/iommu.h | 2 +- + include/linux/irq.h | 2 +- + include/linux/key-type.h | 2 +- + include/linux/kobject.h | 1 + + include/linux/kobject_ns.h | 2 +- + include/linux/list.h | 14 +- + include/linux/mod_devicetable.h | 2 +- + include/linux/module.h | 5 +- + include/linux/net.h | 2 +- + include/linux/netfilter.h | 2 +- + include/linux/nls.h | 2 +- + include/linux/pci_hotplug.h | 3 +- + include/linux/platform_data/usb-exynos.h | 2 +- + include/linux/pnp.h | 2 +- + include/linux/ppp-comp.h | 2 +- + include/linux/rculist.h | 16 ++ + include/linux/sched.h | 2 +- + include/linux/sock_diag.h | 2 +- + include/linux/sunrpc/clnt.h | 2 +- + include/linux/sunrpc/svc.h | 2 +- + include/linux/sunrpc/svcauth.h | 2 +- + include/linux/swiotlb.h | 3 +- + include/linux/syscore_ops.h | 2 +- + include/linux/sysctl.h | 6 +- + include/linux/sysfs.h | 10 +- + include/linux/sysrq.h | 1 + + include/linux/xattr.h | 2 +- + include/net/9p/transport.h | 2 +- + include/net/bluetooth/l2cap.h | 2 +- + include/net/genetlink.h | 2 +- + include/net/ip.h | 2 +- + include/net/ip_vs.h | 4 +- + include/net/llc_c_ac.h | 2 +- + include/net/llc_c_ev.h | 4 +- + include/net/llc_c_st.h | 2 +- + include/net/llc_s_ac.h | 2 +- + include/net/llc_s_st.h | 2 +- + include/net/mac80211.h | 2 +- + include/net/net_namespace.h | 2 +- + include/net/netns/conntrack.h | 6 +- + include/net/rtnetlink.h | 2 +- + include/net/sctp/sm.h | 4 +- + include/net/sctp/structs.h | 2 +- + include/net/xfrm.h | 4 +- + ipc/ipc_sysctl.c | 10 +- + ipc/mq_sysctl.c | 2 +- + kernel/kmod.c | 2 +- + kernel/ksysfs.c | 2 +- + kernel/module.c | 4 +- + kernel/pid_namespace.c | 2 +- + kernel/rcutree_plugin.h | 2 +- + kernel/sched/core.c | 39 ++-- + kernel/smpboot.c | 4 +- + kernel/softirq.c | 2 +- + kernel/sysctl.c | 2 +- + kernel/utsname_sysctl.c | 2 +- + kernel/watchdog.c | 2 +- + lib/Kconfig.debug | 2 +- + lib/kobject.c | 4 +- + lib/list_debug.c | 57 ++++- + lib/swiotlb.c | 2 +- + mm/hugetlb.c | 16 +- + mm/memory-failure.c | 2 +- + mm/slab_common.c | 2 +- + net/9p/mod.c | 4 +- + net/ax25/sysctl_net_ax25.c | 2 +- + net/core/neighbour.c | 2 +- + net/core/net-sysfs.c | 2 +- + net/core/net_namespace.c | 8 +- + net/core/rtnetlink.c | 11 +- + net/core/sock_diag.c | 9 +- + net/core/sysctl_net_core.c | 15 +- + net/ipv4/af_inet.c | 8 +- + net/ipv4/devinet.c | 12 +- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/ip_fragment.c | 9 +- + net/ipv4/ip_gre.c | 6 +- + net/ipv4/ip_vti.c | 4 +- + net/ipv4/ipip.c | 4 +- + net/ipv4/route.c | 14 +- + net/ipv4/sysctl_net_ipv4.c | 43 ++-- + net/ipv6/addrconf.c | 4 +- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_gre.c | 6 +- + net/ipv6/ip6_tunnel.c | 4 +- + net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- + net/ipv6/reassembly.c | 11 +- + net/ipv6/route.c | 2 +- + net/ipv6/sit.c | 4 +- + net/ipv6/sysctl_net_ipv6.c | 2 +- + net/netfilter/ipset/ip_set_core.c | 2 +- + net/netfilter/ipvs/ip_vs_ctl.c | 4 +- + net/netfilter/ipvs/ip_vs_lblc.c | 2 +- + net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- + net/netfilter/nf_conntrack_acct.c | 2 +- + net/netfilter/nf_conntrack_ecache.c | 2 +- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_proto.c | 2 +- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nf_conntrack_timestamp.c | 2 +- + net/netfilter/nf_log.c | 10 +- + net/netfilter/nf_sockopt.c | 4 +- + net/netlink/genetlink.c | 16 +- + net/phonet/sysctl.c | 2 +- + net/rds/rds.h | 2 +- + net/sctp/ipv6.c | 6 +- + net/sctp/protocol.c | 10 +- + net/sctp/sm_sideeffect.c | 2 +- + net/sctp/sysctl.c | 4 +- + net/sunrpc/clnt.c | 4 +- + net/sunrpc/svc.c | 4 +- + net/unix/sysctl_net_unix.c | 2 +- + net/xfrm/xfrm_policy.c | 11 +- + net/xfrm/xfrm_state.c | 29 ++- + net/xfrm/xfrm_sysctl.c | 2 +- + security/apparmor/lsm.c | 2 +- + security/keys/key.c | 18 +- + security/yama/yama_lsm.c | 22 +- + tools/gcc/Makefile | 4 +- + tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ + tools/gcc/size_overflow_plugin.c | 7 +- + 248 files changed, 994 insertions(+), 668 deletions(-) + +commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b +Author: Brad Spengler +Date: Wed Mar 6 12:58:21 2013 -0500 + + Make slab_state __read_only, it's only written to during init + + mm/slab_common.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a +Author: Brad Spengler +Date: Wed Mar 6 12:31:35 2013 -0500 + + Make two new helper functions: + gr_is_global_root() and gr_is_global_nonroot() + + grsecurity/gracl.c | 10 +++++----- + grsecurity/gracl_segv.c | 2 +- + grsecurity/grsec_link.c | 4 ++-- + grsecurity/grsec_sig.c | 10 +++++----- + grsecurity/grsec_tpe.c | 6 +++--- + include/linux/uidgid.h | 2 ++ + 6 files changed, 18 insertions(+), 16 deletions(-) + +commit d45d88eddd4998b280b1e5b5384289ee11ca7088 +Author: Brad Spengler +Date: Wed Mar 6 12:14:41 2013 -0500 + + convert remaining task->pid to task_pid_nr(task) + + grsecurity/gracl.c | 22 +++++++++++----------- + grsecurity/gracl_shm.c | 2 +- + grsecurity/grsec_chroot.c | 4 ++-- + grsecurity/grsec_sig.c | 4 ++-- + 4 files changed, 16 insertions(+), 16 deletions(-) + +commit c877f2ece03ee2232dd281c1977ae59507297124 +Author: Brad Spengler +Date: Tue Mar 5 17:29:54 2013 -0500 + + compat-log is only used anymore by vm86-on-64bit and allows unlimited + spamming of the kernel log buffer (and since it includes the changable + process name, can avoid syslog log deduplication) + Turn it off by default + + fs/compat.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 7c1964c4b7276889d7967bee70e46918cdca1b14 +Author: Brad Spengler +Date: Mon Mar 4 17:19:10 2013 -0500 + + fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP + is enabled, introduced with recent userns support + + init/main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 +Author: Brad Spengler +Date: Sun Mar 3 18:46:12 2013 -0500 + + Prevent TOMOYO from auto-loading modules by unprivileged users + (Only reachable if TOMOYO is actually used) + + security/tomoyo/mount.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 79e142f9455b398759ff9d93d4963a21b98dddda +Author: Brad Spengler +Date: Sun Mar 3 18:28:45 2013 -0500 + + For now, don't permit any special access to /proc in a user namespace + Later we can go back and allow a userns-uid0 special access to a /proc + with a non-global pid namespace + + fs/proc/base.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 8b91fb393049ce5f3c0a86f62247409853fd9700 +Merge: d931eb8 603ef05 +Author: Brad Spengler +Date: Sun Mar 3 17:42:09 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b +Author: Brad Spengler +Date: Sun Mar 3 17:41:31 2013 -0500 + + Fix compilation error on ARM reported by Michael Tremer + + arch/arm/mach-omap2/wd_timer.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +commit b4c9ce81fdd7839a150c97873c710c479e788280 +Author: Brad Spengler +Date: Sun Mar 3 17:39:53 2013 -0500 + + Fix compilation error on ARM reported by Michael Tremer + + arch/arm/kernel/armksyms.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit d931eb81ab3da46896268fd61373a6aa7bbea930 +Merge: bfa7f44 5948f93 +Author: Brad Spengler +Date: Sun Mar 3 17:34:36 2013 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 +Merge: ab30472 19b00d2 +Author: Brad Spengler +Date: Sun Mar 3 17:34:08 2013 -0500 + + Merge branch 'linux-3.8.y' into pax-test + +commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 +Author: Brad Spengler +Date: Sun Mar 3 15:12:12 2013 -0500 + + Initial support for user namespaces, as we previously didn't allow + the option to be enabled at all. + + RBAC will act on the global uids/gids only, so all uids/gids in user + namespaces will be converted + + Because Eric Biederman is insulted that I didn't support his + backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN + check in for user namespaces, so this is generally irrelevant. + + fs/exec.c | 6 +- + fs/proc/base.c | 2 +- + fs/proc/proc_net.c | 4 +- + grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- + grsecurity/gracl_cap.c | 4 +- + grsecurity/gracl_ip.c | 16 +++--- + grsecurity/gracl_segv.c | 12 +++- + grsecurity/gracl_shm.c | 4 +- + grsecurity/grsec_disabled.c | 10 ++-- + grsecurity/grsec_fifo.c | 6 +- + grsecurity/grsec_init.c | 24 ++++---- + grsecurity/grsec_log.c | 3 - + grsecurity/grsec_tpe.c | 6 +- + include/linux/grinternal.h | 12 ++-- + include/linux/grsecurity.h | 12 ++-- + include/linux/uidgid.h | 3 + + init/Kconfig | 2 - + ipc/shm.c | 2 +- + kernel/cred.c | 5 +- + kernel/kallsyms.c | 2 +- + kernel/kmod.c | 6 +- + kernel/sys.c | 12 ++-- + 22 files changed, 166 insertions(+), 115 deletions(-) + +commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff +Author: Linus Torvalds +Date: Wed Feb 27 08:36:04 2013 -0800 + + Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 + + mm: do not grow the stack vma just because of an overrun on preceding vma + + The stack vma is designed to grow automatically (marked with VM_GROWSUP + or VM_GROWSDOWN depending on architecture) when an access is made beyond + the existing boundary. However, particularly if you have not limited + your stack at all ("ulimit -s unlimited"), this can cause the stack to + grow even if the access was really just one past *another* segment. + + And that's wrong, especially since we first grow the segment, but then + immediately later enforce the stack guard page on the last page of the + segment. So _despite_ first growing the stack segment as a result of + the access, the kernel will then make the access cause a SIGSEGV anyway! + + So do the same logic as the guard page check does, and consider an + access to within one page of the next segment to be a bad access, rather + than growing the stack to abut the next segment. + + Reported-and-tested-by: Heiko Carstens + Signed-off-by: Linus Torvalds + + mm/mmap.c | 27 +++++++++++++++++++++++++++ + 1 files changed, 27 insertions(+), 0 deletions(-) + +commit 5596211af754867ca825f58e6e0300a8439950fe +Author: H. Peter Anvin +Date: Wed Feb 27 12:46:40 2013 -0800 + + Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c + + x86: Make sure we can boot in the case the BDA contains pure garbage + + On non-BIOS platforms it is possible that the BIOS data area contains + garbage instead of being zeroed or something equivalent (firmware + people: we are talking of 1.5K here, so please do the sane thing.) + + We need on the order of 20-30K of low memory in order to boot, which + may grow up to < 64K in the future. We probably want to avoid the + lowest of the low memory. At the same time, it seems extremely + unlikely that a legitimate EBDA would ever reach down to the 128K + (which would require it to be over half a megabyte in size.) Thus, + pick 128K as the cutoff for "this is insane, ignore." We may still + end up reserving a bunch of extra memory on the low megabyte, but that + is not really a major issue these days. In the worst case we lose + 512K of RAM. + + This code really should be merged with trim_bios_range() in + arch/x86/kernel/setup.c, but that is a bigger patch for a later merge + window. + + Reported-by: Darren Hart + Signed-off-by: H. Peter Anvin + Cc: Matt Fleming + Cc: + Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org + + arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- + 1 files changed, 34 insertions(+), 19 deletions(-) + +commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea +Author: Wei Yongjun +Date: Wed Feb 27 17:05:46 2013 -0800 + + Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 + + memstick: move the dereference below the NULL test + + The dereference should be moved below the NULL test. + + spatch with a semantic match is used to found this. + (http://coccinelle.lip6.fr/) + + Signed-off-by: Wei Yongjun + Cc: Maxim Levitsky + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + drivers/memstick/host/r592.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 +Author: Xi Wang +Date: Wed Feb 27 17:05:21 2013 -0800 + + Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 + + sysctl: fix null checking in bin_dn_node_address() + + The null check of `strchr() + 1' is broken, which is always non-null, + leading to OOB read. Instead, check the result of strchr(). + + Signed-off-by: Xi Wang + Cc: "Eric W. Biederman" + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + kernel/sysctl_binary.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +commit 7ca96db0817416fd40761e7437d1939fc0731380 +Author: Tejun Heo +Date: Wed Feb 27 17:03:34 2013 -0800 + + Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 + + idr: fix a subtle bug in idr_get_next() + + The iteration logic of idr_get_next() is borrowed mostly verbatim from + idr_for_each(). It walks down the tree looking for the slot matching + the current ID. If the matching slot is not found, the ID is + incremented by the distance of single slot at the given level and + repeats. + + The implementation assumes that during the whole iteration id is aligned + to the layer boundaries of the level closest to the leaf, which is true + for all iterations starting from zero or an existing element and thus is + fine for idr_for_each(). + + However, idr_get_next() may be given any point and if the starting id + hits in the middle of a non-existent layer, increment to the next layer + will end up skipping the same offset into it. For example, an IDR with + IDs filled between [64, 127] would look like the following. + + [ 0 64 ... ] + /----/ | + | | + NULL [ 64 ... 127 ] + + If idr_get_next() is called with 63 as the starting point, it will try + to follow down the pointer from 0. As it is NULL, it will then try to + proceed to the next slot in the same level by adding the slot distance + at that level which is 64 - making the next try 127. It goes around the + loop and finds and returns 127 skipping [64, 126]. + + Note that this bug also triggers in idr_for_each_entry() loop which + deletes during iteration as deletions can make layers go away leaving + the iteration with unaligned ID into missing layers. + + Fix it by ensuring proceeding to the next slot doesn't carry over the + unaligned offset - ie. use round_up(id + 1, slot_distance) instead of + id += slot_distance. + + Signed-off-by: Tejun Heo + Reported-by: David Teigland + Cc: KAMEZAWA Hiroyuki + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + lib/idr.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +commit 745362f28034f54242ba2e64eaa7374ab9869613 +Author: Brad Spengler +Date: Fri Mar 1 20:31:42 2013 -0500 + + Fix dentry use-after-free after failed complete_walk() with RBAC enabled + Many thanks to zakalwe from #grsecurity for the report and debugging help + + fs/namei.c | 8 +++----- + 1 files changed, 3 insertions(+), 5 deletions(-) + +commit b53b3b14330920c6f7cfb74c8508a3026e1be620 +Author: Brad Spengler +Date: Thu Feb 28 18:29:26 2013 -0500 + + Fix bad git merge + + fs/namespace.c | 8 -------- + 1 files changed, 0 insertions(+), 8 deletions(-) + +commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede +Merge: 1cce1dd ab30472 +Author: Brad Spengler +Date: Thu Feb 28 17:45:14 2013 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + net/core/sock_diag.c + +commit ab3047280e1dfb43f1b301a296123757b4ac4f6e +Merge: 4b61d21 4c91a0e +Author: Brad Spengler +Date: Thu Feb 28 17:43:56 2013 -0500 + + Merge branch 'linux-3.8.y' into pax-test + +commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 +Author: Brad Spengler +Date: Wed Feb 27 22:20:22 2013 -0500 + + add compiler.h to sysrq.h to fix compilation problem reported by micu on forums + + include/linux/sysrq.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 +Author: Brad Spengler +Date: Wed Feb 27 17:52:31 2013 -0500 + + declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel + + kernel/printk.c | 12 +++++++----- + 1 files changed, 7 insertions(+), 5 deletions(-) + +commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 +Author: Brad Spengler +Date: Wed Feb 27 17:23:46 2013 -0500 + + Fix upstream vulnerability from addition of a /dev/kmsg device + while neglecting to add the same set of existing permission checks + from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. + A temporary workaround without this patch would be to + chmod 0600 /dev/kmsg (and is likely a good idea anyway). + + Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek + Initially reported to Redhat bugzilla by Christian Kujau: + https://bugzilla.redhat.com/show_bug.cgi?id=903192 + + kernel/printk.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 66c04806f5660988c3cb4855e60de294e77e3d0e +Author: David Howells +Date: Thu Feb 21 12:00:25 2013 +0000 + + Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f + + KEYS: Revert one application of "Fix unreachable code" patch + + A patch to fix some unreachable code in search_my_process_keyrings() got + applied twice by two different routes upstream as commits e67eab39bee2 + and b010520ab3d2 (both "fix unreachable code"). + + Unfortunately, the second application removed something it shouldn't + have and this wasn't detected by GIT. This is due to the patch not + having sufficient lines of context to distinguish the two places of + application. + + The effect of this is relatively minor: inside the kernel, the keyring + search routines may search multiple keyrings and then prioritise the + errors if no keys or negative keys are found in any of them. With the + extra deletion, the presence of a negative key in the thread keyring + (causing ENOKEY) is incorrectly overridden by an error searching the + process keyring. + + So revert the second application of the patch. + + Signed-off-by: David Howells + Cc: Jiri Kosina + Cc: Andrew Morton + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + security/keys/process_keys.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 954b0c8a95b08c09c3d15ec38106ce403bf714da +Author: Wei Yongjun +Date: Thu Feb 21 16:42:43 2013 -0800 + + Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a + + configfs: move the dereference below the NULL test + + The dereference should be moved below the NULL test. + + spatch with a semantic match is used to found this. + (http://coccinelle.lip6.fr/) + + Signed-off-by: Wei Yongjun + Cc: Joel Becker + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + fs/configfs/dir.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 +Author: Nicolas Pitre +Date: Sun Feb 24 20:06:09 2013 -0500 + + Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 + + tty vt: fix character insertion overflow + + Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on + command line edition") broke insert_char() in multiple ways. Then + commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") + partially fixed it. However, the buffer being moved is still too large + and overflowing beyond the end of the current line, corrupting existing + characters on the next line. + + Example test case: + + echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" + + Expected result: + + ab c + de + + Current result: + + ab c + e + + Needless to say that this is very annoying when inserting words in the + middle of paragraphs with certain text editors. + + Signed-off-by: Nicolas Pitre + Cc: Jean-François Moine + Cc: Greg Kroah-Hartman + Cc: + Signed-off-by: Linus Torvalds + + drivers/tty/vt/vt.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 6cda35071669b4aabde081bd039e0ffea36f997a +Author: Robin Holt +Date: Fri Feb 22 16:35:34 2013 -0800 + + Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 + + mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result of a + filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + + Additionally, the list traversal in __mmu_notifier_release() is not + protected by the by the mmu_notifier_mm->hlist_lock which can result in + callouts to the ->release() notifier from both mmu_notifier_unregister() + and __mmu_notifier_release(). + + -stable suggestions: + + The stable trees prior to 3.7.y need commits 21a92735f660 and + 70400303ce0c cherry-picked in that order prior to cherry-picking this + commit. The 3.7.y tree already has those two commits. + + Signed-off-by: Robin Holt + Cc: Andrea Arcangeli + Cc: Wanpeng Li + Cc: Xiao Guangrong + Cc: Avi Kivity + Cc: Hugh Dickins + Cc: Marcelo Tosatti + Cc: Sagi Grimberg + Cc: Haggai Eran + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- + 1 files changed, 42 insertions(+), 40 deletions(-) + +commit bf5167ed78ba6131c6874887f714bda50c2cab83 +Author: Mike Galbraith +Date: Mon Jan 28 12:19:25 2013 +0100 + + Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 + + sched: Fix select_idle_sibling() bouncing cow syndrome + + If the previous CPU is cache affine and idle, select it. + + The current implementation simply traverses the sd_llc domain, + taking the first idle CPU encountered, which walks buddy pairs + hand in hand over the package, inflicting excruciating pain. + + 1 tbench pair (worst case) in a 10 core + SMT package: + + pre 15.22 MB/sec 1 procs + post 252.01 MB/sec 1 procs + + Signed-off-by: Mike Galbraith + Cc: Peter Zijlstra + Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net + Signed-off-by: Ingo Molnar + + kernel/sched/fair.c | 21 +++++++-------------- + 1 files changed, 7 insertions(+), 14 deletions(-) + +commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c +Author: Eric W. Biederman +Date: Fri Dec 28 18:58:39 2012 -0800 + + Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f + + userns: Avoid recursion in put_user_ns + + When freeing a deeply nested user namespace free_user_ns calls + put_user_ns on it's parent which may in turn call free_user_ns again. + When -fno-optimize-sibling-calls is passed to gcc one stack frame per + user namespace is left on the stack, potentially overflowing the + kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls + so we can't count on gcc to optimize this code. + + Remove struct kref and use a plain atomic_t. Making the code more + flexible and easier to comprehend. Make the loop in free_user_ns + explict to guarantee that the stack does not overflow with + CONFIG_FRAME_POINTER enabled. + + I have tested this fix with a simple program that uses unshare to + create a deeply nested user namespace structure and then calls exit. + With 1000 nesteuser namespaces before this change running my test + program causes the kernel to die a horrible death. With 10,000,000 + nested user namespaces after this change my test program runs to + completion and causes no harm. + + Acked-by: Serge Hallyn + Pointed-out-by: Vasily Kulikov + Signed-off-by: "Eric W. Biederman" + + include/linux/user_namespace.h | 10 +++++----- + kernel/user.c | 4 +--- + kernel/user_namespace.c | 17 +++++++++-------- + 3 files changed, 15 insertions(+), 16 deletions(-) + +commit 81501c7106ccc186c94806f4db954626295b5ebe +Author: Brad Spengler +Date: Tue Feb 26 17:12:30 2013 -0500 + + Pass the same flags to kern_path_create as the original function + + fs/namei.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +commit a677c8eee35afe48868f92c7d6745bfe809cd481 +Author: Al Viro +Date: Fri Feb 22 22:45:42 2013 -0500 + + Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 + + get rid of unprotected dereferencing of mnt->mnt_ns + + It's safe only under namespace_sem or vfsmount_lock; all places + in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use + current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in + there). + + Cc: stable@vger.kernel.org + Signed-off-by: Al Viro + + fs/namespace.c | 29 +++++++++++++++++------------ + 1 files changed, 17 insertions(+), 12 deletions(-) + +commit 89298124d0c96dc34a60377e7a1308f8f532ff75 +Author: Greg Thelen +Date: Fri Feb 22 16:36:01 2013 -0800 + + Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 + + tmpfs: fix use-after-free of mempolicy object + + The tmpfs remount logic preserves filesystem mempolicy if the mpol=M + option is not specified in the remount request. A new policy can be + specified if mpol=M is given. + + Before this patch remounting an mpol bound tmpfs without specifying + mpol= mount option in the remount request would set the filesystem's + mempolicy object to a freed mempolicy object. + + To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: + # mkdir /tmp/x + + # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x + + # grep /tmp/x /proc/mounts + nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 + + # mount -o remount,size=200M nodev /tmp/x + + # grep /tmp/x /proc/mounts + nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 + # note ? garbage in mpol=... output above + + # dd if=/dev/zero of=/tmp/x/f count=1 + # panic here + + Panic: + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [< (null)>] (null) + [...] + Oops: 0010 [#1] SMP DEBUG_PAGEALLOC + Call Trace: + mpol_shared_policy_init+0xa5/0x160 + shmem_get_inode+0x209/0x270 + shmem_mknod+0x3e/0xf0 + shmem_create+0x18/0x20 + vfs_create+0xb5/0x130 + do_last+0x9a1/0xea0 + path_openat+0xb3/0x4d0 + do_filp_open+0x42/0xa0 + do_sys_open+0xfe/0x1e0 + compat_sys_open+0x1b/0x20 + cstar_dispatch+0x7/0x1f + + Non-debug kernels will not crash immediately because referencing the + dangling mpol will not cause a fault. Instead the filesystem will + reference a freed mempolicy object, which will cause unpredictable + behavior. + + The problem boils down to a dropped mpol reference below if + shmem_parse_options() does not allocate a new mpol: + + config = *sbinfo + shmem_parse_options(data, &config, true) + mpol_put(sbinfo->mpol) + sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ + + This patch avoids the crash by not releasing the mempolicy if + shmem_parse_options() doesn't create a new mpol. + + How far back does this issue go? I see it in both 2.6.36 and 3.3. I did + not look back further. + + Signed-off-by: Greg Thelen + Acked-by: Hugh Dickins + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + + mm/shmem.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 +Author: Brad Spengler +Date: Sat Feb 23 11:08:05 2013 -0500 + + Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY + with a family greater or equal then AF_MAX -- the array size of + sock_diag_handlers[]. The current code does not test for this + condition therefore is vulnerable to an out-of-bound access opening + doors for a privilege escalation. + + Signed-off-by: Mathias Krause + + The sock_diag_lock_handler() and sock_diag_unlock_handler() actually + make the code less readable. Get rid of them and make the lock usage + and access to sock_diag_handlers[] clear on the first sight. + + Signed-off-by: Mathias Krause + + net/core/sock_diag.c | 27 ++++++++++----------------- + 1 files changed, 10 insertions(+), 17 deletions(-) + +commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 +Author: Brad Spengler +Date: Sat Feb 23 10:58:52 2013 -0500 + + Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined + + arch/arm/include/asm/domain.h | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +commit 7b729586eb81f344fdedf0942fab0acc738a6725 +Author: Brad Spengler +Date: Fri Feb 22 19:02:51 2013 -0500 + + Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. + + kernel/fork.c | 17 +++++++++++++++++ + 1 files changed, 17 insertions(+), 0 deletions(-) + +commit fadc560d0c486af88da83177735f5515e88acdcc +Author: Brad Spengler +Date: Thu Feb 21 23:06:48 2013 -0500 + + put is_hugetlbfs_mnt inside ifdefs + + grsecurity/gracl.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +commit 8252176922d405484f986eb2cc350b7cd3ae586e +Author: Brad Spengler +Date: Thu Feb 21 23:02:07 2013 -0500 + + remove unused label + + kernel/module.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +commit dad4a980f0b625059e215d13da728aa7fd02a374 +Author: Brad Spengler +Date: Thu Feb 21 23:00:52 2013 -0500 + + compile fix + + fs/open.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 +Author: Brad Spengler +Date: Thu Feb 21 22:57:49 2013 -0500 + + remove kmalloc_array_error for the same reasons as kcalloc_error + + include/linux/slab.h | 9 --------- + 1 files changed, 0 insertions(+), 9 deletions(-) + +commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a +Author: Brad Spengler +Date: Thu Feb 21 22:49:35 2013 -0500 + + Initial port of grsecurity for Linux 3.8 + + Documentation/kernel-parameters.txt | 4 + + Makefile | 10 +- + arch/alpha/include/asm/cache.h | 4 +- + arch/alpha/kernel/osf_sys.c | 14 +- + arch/arm/include/asm/cache.h | 2 + + arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/kernel/process.c | 4 +- + arch/arm/kernel/ptrace.c | 9 + + arch/arm/kernel/traps.c | 7 +- + arch/arm/mm/fault.c | 27 +- + arch/arm/mm/mmap.c | 6 +- + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/include/asm/cache.h | 3 +- + arch/cris/include/arch-v10/arch/cache.h | 3 +- + arch/cris/include/arch-v32/arch/cache.h | 3 +- + arch/frv/include/asm/cache.h | 3 +- + arch/frv/mm/elf-fdpic.c | 7 +- + arch/hexagon/include/asm/cache.h | 6 +- + arch/ia64/include/asm/cache.h | 3 +- + arch/ia64/kernel/sys_ia64.c | 3 +- + arch/ia64/mm/hugetlbpage.c | 3 +- + arch/m32r/include/asm/cache.h | 4 +- + arch/m68k/include/asm/cache.h | 4 +- + arch/microblaze/include/asm/cache.h | 3 +- + arch/mips/include/asm/cache.h | 3 +- + arch/mips/include/asm/thread_info.h | 9 +- + arch/mips/kernel/ptrace.c | 9 + + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/mm/mmap.c | 3 +- + arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- + arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- + arch/openrisc/include/asm/cache.h | 4 +- + arch/parisc/include/asm/cache.h | 5 +- + arch/parisc/kernel/sys_parisc.c | 19 +- + arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/thread_info.h | 8 +- + arch/powerpc/kernel/process.c | 10 +- + arch/powerpc/kernel/ptrace.c | 14 + + arch/powerpc/kernel/traps.c | 5 + + arch/powerpc/mm/slice.c | 8 +- + arch/s390/include/asm/cache.h | 4 +- + arch/score/include/asm/cache.h | 4 +- + arch/sh/include/asm/cache.h | 3 +- + arch/sh/mm/mmap.c | 6 +- + arch/sparc/include/asm/cache.h | 4 +- + arch/sparc/include/asm/thread_info_64.h | 9 +- + arch/sparc/kernel/process_32.c | 6 +- + arch/sparc/kernel/process_64.c | 8 +- + arch/sparc/kernel/ptrace_64.c | 14 + + arch/sparc/kernel/sys_sparc_64.c | 6 +- + arch/sparc/kernel/syscalls.S | 8 +- + arch/sparc/kernel/traps_32.c | 8 +- + arch/sparc/kernel/traps_64.c | 28 +- + arch/sparc/kernel/unaligned_64.c | 2 +- + arch/sparc/mm/fault_64.c | 2 +- + arch/sparc/mm/hugetlbpage.c | 3 +- + arch/tile/include/asm/cache.h | 3 +- + arch/um/include/asm/cache.h | 3 +- + arch/unicore32/include/asm/cache.h | 6 +- + arch/x86/Kconfig | 5 +- + arch/x86/Kconfig.debug | 2 +- + arch/x86/ia32/ia32_aout.c | 2 + + arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/kernel/dumpstack.c | 8 + + arch/x86/kernel/entry_32.S | 2 +- + arch/x86/kernel/entry_64.S | 2 +- + arch/x86/kernel/ioport.c | 13 + + arch/x86/kernel/ptrace.c | 14 + + arch/x86/kernel/smpboot.c | 3 + + arch/x86/kernel/sys_i386_32.c | 14 +- + arch/x86/kernel/sys_x86_64.c | 3 +- + arch/x86/kernel/verify_cpu.S | 1 + + arch/x86/kernel/vm86_32.c | 16 + + arch/x86/mm/fault.c | 12 +- + arch/x86/mm/hugetlbpage.c | 3 +- + arch/x86/mm/init.c | 66 +- + arch/x86/net/bpf_jit_comp.c | 126 +- + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- + arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + arch/xtensa/variants/s6000/include/variant/core.h | 3 +- + crypto/ablkcipher.c | 12 +- + crypto/aead.c | 9 +- + crypto/ahash.c | 2 +- + crypto/blkcipher.c | 6 +- + crypto/crypto_user.c | 38 +- + crypto/pcompress.c | 3 +- + crypto/rng.c | 2 +- + crypto/shash.c | 3 +- + drivers/block/cciss.c | 2 + + drivers/char/Kconfig | 4 +- + drivers/char/genrtc.c | 1 + + drivers/char/mem.c | 17 + + drivers/char/random.c | 12 + + drivers/gpu/drm/drm_info.c | 4 + + drivers/hid/hid-wiimote-debug.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 +- + drivers/message/fusion/mptbase.c | 5 + + drivers/net/phy/mdio-bitbang.c | 1 + + drivers/pci/proc.c | 9 + + drivers/rtc/rtc-dev.c | 3 + + drivers/tty/sysrq.c | 2 +- + drivers/tty/vt/keyboard.c | 22 +- + drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- + drivers/xen/xenfs/xenstored.c | 5 + + fs/attr.c | 1 + + fs/autofs4/waitq.c | 9 + + fs/binfmt_aout.c | 7 + + fs/binfmt_elf.c | 6 + + fs/btrfs/inode.c | 10 +- + fs/btrfs/ioctl.c | 6 +- + fs/compat.c | 18 + + fs/coredump.c | 10 +- + fs/debugfs/inode.c | 4 + + fs/exec.c | 155 +- + fs/ext2/balloc.c | 4 +- + fs/ext3/balloc.c | 4 +- + fs/ext4/balloc.c | 4 +- + fs/fcntl.c | 5 + + fs/file.c | 4 + + fs/filesystems.c | 5 + + fs/fs_struct.c | 26 +- + fs/hugetlbfs/inode.c | 5 +- + fs/namei.c | 269 ++- + fs/namespace.c | 24 + + fs/open.c | 38 + + fs/pipe.c | 2 +- + fs/proc/Kconfig | 10 +- + fs/proc/array.c | 59 +- + fs/proc/base.c | 168 +- + fs/proc/cmdline.c | 4 + + fs/proc/devices.c | 4 + + fs/proc/fd.c | 17 +- + fs/proc/inode.c | 17 + + fs/proc/internal.h | 3 + + fs/proc/kcore.c | 3 + + fs/proc/proc_net.c | 12 + + fs/proc/proc_sysctl.c | 43 +- + fs/proc/root.c | 8 + + fs/proc/task_mmu.c | 75 +- + fs/readdir.c | 19 + + fs/select.c | 2 + + fs/seq_file.c | 12 +- + fs/stat.c | 19 +- + fs/sysfs/dir.c | 12 + + fs/utimes.c | 7 + + fs/xattr.c | 19 +- + grsecurity/Kconfig | 1021 +++++ + grsecurity/Makefile | 38 + + grsecurity/gracl.c | 4017 ++++++++++++++++++++ + grsecurity/gracl_alloc.c | 105 + + grsecurity/gracl_cap.c | 110 + + grsecurity/gracl_fs.c | 431 +++ + grsecurity/gracl_ip.c | 384 ++ + grsecurity/gracl_learn.c | 207 + + grsecurity/gracl_res.c | 68 + + grsecurity/gracl_segv.c | 299 ++ + grsecurity/gracl_shm.c | 40 + + grsecurity/grsec_chdir.c | 19 + + grsecurity/grsec_chroot.c | 357 ++ + grsecurity/grsec_disabled.c | 434 +++ + grsecurity/grsec_exec.c | 174 + + grsecurity/grsec_fifo.c | 24 + + grsecurity/grsec_fork.c | 23 + + grsecurity/grsec_init.c | 283 ++ + grsecurity/grsec_link.c | 58 + + grsecurity/grsec_log.c | 329 ++ + grsecurity/grsec_mem.c | 40 + + grsecurity/grsec_mount.c | 62 + + grsecurity/grsec_pax.c | 36 + + grsecurity/grsec_ptrace.c | 30 + + grsecurity/grsec_sig.c | 222 ++ + grsecurity/grsec_sock.c | 244 ++ + grsecurity/grsec_sysctl.c | 469 +++ + grsecurity/grsec_time.c | 16 + + grsecurity/grsec_tpe.c | 73 + + grsecurity/grsum.c | 61 + + include/linux/capability.h | 5 + + include/linux/cred.h | 3 + + include/linux/fs.h | 10 + + include/linux/fsnotify.h | 6 + + include/linux/gracl.h | 319 ++ + include/linux/gralloc.h | 9 + + include/linux/grdefs.h | 140 + + include/linux/grinternal.h | 215 ++ + include/linux/grmsg.h | 111 + + include/linux/grsecurity.h | 257 ++ + include/linux/grsock.h | 19 + + include/linux/kallsyms.h | 14 +- + include/linux/kmod.h | 2 + + include/linux/netfilter/xt_gradm.h | 9 + + include/linux/printk.h | 3 +- + include/linux/proc_fs.h | 12 + + include/linux/sched.h | 66 +- + include/linux/security.h | 1 + + include/linux/seq_file.h | 3 + + include/linux/shm.h | 4 + + include/linux/sysctl.h | 2 + + include/linux/thread_info.h | 2 + + include/linux/vermagic.h | 9 +- + include/trace/events/fs.h | 53 + + include/uapi/linux/personality.h | 1 + + init/Kconfig | 5 +- + init/main.c | 14 + + ipc/mqueue.c | 1 + + ipc/shm.c | 28 + + kernel/capability.c | 39 +- + kernel/cgroup.c | 2 +- + kernel/compat.c | 1 + + kernel/configs.c | 11 + + kernel/cred.c | 109 +- + kernel/exit.c | 10 +- + kernel/fork.c | 24 +- + kernel/futex.c | 1 + + kernel/kallsyms.c | 9 + + kernel/kcmp.c | 4 + + kernel/kmod.c | 71 +- + kernel/kprobes.c | 4 +- + kernel/ksysfs.c | 2 + + kernel/lockdep_proc.c | 10 +- + kernel/module.c | 80 +- + kernel/panic.c | 4 +- + kernel/pid.c | 19 +- + kernel/posix-timers.c | 8 + + kernel/printk.c | 5 + + kernel/ptrace.c | 20 +- + kernel/resource.c | 10 + + kernel/sched/core.c | 6 +- + kernel/signal.c | 37 +- + kernel/sys.c | 38 +- + kernel/sysctl.c | 39 +- + kernel/taskstats.c | 6 + + kernel/time.c | 5 + + kernel/time/timekeeping.c | 3 + + kernel/time/timer_list.c | 12 + + kernel/time/timer_stats.c | 10 +- + lib/Kconfig.debug | 5 +- + lib/is_single_threaded.c | 3 + + lib/vsprintf.c | 35 +- + localversion-grsec | 1 + + mm/Kconfig | 4 +- + mm/filemap.c | 1 + + mm/kmemleak.c | 4 +- + mm/mempolicy.c | 12 +- + mm/migrate.c | 3 +- + mm/mlock.c | 3 + + mm/mmap.c | 62 +- + mm/mprotect.c | 8 + + mm/page_alloc.c | 6 + + mm/process_vm_access.c | 6 + + mm/shmem.c | 2 +- + mm/slab.c | 2 +- + mm/slub.c | 14 +- + mm/vmalloc.c | 4 + + mm/vmstat.c | 18 +- + net/core/dev.c | 9 + + net/core/sock_diag.c | 7 + + net/ipv4/inet_hashtables.c | 5 + + net/ipv4/ip_sockglue.c | 3 +- + net/ipv4/tcp_input.c | 4 +- + net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_minisocks.c | 9 +- + net/ipv4/tcp_timer.c | 11 + + net/ipv4/udp.c | 24 + + net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/udp.c | 7 + + net/netfilter/Kconfig | 10 + + net/netfilter/Makefile | 1 + + net/netfilter/nf_conntrack_core.c | 8 + + net/netfilter/xt_gradm.c | 51 + + net/netrom/af_netrom.c | 2 +- + net/phonet/af_phonet.c | 4 +- + net/sctp/proc.c | 3 +- + net/socket.c | 62 +- + net/sysctl_net.c | 2 +- + net/unix/af_unix.c | 19 + + security/Kconfig | 320 ++- + security/apparmor/lsm.c | 2 +- + security/commoncap.c | 29 + + security/min_addr.c | 2 + + security/security.c | 2 - + security/selinux/hooks.c | 2 - + security/yama/Kconfig | 2 +- + tools/gcc/Makefile | 2 +- + 286 files changed, 15083 insertions(+), 2067 deletions(-) + +commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 +Author: Brad Spengler +Date: Wed Feb 20 21:00:42 2013 -0500 + + Initial import of pax-linux-3.8-test3.patch + + Documentation/dontdiff | 43 +- + Documentation/kernel-parameters.txt | 7 + + Makefile | 97 +- + arch/alpha/include/asm/atomic.h | 10 + + arch/alpha/include/asm/elf.h | 7 + + arch/alpha/include/asm/pgalloc.h | 6 + + arch/alpha/include/asm/pgtable.h | 11 + + arch/alpha/kernel/module.c | 2 +- + arch/alpha/kernel/osf_sys.c | 10 +- + arch/alpha/mm/fault.c | 141 +- + arch/arm/Kconfig | 2 +- + arch/arm/include/asm/atomic.h | 421 +++- + arch/arm/include/asm/cache.h | 3 +- + arch/arm/include/asm/cacheflush.h | 2 +- + arch/arm/include/asm/checksum.h | 14 +- + arch/arm/include/asm/cmpxchg.h | 2 + + arch/arm/include/asm/delay.h | 8 +- + arch/arm/include/asm/domain.h | 32 +- + arch/arm/include/asm/elf.h | 13 +- + arch/arm/include/asm/fncpy.h | 2 + + arch/arm/include/asm/futex.h | 10 + + arch/arm/include/asm/kmap_types.h | 2 +- + arch/arm/include/asm/mach/dma.h | 2 +- + arch/arm/include/asm/mach/map.h | 7 +- + arch/arm/include/asm/outercache.h | 2 +- + arch/arm/include/asm/page.h | 2 +- + arch/arm/include/asm/pgalloc.h | 22 +- + arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + + arch/arm/include/asm/pgtable-2level.h | 1 + + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + + arch/arm/include/asm/pgtable-3level.h | 2 + + arch/arm/include/asm/pgtable.h | 56 +- + arch/arm/include/asm/proc-fns.h | 2 +- + arch/arm/include/asm/processor.h | 5 +- + arch/arm/include/asm/smp.h | 2 +- + arch/arm/include/asm/thread_info.h | 6 +- + arch/arm/include/asm/uaccess.h | 92 +- + arch/arm/include/uapi/asm/ptrace.h | 2 +- + arch/arm/kernel/armksyms.c | 4 +- + arch/arm/kernel/entry-armv.S | 107 +- + arch/arm/kernel/entry-common.S | 41 +- + arch/arm/kernel/entry-header.S | 60 + + arch/arm/kernel/fiq.c | 2 + + arch/arm/kernel/head.S | 6 +- + arch/arm/kernel/hw_breakpoint.c | 2 +- + arch/arm/kernel/module.c | 29 +- + arch/arm/kernel/perf_event_cpu.c | 2 +- + arch/arm/kernel/process.c | 10 +- + arch/arm/kernel/setup.c | 22 +- + arch/arm/kernel/smp.c | 2 +- + arch/arm/kernel/traps.c | 8 +- + arch/arm/kernel/vmlinux.lds.S | 20 +- + arch/arm/lib/clear_user.S | 6 +- + arch/arm/lib/copy_from_user.S | 6 +- + arch/arm/lib/copy_page.S | 1 + + arch/arm/lib/copy_to_user.S | 6 +- + arch/arm/lib/csumpartialcopyuser.S | 4 +- + arch/arm/lib/delay.c | 14 +- + arch/arm/lib/uaccess_with_memcpy.c | 2 +- + arch/arm/mach-kirkwood/common.c | 19 +- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- + arch/arm/mach-omap2/omap_hwmod.c | 4 +- + arch/arm/mach-ux500/include/mach/setup.h | 7 - + arch/arm/mm/Kconfig | 3 +- + arch/arm/mm/fault.c | 78 + + arch/arm/mm/fault.h | 12 + + arch/arm/mm/init.c | 41 + + arch/arm/mm/ioremap.c | 4 +- + arch/arm/mm/mmap.c | 36 +- + arch/arm/mm/mmu.c | 186 +- + arch/arm/mm/proc-v7-2level.S | 3 + + arch/arm/plat-omap/sram.c | 2 + + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- + arch/arm64/kernel/debug-monitors.c | 2 +- + arch/arm64/kernel/hw_breakpoint.c | 2 +- + arch/avr32/include/asm/elf.h | 8 +- + arch/avr32/include/asm/kmap_types.h | 4 +- + arch/avr32/mm/fault.c | 27 + + arch/frv/include/asm/atomic.h | 10 + + arch/frv/include/asm/kmap_types.h | 2 +- + arch/frv/mm/elf-fdpic.c | 7 +- + arch/ia64/include/asm/atomic.h | 10 + + arch/ia64/include/asm/elf.h | 7 + + arch/ia64/include/asm/pgalloc.h | 12 + + arch/ia64/include/asm/pgtable.h | 13 +- + arch/ia64/include/asm/spinlock.h | 2 +- + arch/ia64/include/asm/uaccess.h | 28 +- + arch/ia64/kernel/err_inject.c | 2 +- + arch/ia64/kernel/mca.c | 2 +- + arch/ia64/kernel/module.c | 48 +- + arch/ia64/kernel/palinfo.c | 2 +- + arch/ia64/kernel/salinfo.c | 2 +- + arch/ia64/kernel/sys_ia64.c | 13 +- + arch/ia64/kernel/topology.c | 2 +- + arch/ia64/kernel/vmlinux.lds.S | 2 +- + arch/ia64/mm/fault.c | 32 +- + arch/ia64/mm/hugetlbpage.c | 2 +- + arch/ia64/mm/init.c | 13 + + arch/m32r/lib/usercopy.c | 6 + + arch/mips/include/asm/atomic.h | 14 + + arch/mips/include/asm/elf.h | 11 +- + arch/mips/include/asm/exec.h | 2 +- + arch/mips/include/asm/page.h | 2 +- + arch/mips/include/asm/pgalloc.h | 5 + + arch/mips/kernel/binfmt_elfn32.c | 7 + + arch/mips/kernel/binfmt_elfo32.c | 7 + + arch/mips/kernel/process.c | 12 - + arch/mips/mm/fault.c | 17 + + arch/mips/mm/mmap.c | 51 +- + arch/parisc/include/asm/atomic.h | 10 + + arch/parisc/include/asm/elf.h | 7 + + arch/parisc/include/asm/pgalloc.h | 6 + + arch/parisc/include/asm/pgtable.h | 11 + + arch/parisc/include/asm/uaccess.h | 4 +- + arch/parisc/kernel/module.c | 50 +- + arch/parisc/kernel/sys_parisc.c | 6 +- + arch/parisc/kernel/traps.c | 4 +- + arch/parisc/mm/fault.c | 140 +- + arch/powerpc/include/asm/atomic.h | 10 + + arch/powerpc/include/asm/elf.h | 19 +- + arch/powerpc/include/asm/exec.h | 2 +- + arch/powerpc/include/asm/kmap_types.h | 2 +- + arch/powerpc/include/asm/mman.h | 2 +- + arch/powerpc/include/asm/page.h | 8 +- + arch/powerpc/include/asm/page_64.h | 7 +- + arch/powerpc/include/asm/pgalloc-64.h | 7 + + arch/powerpc/include/asm/pgtable.h | 1 + + arch/powerpc/include/asm/pte-hash32.h | 1 + + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/include/asm/uaccess.h | 142 +- + arch/powerpc/kernel/exceptions-64e.S | 4 +- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + arch/powerpc/kernel/module_32.c | 13 +- + arch/powerpc/kernel/process.c | 55 - + arch/powerpc/kernel/signal_32.c | 2 +- + arch/powerpc/kernel/signal_64.c | 2 +- + arch/powerpc/kernel/sysfs.c | 2 +- + arch/powerpc/kernel/vdso.c | 5 +- + arch/powerpc/lib/usercopy_64.c | 18 - + arch/powerpc/mm/fault.c | 54 +- + arch/powerpc/mm/mmap_64.c | 16 + + arch/powerpc/mm/mmu_context_nohash.c | 2 +- + arch/powerpc/mm/numa.c | 2 +- + arch/powerpc/mm/slice.c | 23 +- + arch/powerpc/platforms/powermac/smp.c | 2 +- + arch/s390/include/asm/atomic.h | 10 + + arch/s390/include/asm/elf.h | 13 +- + arch/s390/include/asm/exec.h | 2 +- + arch/s390/include/asm/uaccess.h | 15 +- + arch/s390/kernel/module.c | 22 +- + arch/s390/kernel/process.c | 36 - + arch/s390/mm/mmap.c | 24 + + arch/score/include/asm/exec.h | 2 +- + arch/score/kernel/process.c | 5 - + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- + arch/sh/mm/mmap.c | 22 +- + arch/sparc/include/asm/atomic_64.h | 106 +- + arch/sparc/include/asm/cache.h | 2 +- + arch/sparc/include/asm/elf_32.h | 7 + + arch/sparc/include/asm/elf_64.h | 7 + + arch/sparc/include/asm/pgalloc_32.h | 1 + + arch/sparc/include/asm/pgalloc_64.h | 1 + + arch/sparc/include/asm/pgtable_32.h | 15 +- + arch/sparc/include/asm/pgtsrmmu.h | 5 + + arch/sparc/include/asm/spinlock_64.h | 35 +- + arch/sparc/include/asm/thread_info_32.h | 2 + + arch/sparc/include/asm/thread_info_64.h | 2 + + arch/sparc/include/asm/uaccess.h | 8 + + arch/sparc/include/asm/uaccess_32.h | 27 +- + arch/sparc/include/asm/uaccess_64.h | 19 +- + arch/sparc/kernel/Makefile | 2 +- + arch/sparc/kernel/sys_sparc_32.c | 2 +- + arch/sparc/kernel/sys_sparc_64.c | 48 +- + arch/sparc/kernel/sysfs.c | 2 +- + arch/sparc/kernel/traps_64.c | 13 +- + arch/sparc/lib/Makefile | 2 +- + arch/sparc/lib/atomic_64.S | 136 +- + arch/sparc/lib/ksyms.c | 6 + + arch/sparc/mm/Makefile | 2 +- + arch/sparc/mm/fault_32.c | 292 ++ + arch/sparc/mm/fault_64.c | 486 +++ + arch/sparc/mm/hugetlbpage.c | 21 +- + arch/tile/include/asm/atomic_64.h | 10 + + arch/tile/include/asm/uaccess.h | 4 +- + arch/um/Makefile | 4 + + arch/um/include/asm/kmap_types.h | 2 +- + arch/um/include/asm/page.h | 3 + + arch/um/include/asm/pgtable-3level.h | 1 + + arch/um/kernel/process.c | 16 - + arch/x86/Kconfig | 10 +- + arch/x86/Kconfig.cpu | 6 +- + arch/x86/Kconfig.debug | 6 +- + arch/x86/Makefile | 10 + + arch/x86/boot/Makefile | 3 + + arch/x86/boot/bitops.h | 4 +- + arch/x86/boot/boot.h | 4 +- + arch/x86/boot/compressed/Makefile | 3 + + arch/x86/boot/compressed/eboot.c | 2 - + arch/x86/boot/compressed/head_32.S | 7 +- + arch/x86/boot/compressed/head_64.S | 4 +- + arch/x86/boot/compressed/misc.c | 4 +- + arch/x86/boot/cpucheck.c | 28 +- + arch/x86/boot/header.S | 6 +- + arch/x86/boot/memory.c | 2 +- + arch/x86/boot/video-vesa.c | 1 + + arch/x86/boot/video.c | 2 +- + arch/x86/crypto/aes-x86_64-asm_64.S | 4 + + arch/x86/crypto/aesni-intel_asm.S | 31 + + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + + arch/x86/crypto/sha1_ssse3_asm.S | 3 + + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + + arch/x86/ia32/ia32_signal.c | 14 +- + arch/x86/ia32/ia32entry.S | 141 +- + arch/x86/ia32/sys_ia32.c | 12 +- + arch/x86/include/asm/alternative-asm.h | 39 + + arch/x86/include/asm/alternative.h | 4 +- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/include/asm/apm.h | 4 +- + arch/x86/include/asm/atomic.h | 307 ++- + arch/x86/include/asm/atomic64_32.h | 100 + + arch/x86/include/asm/atomic64_64.h | 202 ++- + arch/x86/include/asm/bitops.h | 2 +- + arch/x86/include/asm/boot.h | 7 +- + arch/x86/include/asm/cache.h | 5 +- + arch/x86/include/asm/cacheflush.h | 2 +- + arch/x86/include/asm/checksum_32.h | 12 +- + arch/x86/include/asm/cmpxchg.h | 35 + + arch/x86/include/asm/cpufeature.h | 4 +- + arch/x86/include/asm/desc.h | 65 +- + arch/x86/include/asm/desc_defs.h | 6 + + arch/x86/include/asm/elf.h | 31 +- + arch/x86/include/asm/emergency-restart.h | 2 +- + arch/x86/include/asm/fpu-internal.h | 6 +- + arch/x86/include/asm/futex.h | 16 +- + arch/x86/include/asm/hw_irq.h | 4 +- + arch/x86/include/asm/io.h | 13 +- + arch/x86/include/asm/irqflags.h | 5 + + arch/x86/include/asm/kprobes.h | 9 +- + arch/x86/include/asm/local.h | 142 +- + arch/x86/include/asm/mman.h | 15 + + arch/x86/include/asm/mmu.h | 16 +- + arch/x86/include/asm/mmu_context.h | 76 +- + arch/x86/include/asm/module.h | 17 +- + arch/x86/include/asm/page_64_types.h | 2 +- + arch/x86/include/asm/paravirt.h | 44 +- + arch/x86/include/asm/paravirt_types.h | 17 +- + arch/x86/include/asm/pgalloc.h | 23 + + arch/x86/include/asm/pgtable-2level.h | 2 + + arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable.h | 110 +- + arch/x86/include/asm/pgtable_32.h | 14 +- + arch/x86/include/asm/pgtable_32_types.h | 15 +- + arch/x86/include/asm/pgtable_64.h | 19 +- + arch/x86/include/asm/pgtable_64_types.h | 5 + + arch/x86/include/asm/pgtable_types.h | 36 +- + arch/x86/include/asm/processor.h | 39 +- + arch/x86/include/asm/ptrace.h | 26 +- + arch/x86/include/asm/realmode.h | 4 +- + arch/x86/include/asm/reboot.h | 10 +- + arch/x86/include/asm/rwsem.h | 60 +- + arch/x86/include/asm/segment.h | 24 +- + arch/x86/include/asm/smp.h | 14 +- + arch/x86/include/asm/spinlock.h | 36 +- + arch/x86/include/asm/stackprotector.h | 4 +- + arch/x86/include/asm/stacktrace.h | 32 +- + arch/x86/include/asm/switch_to.h | 4 +- + arch/x86/include/asm/thread_info.h | 83 +- + arch/x86/include/asm/uaccess.h | 96 +- + arch/x86/include/asm/uaccess_32.h | 106 +- + arch/x86/include/asm/uaccess_64.h | 232 +- + arch/x86/include/asm/word-at-a-time.h | 2 +- + arch/x86/include/asm/x86_init.h | 10 +- + arch/x86/include/asm/xsave.h | 10 +- + arch/x86/include/uapi/asm/e820.h | 2 +- + arch/x86/kernel/Makefile | 2 +- + arch/x86/kernel/acpi/sleep.c | 4 + + arch/x86/kernel/acpi/wakeup_32.S | 6 +- + arch/x86/kernel/alternative.c | 65 +- + arch/x86/kernel/apic/apic.c | 6 +- + arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/bigsmp_32.c | 2 +- + arch/x86/kernel/apic/es7000_32.c | 5 +- + arch/x86/kernel/apic/io_apic.c | 8 +- + arch/x86/kernel/apic/numaq_32.c | 3 +- + arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/summit_32.c | 2 +- + arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_phys.c | 2 +- + arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- + arch/x86/kernel/apm_32.c | 19 +- + arch/x86/kernel/asm-offsets.c | 20 + + arch/x86/kernel/asm-offsets_64.c | 1 + + arch/x86/kernel/cpu/Makefile | 4 - + arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/common.c | 75 +- + arch/x86/kernel/cpu/intel.c | 2 +- + arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- + arch/x86/kernel/cpu/mcheck/mce.c | 29 +- + arch/x86/kernel/cpu/mcheck/p5.c | 3 + + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + + arch/x86/kernel/cpu/mtrr/main.c | 2 +- + arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- + arch/x86/kernel/cpu/perf_event.c | 4 +- + arch/x86/kernel/cpu/perf_event_intel.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + arch/x86/kernel/cpuid.c | 2 +- + arch/x86/kernel/crash.c | 4 +- + arch/x86/kernel/doublefault_32.c | 8 +- + arch/x86/kernel/dumpstack.c | 30 +- + arch/x86/kernel/dumpstack_32.c | 34 +- + arch/x86/kernel/dumpstack_64.c | 63 +- + arch/x86/kernel/early_printk.c | 1 + + arch/x86/kernel/entry_32.S | 354 ++- + arch/x86/kernel/entry_64.S | 512 +++- + arch/x86/kernel/ftrace.c | 14 +- + arch/x86/kernel/head32.c | 4 +- + arch/x86/kernel/head_32.S | 237 ++- + arch/x86/kernel/head_64.S | 158 +- + arch/x86/kernel/i386_ksyms_32.c | 8 + + arch/x86/kernel/i387.c | 2 +- + arch/x86/kernel/i8259.c | 2 +- + arch/x86/kernel/ioport.c | 2 +- + arch/x86/kernel/irq.c | 10 +- + arch/x86/kernel/irq_32.c | 69 +- + arch/x86/kernel/irq_64.c | 2 +- + arch/x86/kernel/kdebugfs.c | 2 +- + arch/x86/kernel/kgdb.c | 25 +- + arch/x86/kernel/kprobes-opt.c | 12 +- + arch/x86/kernel/kprobes.c | 30 +- + arch/x86/kernel/kvm.c | 2 +- + arch/x86/kernel/ldt.c | 31 +- + arch/x86/kernel/machine_kexec_32.c | 6 +- + arch/x86/kernel/microcode_core.c | 2 +- + arch/x86/kernel/microcode_intel.c | 4 +- + arch/x86/kernel/module.c | 76 +- + arch/x86/kernel/msr.c | 2 +- + arch/x86/kernel/nmi.c | 11 + + arch/x86/kernel/paravirt-spinlocks.c | 2 +- + arch/x86/kernel/paravirt.c | 43 +- + arch/x86/kernel/pci-iommu_table.c | 2 +- + arch/x86/kernel/process.c | 57 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 15 +- + arch/x86/kernel/ptrace.c | 25 +- + arch/x86/kernel/pvclock.c | 8 +- + arch/x86/kernel/reboot.c | 44 +- + arch/x86/kernel/relocate_kernel_64.S | 4 +- + arch/x86/kernel/setup.c | 14 +- + arch/x86/kernel/setup_percpu.c | 27 +- + arch/x86/kernel/signal.c | 15 +- + arch/x86/kernel/smp.c | 2 +- + arch/x86/kernel/smpboot.c | 15 +- + arch/x86/kernel/step.c | 10 +- + arch/x86/kernel/sys_i386_32.c | 247 ++ + arch/x86/kernel/sys_x86_64.c | 19 +- + arch/x86/kernel/tboot.c | 14 +- + arch/x86/kernel/time.c | 10 +- + arch/x86/kernel/tls.c | 7 +- + arch/x86/kernel/traps.c | 64 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/kernel/vm86_32.c | 6 +- + arch/x86/kernel/vmlinux.lds.S | 148 +- + arch/x86/kernel/vsyscall_64.c | 12 +- + arch/x86/kernel/x8664_ksyms_64.c | 2 - + arch/x86/kernel/x86_init.c | 8 +- + arch/x86/kernel/xsave.c | 2 + + arch/x86/kvm/cpuid.c | 21 +- + arch/x86/kvm/emulate.c | 4 +- + arch/x86/kvm/lapic.c | 2 +- + arch/x86/kvm/paging_tmpl.h | 2 +- + arch/x86/kvm/svm.c | 8 + + arch/x86/kvm/vmx.c | 47 +- + arch/x86/kvm/x86.c | 10 +- + arch/x86/lguest/boot.c | 3 +- + arch/x86/lib/atomic64_386_32.S | 164 + + arch/x86/lib/atomic64_cx8_32.S | 103 +- + arch/x86/lib/checksum_32.S | 100 +- + arch/x86/lib/clear_page_64.S | 5 +- + arch/x86/lib/cmpxchg16b_emu.S | 2 + + arch/x86/lib/copy_page_64.S | 24 +- + arch/x86/lib/copy_user_64.S | 47 +- + arch/x86/lib/copy_user_nocache_64.S | 20 +- + arch/x86/lib/csum-copy_64.S | 2 + + arch/x86/lib/csum-wrappers_64.c | 4 +- + arch/x86/lib/getuser.S | 68 +- + arch/x86/lib/insn.c | 6 +- + arch/x86/lib/iomap_copy_64.S | 2 + + arch/x86/lib/memcpy_64.S | 18 +- + arch/x86/lib/memmove_64.S | 34 +- + arch/x86/lib/memset_64.S | 7 +- + arch/x86/lib/mmx_32.c | 243 +- + arch/x86/lib/msr-reg.S | 18 +- + arch/x86/lib/putuser.S | 90 +- + arch/x86/lib/rwlock.S | 42 + + arch/x86/lib/rwsem.S | 6 +- + arch/x86/lib/thunk_64.S | 2 + + arch/x86/lib/usercopy_32.c | 376 ++- + arch/x86/lib/usercopy_64.c | 25 +- + arch/x86/mm/extable.c | 25 +- + arch/x86/mm/fault.c | 555 +++- + arch/x86/mm/gup.c | 2 +- + arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/hugetlbpage.c | 30 +- + arch/x86/mm/init.c | 92 +- + arch/x86/mm/init_32.c | 122 +- + arch/x86/mm/init_64.c | 48 +- + arch/x86/mm/iomap_32.c | 4 + + arch/x86/mm/ioremap.c | 12 +- + arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- + arch/x86/mm/mmap.c | 41 +- + arch/x86/mm/mmio-mod.c | 10 +- + arch/x86/mm/pageattr-test.c | 2 +- + arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pat.c | 12 +- + arch/x86/mm/pf_in.c | 10 +- + arch/x86/mm/pgtable.c | 137 +- + arch/x86/mm/pgtable_32.c | 3 + + arch/x86/mm/setup_nx.c | 7 + + arch/x86/mm/tlb.c | 4 + + arch/x86/net/bpf_jit.S | 14 + + arch/x86/net/bpf_jit_comp.c | 37 +- + arch/x86/oprofile/backtrace.c | 8 +- + arch/x86/pci/amd_bus.c | 2 +- + arch/x86/pci/mrst.c | 4 +- + arch/x86/pci/pcbios.c | 144 +- + arch/x86/platform/efi/efi_32.c | 19 + + arch/x86/platform/efi/efi_stub_32.S | 64 +- + arch/x86/platform/efi/efi_stub_64.S | 8 + + arch/x86/platform/mrst/mrst.c | 6 +- + arch/x86/platform/olpc/olpc_dt.c | 2 +- + arch/x86/power/cpu.c | 4 +- + arch/x86/realmode/init.c | 8 +- + arch/x86/realmode/rm/Makefile | 3 + + arch/x86/realmode/rm/header.S | 4 +- + arch/x86/realmode/rm/trampoline_32.S | 12 +- + arch/x86/realmode/rm/trampoline_64.S | 2 +- + arch/x86/tools/relocs.c | 95 +- + arch/x86/vdso/Makefile | 2 +- + arch/x86/vdso/vdso32-setup.c | 23 +- + arch/x86/vdso/vma.c | 29 +- + arch/x86/xen/enlighten.c | 47 +- + arch/x86/xen/mmu.c | 9 + + arch/x86/xen/smp.c | 18 +- + arch/x86/xen/xen-asm_32.S | 12 +- + arch/x86/xen/xen-head.S | 11 + + arch/x86/xen/xen-ops.h | 2 - + block/blk-iopoll.c | 4 +- + block/blk-map.c | 2 +- + block/blk-softirq.c | 4 +- + block/bsg.c | 12 +- + block/compat_ioctl.c | 2 +- + block/partitions/efi.c | 8 +- + block/scsi_ioctl.c | 27 +- + crypto/cryptd.c | 4 +- + drivers/acpi/apei/cper.c | 8 +- + drivers/acpi/ec_sys.c | 12 +- + drivers/acpi/processor_driver.c | 2 +- + drivers/ata/libata-core.c | 8 +- + drivers/ata/pata_arasan_cf.c | 4 +- + drivers/atm/adummy.c | 2 +- + drivers/atm/ambassador.c | 8 +- + drivers/atm/atmtcp.c | 14 +- + drivers/atm/eni.c | 10 +- + drivers/atm/firestream.c | 8 +- + drivers/atm/fore200e.c | 14 +- + drivers/atm/he.c | 18 +- + drivers/atm/horizon.c | 4 +- + drivers/atm/idt77252.c | 36 +- + drivers/atm/iphase.c | 34 +- + drivers/atm/lanai.c | 12 +- + drivers/atm/nicstar.c | 46 +- + drivers/atm/solos-pci.c | 4 +- + drivers/atm/suni.c | 4 +- + drivers/atm/uPD98402.c | 16 +- + drivers/atm/zatm.c | 6 +- + drivers/base/devtmpfs.c | 2 +- + drivers/base/power/wakeup.c | 8 +- + drivers/block/cciss.c | 28 +- + drivers/block/cciss.h | 2 +- + drivers/block/cpqarray.c | 28 +- + drivers/block/cpqarray.h | 2 +- + drivers/block/drbd/drbd_int.h | 6 +- + drivers/block/drbd/drbd_main.c | 8 +- + drivers/block/drbd/drbd_receiver.c | 18 +- + drivers/block/loop.c | 2 +- + drivers/cdrom/cdrom.c | 9 +- + drivers/cdrom/gdrom.c | 1 - + drivers/char/agp/frontend.c | 2 +- + drivers/char/hpet.c | 2 +- + drivers/char/ipmi/ipmi_msghandler.c | 8 +- + drivers/char/ipmi/ipmi_si_intf.c | 8 +- + drivers/char/mem.c | 41 +- + drivers/char/nvram.c | 2 +- + drivers/char/pcmcia/synclink_cs.c | 18 +- + drivers/char/random.c | 8 +- + drivers/char/sonypi.c | 9 +- + drivers/char/tpm/tpm.c | 2 +- + drivers/char/tpm/tpm_acpi.c | 3 +- + drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/virtio_console.c | 4 +- + drivers/clocksource/arm_generic.c | 2 +- + drivers/cpufreq/cpufreq.c | 2 +- + drivers/cpufreq/cpufreq_stats.c | 2 +- + drivers/dma/sh/shdma.c | 2 +- + drivers/edac/edac_pci_sysfs.c | 20 +- + drivers/edac/mce_amd.h | 2 +- + drivers/firewire/core-card.c | 2 +- + drivers/firewire/core-cdev.c | 3 +- + drivers/firewire/core-transaction.c | 1 + + drivers/firewire/core.h | 1 + + drivers/firmware/dmi_scan.c | 7 +- + drivers/firmware/efivars.c | 2 +- + drivers/gpio/gpio-vr41xx.c | 2 +- + drivers/gpu/drm/drm_crtc_helper.c | 2 +- + drivers/gpu/drm/drm_drv.c | 4 +- + drivers/gpu/drm/drm_fops.c | 18 +- + drivers/gpu/drm/drm_global.c | 14 +- + drivers/gpu/drm/drm_info.c | 14 +- + drivers/gpu/drm/drm_ioc32.c | 4 +- + drivers/gpu/drm/drm_ioctl.c | 2 +- + drivers/gpu/drm/drm_lock.c | 4 +- + drivers/gpu/drm/drm_stub.c | 2 +- + drivers/gpu/drm/i810/i810_dma.c | 8 +- + drivers/gpu/drm/i810/i810_drv.h | 4 +- + drivers/gpu/drm/i915/i915_debugfs.c | 2 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + drivers/gpu/drm/i915/i915_drv.h | 6 +- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- + drivers/gpu/drm/i915/i915_irq.c | 22 +- + drivers/gpu/drm/i915/intel_display.c | 9 +- + drivers/gpu/drm/mga/mga_drv.h | 4 +- + drivers/gpu/drm/mga/mga_irq.c | 8 +- + drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- + drivers/gpu/drm/r128/r128_cce.c | 2 +- + drivers/gpu/drm/r128/r128_drv.h | 4 +- + drivers/gpu/drm/r128/r128_irq.c | 4 +- + drivers/gpu/drm/r128/r128_state.c | 4 +- + drivers/gpu/drm/radeon/mkregtable.c | 4 +- + drivers/gpu/drm/radeon/radeon_device.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- + drivers/gpu/drm/radeon/radeon_irq.c | 6 +- + drivers/gpu/drm/radeon/radeon_state.c | 4 +- + drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- + drivers/gpu/drm/radeon/rs690.c | 4 +- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- + drivers/gpu/drm/via/via_drv.h | 4 +- + drivers/gpu/drm/via/via_irq.c | 18 +- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- + drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- + drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- + drivers/hid/hid-core.c | 4 +- + drivers/hv/channel.c | 4 +- + drivers/hv/hv.c | 2 +- + drivers/hv/hyperv_vmbus.h | 2 +- + drivers/hv/vmbus_drv.c | 4 +- + drivers/hwmon/coretemp.c | 2 +- + drivers/hwmon/sht15.c | 12 +- + drivers/hwmon/via-cputemp.c | 2 +- + drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- + drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- + drivers/ide/ide-cd.c | 2 +- + drivers/infiniband/core/cm.c | 32 +- + drivers/infiniband/core/fmr_pool.c | 20 +- + drivers/infiniband/hw/cxgb4/mem.c | 4 +- + drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- + drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- + drivers/infiniband/hw/nes/nes.c | 4 +- + drivers/infiniband/hw/nes/nes.h | 40 +- + drivers/infiniband/hw/nes/nes_cm.c | 62 +- + drivers/infiniband/hw/nes/nes_mgt.c | 8 +- + drivers/infiniband/hw/nes/nes_nic.c | 40 +- + drivers/infiniband/hw/nes/nes_verbs.c | 10 +- + drivers/infiniband/hw/qib/qib.h | 1 + + drivers/input/gameport/gameport.c | 4 +- + drivers/input/input.c | 4 +- + drivers/input/joystick/sidewinder.c | 1 + + drivers/input/joystick/xpad.c | 4 +- + drivers/input/mousedev.c | 2 +- + drivers/input/serio/serio.c | 4 +- + drivers/isdn/capi/capi.c | 10 +- + drivers/isdn/gigaset/interface.c | 8 +- + drivers/isdn/hardware/avm/b1.c | 4 +- + drivers/isdn/i4l/isdn_tty.c | 22 +- + drivers/isdn/icn/icn.c | 2 +- + drivers/lguest/core.c | 10 +- + drivers/lguest/x86/core.c | 12 +- + drivers/lguest/x86/switcher_32.S | 27 +- + drivers/md/bitmap.c | 2 +- + drivers/md/dm-ioctl.c | 2 +- + drivers/md/dm-raid1.c | 16 +- + drivers/md/dm-stripe.c | 10 +- + drivers/md/dm-table.c | 2 +- + drivers/md/dm-thin-metadata.c | 4 +- + drivers/md/dm.c | 16 +- + drivers/md/md.c | 26 +- + drivers/md/md.h | 6 +- + drivers/md/persistent-data/dm-space-map.h | 1 + + drivers/md/raid1.c | 4 +- + drivers/md/raid10.c | 16 +- + drivers/md/raid5.c | 10 +- + drivers/media/dvb-core/dvbdev.c | 2 +- + drivers/media/dvb-frontends/dib3000.h | 2 +- + drivers/media/platform/omap/omap_vout.c | 11 +- + drivers/media/platform/s5p-tv/mixer.h | 2 +- + drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- + drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- + drivers/media/platform/s5p-tv/mixer_video.c | 24 +- + drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- + drivers/media/radio/radio-cadet.c | 2 + + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + drivers/message/fusion/mptsas.c | 34 +- + drivers/message/fusion/mptscsih.c | 19 +- + drivers/message/i2o/i2o_proc.c | 51 +- + drivers/message/i2o/iop.c | 8 +- + drivers/mfd/janz-cmodio.c | 1 + + drivers/misc/kgdbts.c | 4 +- + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- + drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- + drivers/misc/sgi-gru/gruhandles.c | 4 +- + drivers/misc/sgi-gru/gruprocfs.c | 8 +- + drivers/misc/sgi-gru/grutables.h | 154 +- + drivers/misc/sgi-xp/xp.h | 2 +- + drivers/misc/sgi-xp/xpc.h | 3 +- + drivers/misc/sgi-xp/xpc_main.c | 4 +- + drivers/mmc/core/mmc_ops.c | 2 +- + drivers/mmc/host/dw_mmc.h | 2 +- + drivers/mmc/host/sdhci-s3c.c | 8 +- + drivers/mtd/devices/doc2000.c | 2 +- + drivers/mtd/nand/denali.c | 1 + + drivers/mtd/nftlmount.c | 1 + + drivers/net/ethernet/8390/ax88796.c | 4 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- + drivers/net/ethernet/broadcom/tg3.h | 1 + + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 2 + + drivers/net/ethernet/faraday/ftmac100.c | 2 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- + drivers/net/ethernet/realtek/r8169.c | 8 +- + drivers/net/ethernet/sfc/ptp.c | 2 +- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- + drivers/net/hyperv/hyperv_net.h | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 +- + drivers/net/ieee802154/fakehard.c | 2 +- + drivers/net/macvlan.c | 2 +- + drivers/net/macvtap.c | 2 +- + drivers/net/ppp/ppp_generic.c | 4 +- + drivers/net/team/team.c | 2 +- + drivers/net/tun.c | 5 +- + drivers/net/usb/hso.c | 23 +- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- + drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- + drivers/net/wireless/ath/ath9k/hw.h | 4 +- + drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- + drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- + drivers/net/wireless/mac80211_hwsim.c | 32 +- + drivers/net/wireless/rndis_wlan.c | 2 +- + drivers/net/wireless/rt2x00/rt2x00.h | 2 +- + drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- + drivers/net/wireless/ti/wl1251/sdio.c | 12 +- + drivers/net/wireless/ti/wl12xx/main.c | 8 +- + drivers/net/wireless/ti/wl18xx/main.c | 6 +- + drivers/oprofile/buffer_sync.c | 8 +- + drivers/oprofile/event_buffer.c | 2 +- + drivers/oprofile/oprof.c | 2 +- + drivers/oprofile/oprofile_stats.c | 10 +- + drivers/oprofile/oprofile_stats.h | 10 +- + drivers/oprofile/oprofilefs.c | 2 +- + drivers/oprofile/timer_int.c | 2 +- + drivers/parport/procfs.c | 4 +- + drivers/pci/hotplug/cpcihp_generic.c | 6 +- + drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- + drivers/pci/hotplug/cpqphp_nvram.c | 4 + + drivers/pci/pcie/aspm.c | 6 +- + drivers/pci/probe.c | 2 +- + drivers/platform/x86/thinkpad_acpi.c | 70 +- + drivers/pnp/pnpbios/bioscalls.c | 14 +- + drivers/pnp/resource.c | 4 +- + drivers/power/pda_power.c | 7 +- + drivers/regulator/max8660.c | 6 +- + drivers/regulator/max8973-regulator.c | 8 +- + drivers/regulator/mc13892-regulator.c | 6 +- + drivers/scsi/bfa/bfa.h | 2 +- + drivers/scsi/bfa/bfa_fcpim.h | 2 +- + drivers/scsi/bfa/bfa_ioc.h | 4 +- + drivers/scsi/hosts.c | 4 +- + drivers/scsi/hpsa.c | 30 +- + drivers/scsi/hpsa.h | 2 +- + drivers/scsi/libfc/fc_exch.c | 50 +- + drivers/scsi/libsas/sas_ata.c | 2 +- + drivers/scsi/lpfc/lpfc.h | 8 +- + drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- + drivers/scsi/lpfc/lpfc_init.c | 6 +- + drivers/scsi/lpfc/lpfc_scsi.c | 16 +- + drivers/scsi/pmcraid.c | 20 +- + drivers/scsi/pmcraid.h | 8 +- + drivers/scsi/qla2xxx/qla_attr.c | 4 +- + drivers/scsi/qla2xxx/qla_gbl.h | 4 +- + drivers/scsi/qla2xxx/qla_os.c | 6 +- + drivers/scsi/qla4xxx/ql4_def.h | 2 +- + drivers/scsi/qla4xxx/ql4_os.c | 6 +- + drivers/scsi/scsi.c | 2 +- + drivers/scsi/scsi_lib.c | 6 +- + drivers/scsi/scsi_sysfs.c | 2 +- + drivers/scsi/scsi_tgt_lib.c | 2 +- + drivers/scsi/scsi_transport_fc.c | 8 +- + drivers/scsi/scsi_transport_iscsi.c | 6 +- + drivers/scsi/scsi_transport_srp.c | 6 +- + drivers/scsi/sd.c | 2 +- + drivers/scsi/sg.c | 2 +- + drivers/spi/spi.c | 2 +- + drivers/staging/octeon/ethernet-rx.c | 12 +- + drivers/staging/octeon/ethernet.c | 8 +- + drivers/staging/ramster/tmem.c | 54 +- + drivers/staging/rtl8712/rtl871x_io.h | 2 +- + drivers/staging/sbe-2t3e3/netdev.c | 2 +- + drivers/staging/usbip/vhci.h | 2 +- + drivers/staging/usbip/vhci_hcd.c | 6 +- + drivers/staging/usbip/vhci_rx.c | 2 +- + drivers/staging/vt6655/hostap.c | 7 +- + drivers/staging/vt6656/hostap.c | 7 +- + drivers/staging/zcache/tmem.c | 4 +- + drivers/staging/zcache/tmem.h | 2 + + drivers/target/target_core_device.c | 2 +- + drivers/target/target_core_transport.c | 2 +- + drivers/tty/cyclades.c | 6 +- + drivers/tty/hvc/hvc_console.c | 14 +- + drivers/tty/hvc/hvcs.c | 21 +- + drivers/tty/ipwireless/tty.c | 27 +- + drivers/tty/moxa.c | 2 +- + drivers/tty/n_gsm.c | 4 +- + drivers/tty/n_tty.c | 3 +- + drivers/tty/pty.c | 4 +- + drivers/tty/rocket.c | 6 +- + drivers/tty/serial/kgdboc.c | 32 +- + drivers/tty/serial/samsung.c | 9 +- + drivers/tty/serial/serial_core.c | 8 +- + drivers/tty/synclink.c | 34 +- + drivers/tty/synclink_gt.c | 28 +- + drivers/tty/synclinkmp.c | 34 +- + drivers/tty/tty_io.c | 2 +- + drivers/tty/tty_ldisc.c | 10 +- + drivers/tty/tty_port.c | 22 +- + drivers/uio/uio.c | 21 +- + drivers/usb/atm/cxacru.c | 2 +- + drivers/usb/atm/usbatm.c | 24 +- + drivers/usb/core/devices.c | 6 +- + drivers/usb/core/hcd.c | 4 +- + drivers/usb/core/sysfs.c | 2 +- + drivers/usb/core/usb.c | 2 +- + drivers/usb/early/ehci-dbgp.c | 16 +- + drivers/usb/gadget/u_serial.c | 22 +- + drivers/usb/serial/console.c | 6 +- + drivers/usb/wusbcore/wa-hc.h | 4 +- + drivers/usb/wusbcore/wa-xfer.c | 2 +- + drivers/video/aty/aty128fb.c | 2 +- + drivers/video/fbcmap.c | 3 +- + drivers/video/fbmem.c | 6 +- + drivers/video/i810/i810_accel.c | 1 + + drivers/video/udlfb.c | 32 +- + drivers/video/uvesafb.c | 39 +- + drivers/video/vesafb.c | 51 +- + drivers/video/via/via_clock.h | 2 +- + fs/9p/vfs_inode.c | 2 +- + fs/Kconfig.binfmt | 2 +- + fs/aio.c | 11 +- + fs/autofs4/waitq.c | 2 +- + fs/befs/linuxvfs.c | 2 +- + fs/binfmt_aout.c | 23 +- + fs/binfmt_elf.c | 604 ++++- + fs/binfmt_flat.c | 6 + + fs/bio.c | 6 +- + fs/block_dev.c | 2 +- + fs/btrfs/ctree.c | 9 +- + fs/btrfs/relocation.c | 2 +- + fs/btrfs/super.c | 2 +- + fs/cachefiles/bind.c | 6 +- + fs/cachefiles/daemon.c | 8 +- + fs/cachefiles/internal.h | 12 +- + fs/cachefiles/namei.c | 2 +- + fs/cachefiles/proc.c | 12 +- + fs/cachefiles/rdwr.c | 2 +- + fs/ceph/dir.c | 2 +- + fs/cifs/cifs_debug.c | 12 +- + fs/cifs/cifsfs.c | 8 +- + fs/cifs/cifsglob.h | 54 +- + fs/cifs/link.c | 2 +- + fs/cifs/misc.c | 4 +- + fs/cifs/smb1ops.c | 80 +- + fs/cifs/smb2ops.c | 84 +- + fs/cifs/smb2pdu.c | 3 +- + fs/coda/cache.c | 10 +- + fs/compat.c | 6 +- + fs/compat_binfmt_elf.c | 2 + + fs/compat_ioctl.c | 8 +- + fs/configfs/dir.c | 10 +- + fs/coredump.c | 24 +- + fs/dcache.c | 2 +- + fs/ecryptfs/inode.c | 4 +- + fs/ecryptfs/miscdev.c | 2 +- + fs/ecryptfs/read_write.c | 4 +- + fs/exec.c | 356 ++- + fs/ext4/ext4.h | 20 +- + fs/ext4/mballoc.c | 44 +- + fs/fhandle.c | 3 +- + fs/fifo.c | 22 +- + fs/fs_struct.c | 8 +- + fs/fscache/cookie.c | 36 +- + fs/fscache/internal.h | 196 +- + fs/fscache/object.c | 28 +- + fs/fscache/operation.c | 30 +- + fs/fscache/page.c | 110 +- + fs/fscache/stats.c | 344 +- + fs/fuse/cuse.c | 10 +- + fs/fuse/dev.c | 2 +- + fs/fuse/dir.c | 2 +- + fs/gfs2/inode.c | 2 +- + fs/hugetlbfs/inode.c | 13 +- + fs/inode.c | 4 +- + fs/jffs2/erase.c | 3 +- + fs/jffs2/wbuf.c | 3 +- + fs/jfs/super.c | 2 +- + fs/libfs.c | 10 +- + fs/lockd/clntproc.c | 4 +- + fs/locks.c | 8 +- + fs/namei.c | 15 +- + fs/namespace.c | 2 +- + fs/nfs/inode.c | 6 +- + fs/nfsd/vfs.c | 6 +- + fs/notify/fanotify/fanotify_user.c | 4 +- + fs/notify/notification.c | 4 +- + fs/ntfs/dir.c | 2 +- + fs/ntfs/file.c | 4 +- + fs/ocfs2/localalloc.c | 2 +- + fs/ocfs2/ocfs2.h | 10 +- + fs/ocfs2/suballoc.c | 12 +- + fs/ocfs2/super.c | 20 +- + fs/pipe.c | 33 +- + fs/proc/array.c | 20 + + fs/proc/kcore.c | 32 +- + fs/proc/meminfo.c | 2 +- + fs/proc/nommu.c | 2 +- + fs/proc/self.c | 2 +- + fs/proc/task_mmu.c | 39 +- + fs/proc/task_nommu.c | 4 +- + fs/quota/netlink.c | 4 +- + fs/readdir.c | 2 +- + fs/reiserfs/do_balan.c | 2 +- + fs/reiserfs/procfs.c | 2 +- + fs/reiserfs/reiserfs.h | 4 +- + fs/seq_file.c | 2 +- + fs/splice.c | 36 +- + fs/sysfs/file.c | 10 +- + fs/sysfs/symlink.c | 2 +- + fs/udf/misc.c | 2 +- + fs/xattr_acl.c | 4 +- + fs/xfs/xfs_bmap.c | 2 +- + fs/xfs/xfs_dir2_sf.c | 10 +- + fs/xfs/xfs_ioctl.c | 2 +- + fs/xfs/xfs_iops.c | 2 +- + include/asm-generic/4level-fixup.h | 2 + + include/asm-generic/atomic-long.h | 210 ++ + include/asm-generic/atomic.h | 2 +- + include/asm-generic/atomic64.h | 12 + + include/asm-generic/cache.h | 4 +- + include/asm-generic/emergency-restart.h | 2 +- + include/asm-generic/kmap_types.h | 4 +- + include/asm-generic/local.h | 13 + + include/asm-generic/pgtable-nopmd.h | 18 +- + include/asm-generic/pgtable-nopud.h | 15 +- + include/asm-generic/pgtable.h | 8 + + include/asm-generic/vmlinux.lds.h | 10 +- + include/crypto/algapi.h | 2 +- + include/drm/drmP.h | 5 +- + include/drm/drm_crtc_helper.h | 2 +- + include/drm/ttm/ttm_memory.h | 2 +- + include/linux/atmdev.h | 2 +- + include/linux/binfmts.h | 1 + + include/linux/blkdev.h | 2 +- + include/linux/blktrace_api.h | 2 +- + include/linux/cache.h | 4 + + include/linux/cdrom.h | 1 - + include/linux/cleancache.h | 2 +- + include/linux/compiler-gcc4.h | 20 + + include/linux/compiler.h | 72 +- + include/linux/cpu.h | 2 +- + include/linux/crypto.h | 6 +- + include/linux/decompress/mm.h | 2 +- + include/linux/dma-mapping.h | 2 +- + include/linux/dmaengine.h | 4 +- + include/linux/efi.h | 1 + + include/linux/elf.h | 2 + + include/linux/filter.h | 4 + + include/linux/frontswap.h | 2 +- + include/linux/fs.h | 3 +- + include/linux/fs_struct.h | 2 +- + include/linux/fscache-cache.h | 4 +- + include/linux/fsnotify.h | 2 +- + include/linux/ftrace_event.h | 2 +- + include/linux/genhd.h | 2 +- + include/linux/gfp.h | 12 +- + include/linux/highmem.h | 12 + + include/linux/i2c.h | 1 + + include/linux/i2o.h | 2 +- + include/linux/if_pppox.h | 2 +- + include/linux/init.h | 33 +- + include/linux/init_task.h | 7 + + include/linux/interrupt.h | 8 +- + include/linux/kgdb.h | 6 +- + include/linux/kobject.h | 2 +- + include/linux/kref.h | 2 +- + include/linux/kvm_host.h | 4 +- + include/linux/libata.h | 2 +- + include/linux/list.h | 3 + + include/linux/mm.h | 91 +- + include/linux/mm_types.h | 22 +- + include/linux/mmiotrace.h | 4 +- + include/linux/mmzone.h | 2 +- + include/linux/mod_devicetable.h | 4 +- + include/linux/module.h | 55 +- + include/linux/moduleloader.h | 18 +- + include/linux/moduleparam.h | 4 +- + include/linux/namei.h | 6 +- + include/linux/netdevice.h | 3 +- + include/linux/netfilter/ipset/ip_set.h | 2 +- + include/linux/netfilter/nfnetlink.h | 2 +- + include/linux/notifier.h | 3 +- + include/linux/oprofile.h | 4 +- + include/linux/perf_event.h | 10 +- + include/linux/pipe_fs_i.h | 6 +- + include/linux/platform_data/usb-ehci-s5p.h | 2 +- + include/linux/pm_runtime.h | 2 +- + include/linux/poison.h | 4 +- + include/linux/power/smartreflex.h | 2 +- + include/linux/random.h | 5 + + include/linux/reboot.h | 14 +- + include/linux/regset.h | 3 +- + include/linux/relay.h | 2 +- + include/linux/rio.h | 2 +- + include/linux/rmap.h | 4 +- + include/linux/sched.h | 64 +- + include/linux/seq_file.h | 1 + + include/linux/skbuff.h | 12 +- + include/linux/slab.h | 36 +- + include/linux/slab_def.h | 33 +- + include/linux/slob_def.h | 4 +- + include/linux/slub_def.h | 10 +- + include/linux/sonet.h | 2 +- + include/linux/sunrpc/clnt.h | 8 +- + include/linux/sunrpc/svc_rdma.h | 18 +- + include/linux/sysrq.h | 2 +- + include/linux/thread_info.h | 7 + + include/linux/tty.h | 4 +- + include/linux/tty_driver.h | 2 +- + include/linux/tty_ldisc.h | 2 +- + include/linux/types.h | 16 + + include/linux/uaccess.h | 6 +- + include/linux/unaligned/access_ok.h | 12 +- + include/linux/usb.h | 2 +- + include/linux/usb/renesas_usbhs.h | 2 +- + include/linux/vermagic.h | 21 +- + include/linux/vmalloc.h | 11 +- + include/linux/vmstat.h | 20 +- + include/media/v4l2-dev.h | 2 +- + include/media/v4l2-ioctl.h | 1 - + include/net/caif/cfctrl.h | 6 +- + include/net/flow.h | 2 +- + include/net/gro_cells.h | 6 +- + include/net/inet_connection_sock.h | 2 +- + include/net/inetpeer.h | 8 +- + include/net/ip_fib.h | 2 +- + include/net/ip_vs.h | 4 +- + include/net/irda/ircomm_tty.h | 1 + + include/net/iucv/af_iucv.h | 2 +- + include/net/neighbour.h | 2 +- + include/net/net_namespace.h | 6 +- + include/net/netdma.h | 2 +- + include/net/netlink.h | 2 +- + include/net/netns/ipv4.h | 2 +- + include/net/protocol.h | 4 +- + include/net/sctp/sctp.h | 6 +- + include/net/sctp/structs.h | 4 +- + include/net/sock.h | 6 +- + include/net/tcp.h | 8 +- + include/net/xfrm.h | 4 +- + include/rdma/iw_cm.h | 2 +- + include/scsi/libfc.h | 3 +- + include/scsi/scsi_device.h | 6 +- + include/scsi/scsi_transport_fc.h | 3 +- + include/sound/soc.h | 4 +- + include/target/target_core_base.h | 2 +- + include/trace/events/irq.h | 4 +- + include/uapi/linux/a.out.h | 8 + + include/uapi/linux/byteorder/little_endian.h | 24 +- + include/uapi/linux/elf.h | 28 + + include/uapi/linux/screen_info.h | 3 +- + include/uapi/linux/sysctl.h | 6 +- + include/uapi/linux/xattr.h | 4 + + include/video/udlfb.h | 8 +- + include/video/uvesafb.h | 1 + + init/Kconfig | 2 +- + init/Makefile | 3 + + init/do_mounts.c | 14 +- + init/do_mounts.h | 8 +- + init/do_mounts_initrd.c | 22 +- + init/do_mounts_md.c | 6 +- + init/init_task.c | 4 + + init/initramfs.c | 40 +- + init/main.c | 78 +- + ipc/msg.c | 11 +- + ipc/sem.c | 11 +- + ipc/shm.c | 17 +- + kernel/acct.c | 2 +- + kernel/audit.c | 8 +- + kernel/auditsc.c | 4 +- + kernel/capability.c | 3 + + kernel/compat.c | 40 +- + kernel/debug/debug_core.c | 16 +- + kernel/debug/kdb/kdb_main.c | 4 +- + kernel/events/core.c | 28 +- + kernel/exit.c | 4 +- + kernel/fork.c | 167 +- + kernel/futex.c | 9 + + kernel/gcov/base.c | 7 +- + kernel/hrtimer.c | 4 +- + kernel/jump_label.c | 5 + + kernel/kallsyms.c | 39 +- + kernel/kexec.c | 3 +- + kernel/kmod.c | 2 +- + kernel/kprobes.c | 8 +- + kernel/lockdep.c | 7 +- + kernel/module.c | 333 ++- + kernel/mutex-debug.c | 12 +- + kernel/mutex-debug.h | 4 +- + kernel/mutex.c | 7 +- + kernel/notifier.c | 17 +- + kernel/panic.c | 3 +- + kernel/pid.c | 2 +- + kernel/posix-cpu-timers.c | 4 +- + kernel/posix-timers.c | 20 +- + kernel/power/process.c | 12 +- + kernel/profile.c | 14 +- + kernel/ptrace.c | 6 +- + kernel/rcutiny.c | 4 +- + kernel/rcutiny_plugin.h | 2 +- + kernel/rcutorture.c | 56 +- + kernel/rcutree.c | 72 +- + kernel/rcutree.h | 24 +- + kernel/rcutree_plugin.h | 18 +- + kernel/rcutree_trace.c | 22 +- + kernel/rtmutex-tester.c | 24 +- + kernel/sched/auto_group.c | 4 +- + kernel/sched/core.c | 2 +- + kernel/sched/fair.c | 4 +- + kernel/signal.c | 12 +- + kernel/smp.c | 2 +- + kernel/softirq.c | 16 +- + kernel/srcu.c | 6 +- + kernel/stop_machine.c | 2 +- + kernel/sys.c | 12 +- + kernel/sysctl.c | 37 +- + kernel/sysctl_binary.c | 14 +- + kernel/time/alarmtimer.c | 2 +- + kernel/time/tick-broadcast.c | 2 +- + kernel/time/timer_stats.c | 10 +- + kernel/timer.c | 4 +- + kernel/trace/blktrace.c | 6 +- + kernel/trace/ftrace.c | 20 +- + kernel/trace/ring_buffer.c | 76 +- + kernel/trace/trace.c | 6 +- + kernel/trace/trace_events.c | 25 +- + kernel/trace/trace_mmiotrace.c | 8 +- + kernel/trace/trace_output.c | 12 +- + kernel/trace/trace_stack.c | 2 +- + lib/Makefile | 2 +- + lib/bitmap.c | 8 +- + lib/bug.c | 2 + + lib/debugobjects.c | 2 +- + lib/devres.c | 4 +- + lib/dma-debug.c | 4 +- + lib/inflate.c | 2 +- + lib/ioremap.c | 4 +- + lib/list_debug.c | 89 +- + lib/radix-tree.c | 2 +- + lib/strncpy_from_user.c | 2 +- + lib/strnlen_user.c | 2 +- + lib/vsprintf.c | 12 +- + mm/Kconfig | 6 +- + mm/filemap.c | 2 +- + mm/fremap.c | 5 + + mm/highmem.c | 7 +- + mm/hugetlb.c | 54 + + mm/internal.h | 1 + + mm/maccess.c | 4 +- + mm/madvise.c | 41 + + mm/memory-failure.c | 18 +- + mm/memory.c | 404 ++- + mm/mempolicy.c | 26 + + mm/mlock.c | 16 +- + mm/mmap.c | 573 +++- + mm/mprotect.c | 138 +- + mm/mremap.c | 44 +- + mm/nommu.c | 11 +- + mm/page-writeback.c | 2 +- + mm/page_alloc.c | 14 +- + mm/percpu.c | 2 +- + mm/process_vm_access.c | 14 +- + mm/rmap.c | 38 +- + mm/shmem.c | 19 +- + mm/slab.c | 104 +- + mm/slab.h | 5 +- + mm/slab_common.c | 9 +- + mm/slob.c | 200 +- + mm/slub.c | 98 +- + mm/sparse-vmemmap.c | 4 +- + mm/sparse.c | 2 +- + mm/swap.c | 3 + + mm/swapfile.c | 12 +- + mm/util.c | 6 + + mm/vmalloc.c | 82 +- + mm/vmstat.c | 12 +- + net/8021q/vlan.c | 5 +- + net/9p/trans_fd.c | 2 +- + net/atm/atm_misc.c | 8 +- + net/atm/lec.h | 2 +- + net/atm/proc.c | 6 +- + net/atm/resources.c | 4 +- + net/batman-adv/bat_iv_ogm.c | 8 +- + net/batman-adv/hard-interface.c | 4 +- + net/batman-adv/soft-interface.c | 4 +- + net/batman-adv/types.h | 6 +- + net/batman-adv/unicast.c | 2 +- + net/bluetooth/hci_sock.c | 2 +- + net/bluetooth/l2cap_core.c | 6 +- + net/bluetooth/l2cap_sock.c | 12 +- + net/bluetooth/rfcomm/sock.c | 4 +- + net/bluetooth/rfcomm/tty.c | 10 +- + net/bridge/netfilter/ebtables.c | 6 +- + net/caif/cfctrl.c | 11 +- + net/can/af_can.c | 2 +- + net/can/gw.c | 6 +- + net/compat.c | 34 +- + net/core/datagram.c | 2 +- + net/core/dev.c | 16 +- + net/core/flow.c | 8 +- + net/core/iovec.c | 4 +- + net/core/rtnetlink.c | 2 +- + net/core/scm.c | 8 +- + net/core/sock.c | 24 +- + net/decnet/sysctl_net_decnet.c | 4 +- + net/ipv4/ah4.c | 2 +- + net/ipv4/esp4.c | 2 +- + net/ipv4/fib_frontend.c | 6 +- + net/ipv4/fib_semantics.c | 2 +- + net/ipv4/inetpeer.c | 4 +- + net/ipv4/ip_fragment.c | 2 +- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ipcomp.c | 2 +- + net/ipv4/ipconfig.c | 6 +- + net/ipv4/netfilter/arp_tables.c | 12 +- + net/ipv4/netfilter/ip_tables.c | 12 +- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 14 +- + net/ipv4/route.c | 2 +- + net/ipv4/tcp_input.c | 2 +- + net/ipv4/tcp_probe.c | 2 +- + net/ipv4/udp.c | 10 +- + net/ipv6/addrconf.c | 2 +- + net/ipv6/ip6_gre.c | 2 +- + net/ipv6/ipv6_sockglue.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 12 +- + net/ipv6/raw.c | 19 +- + net/ipv6/udp.c | 8 +- + net/irda/ircomm/ircomm_tty.c | 18 +- + net/iucv/af_iucv.c | 4 +- + net/iucv/iucv.c | 2 +- + net/key/af_key.c | 4 +- + net/mac80211/cfg.c | 4 +- + net/mac80211/ieee80211_i.h | 3 +- + net/mac80211/iface.c | 14 +- + net/mac80211/main.c | 2 +- + net/mac80211/pm.c | 6 +- + net/mac80211/rate.c | 2 +- + net/mac80211/rc80211_pid_debugfs.c | 2 +- + net/mac80211/util.c | 2 +- + net/netfilter/ipvs/ip_vs_conn.c | 6 +- + net/netfilter/ipvs/ip_vs_core.c | 4 +- + net/netfilter/ipvs/ip_vs_ctl.c | 10 +- + net/netfilter/ipvs/ip_vs_sync.c | 6 +- + net/netfilter/ipvs/ip_vs_xmit.c | 4 +- + net/netfilter/nfnetlink_log.c | 4 +- + net/netfilter/xt_statistic.c | 8 +- + net/netlink/af_netlink.c | 4 +- + net/packet/af_packet.c | 12 +- + net/phonet/pep.c | 6 +- + net/phonet/socket.c | 2 +- + net/rds/cong.c | 6 +- + net/rds/ib.h | 2 +- + net/rds/ib_cm.c | 2 +- + net/rds/ib_recv.c | 4 +- + net/rds/iw.h | 2 +- + net/rds/iw_cm.c | 2 +- + net/rds/iw_recv.c | 4 +- + net/rds/tcp.c | 2 +- + net/rds/tcp_send.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/rxrpc/ar-ack.c | 14 +- + net/rxrpc/ar-call.c | 2 +- + net/rxrpc/ar-connection.c | 2 +- + net/rxrpc/ar-connevent.c | 2 +- + net/rxrpc/ar-input.c | 4 +- + net/rxrpc/ar-internal.h | 8 +- + net/rxrpc/ar-local.c | 2 +- + net/rxrpc/ar-output.c | 4 +- + net/rxrpc/ar-peer.c | 2 +- + net/rxrpc/ar-proc.c | 4 +- + net/rxrpc/ar-transport.c | 2 +- + net/rxrpc/rxkad.c | 4 +- + net/sctp/ipv6.c | 2 +- + net/sctp/protocol.c | 8 +- + net/sctp/socket.c | 2 + + net/socket.c | 34 +- + net/sunrpc/sched.c | 4 +- + net/sunrpc/xprtrdma/svc_rdma.c | 38 +- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- + net/tipc/link.c | 6 +- + net/tipc/msg.c | 2 +- + net/tipc/subscr.c | 2 +- + net/wireless/wext-core.c | 19 +- + net/xfrm/xfrm_policy.c | 16 +- + net/xfrm/xfrm_state.c | 4 +- + scripts/Makefile.build | 2 +- + scripts/Makefile.clean | 3 +- + scripts/Makefile.host | 28 +- + scripts/basic/fixdep.c | 12 +- + scripts/gcc-plugin.sh | 17 + + scripts/link-vmlinux.sh | 2 +- + scripts/mod/file2alias.c | 14 +- + scripts/mod/modpost.c | 25 +- + scripts/mod/modpost.h | 6 +- + scripts/mod/sumversion.c | 2 +- + scripts/pnmtologo.c | 6 +- + security/Kconfig | 654 ++++- + security/integrity/ima/ima.h | 4 +- + security/integrity/ima/ima_api.c | 2 +- + security/integrity/ima/ima_fs.c | 4 +- + security/integrity/ima/ima_queue.c | 2 +- + security/keys/compat.c | 2 +- + security/keys/keyctl.c | 8 +- + security/keys/keyring.c | 6 +- + security/security.c | 9 +- + security/selinux/hooks.c | 2 +- + security/selinux/include/xfrm.h | 2 +- + security/smack/smack_lsm.c | 2 +- + security/tomoyo/tomoyo.c | 2 +- + sound/aoa/codecs/onyx.c | 7 +- + sound/aoa/codecs/onyx.h | 1 + + sound/core/oss/pcm_oss.c | 18 +- + sound/core/pcm_compat.c | 2 +- + sound/core/pcm_native.c | 4 +- + sound/core/seq/seq_device.c | 8 +- + sound/drivers/mts64.c | 14 +- + sound/drivers/opl4/opl4_lib.c | 2 +- + sound/drivers/portman2x4.c | 3 +- + sound/firewire/amdtp.c | 4 +- + sound/firewire/amdtp.h | 2 +- + sound/firewire/isight.c | 10 +- + sound/firewire/scs1x.c | 8 +- + sound/oss/sb_audio.c | 2 +- + sound/oss/swarm_cs4297a.c | 6 +- + sound/pci/ymfpci/ymfpci.h | 2 +- + sound/pci/ymfpci/ymfpci_main.c | 12 +- + tools/gcc/.gitignore | 1 + + tools/gcc/Makefile | 43 + + tools/gcc/checker_plugin.c | 171 + + tools/gcc/colorize_plugin.c | 151 + + tools/gcc/constify_plugin.c | 359 +++ + tools/gcc/generate_size_overflow_hash.sh | 94 + + tools/gcc/kallocstat_plugin.c | 170 + + tools/gcc/kernexec_plugin.c | 465 +++ + tools/gcc/latent_entropy_plugin.c | 321 ++ + tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ + tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ + tools/gcc/stackleak_plugin.c | 327 ++ + tools/perf/util/include/asm/alternative-asm.h | 3 + + virt/kvm/kvm_main.c | 32 +- + 1311 files changed, 26668 insertions(+), 6394 deletions(-) +commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b +Merge: 0949bd4 fc53d63 +Author: Brad Spengler +Date: Thu Mar 22 19:03:44 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit fc53d6338964741b368070ec5c935bc579b8c2a6 +Author: Brad Spengler +Date: Thu Mar 22 19:02:45 2012 -0400 + + Update to pax-linux-3.2.12-test33.patch + +commit 0949bd46a6455b308f66ad7c993bfee62412db35 +Author: Brad Spengler +Date: Thu Mar 22 16:56:09 2012 -0400 + + Use current_umask() instead of current->fs->umask + +commit 22f6432d0fe733619cfcb523782ed7d80c46d645 +Author: Brad Spengler +Date: Wed Mar 21 19:42:42 2012 -0400 + + compile fix + +commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef +Author: Brad Spengler +Date: Wed Mar 21 19:34:56 2012 -0400 + + Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain + uses of domains with particular hash collisions + +commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 +Author: Brad Spengler +Date: Tue Mar 20 20:25:49 2012 -0400 + + zero kernel_role + +commit b00953b43c69238d181d21121ef1577c988d5f6b +Author: Brad Spengler +Date: Tue Mar 20 19:29:34 2012 -0400 + + zero real_root after releasing it + +commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 +Merge: b724f59 273f98e +Author: Brad Spengler +Date: Tue Mar 20 19:11:26 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 273f98e58cdac555d3b5dce5c1ca168349f95878 +Author: Brad Spengler +Date: Tue Mar 20 19:10:52 2012 -0400 + + Temporary workaround for (most) size_overflow plugin false-positives + Increase randomization for brk-managed heap to 21 bits + Update to pax-linux-3.2.12-test32.patch + +commit b724f59125304460c2af8bd4b02921993afbb5d3 +Author: Brad Spengler +Date: Tue Mar 20 18:58:53 2012 -0400 + + compile fix + +commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f +Author: Brad Spengler +Date: Tue Mar 20 18:52:23 2012 -0400 + + Require default and kernel role + +commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 +Author: Brad Spengler +Date: Tue Mar 20 18:47:28 2012 -0400 + + Allow policies without special roles + don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) + +commit 402ec3d24d66d38403dc543c84851f5e72d39e22 +Merge: 8e012dc f14661a +Author: Brad Spengler +Date: Mon Mar 19 18:06:59 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/namei.c + +commit f14661aaf202155c97f66626cea0269017bb7775 +Merge: eae671f 058b017 +Author: Brad Spengler +Date: Mon Mar 19 18:05:44 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 +Author: Ryusuke Konishi +Date: Fri Mar 16 17:08:39 2012 -0700 + + nilfs2: fix NULL pointer dereference in nilfs_load_super_block() + + According to the report from Slicky Devil, nilfs caused kernel oops at + nilfs_load_super_block function during mount after he shrank the + partition without resizing the filesystem: + + BUG: unable to handle kernel NULL pointer dereference at 00000048 + IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] + *pde = 00000000 + Oops: 0000 [#1] PREEMPT SMP + ... + Call Trace: + [] init_nilfs+0x4b/0x2e0 [nilfs2] + [] nilfs_mount+0x447/0x5b0 [nilfs2] + [] mount_fs+0x36/0x180 + [] vfs_kern_mount+0x51/0xa0 + [] do_kern_mount+0x3e/0xe0 + [] do_mount+0x169/0x700 + [] sys_mount+0x6b/0xa0 + [] sysenter_do_call+0x12/0x28 + Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 + 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 + 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 + EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc + CR2: 0000000000000048 + + This turned out due to a defect in an error path which runs if the + calculated location of the secondary super block was invalid. + + This patch fixes it and eliminates the reported oops. + + Reported-by: Slicky Devil + Signed-off-by: Ryusuke Konishi + Tested-by: Slicky Devil + Cc: [2.6.30+] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 +Author: Haogang Chen +Date: Fri Mar 16 17:08:38 2012 -0700 + + nilfs2: clamp ns_r_segments_percentage to [1, 99] + + ns_r_segments_percentage is read from the disk. Bogus or malicious + value could cause integer overflow and malfunction due to meaningless + disk usage calculation. This patch reports error when mounting such + bogus volumes. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit e1a90645643f9b0194a5984ec8febd06360d5c8b +Author: Eric Dumazet +Date: Sat Mar 10 09:20:21 2012 +0000 + + tcp: fix syncookie regression + + commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) + added a serious regression on synflood handling. + + Simon Kirby discovered a successful connection was delayed by 20 seconds + before being responsive. + + In my tests, I discovered that xmit frames were lost, and needed ~4 + retransmits and a socket dst rebuild before being really sent. + + In case of syncookie initiated connection, we use a different path to + initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. + + As ip_queue_xmit() now depends on inet flow being setup, fix this by + copying the temp flowi4 we use in cookie_v4_check(). + + Reported-by: Simon Kirby + Bisected-by: Simon Kirby + Signed-off-by: Eric Dumazet + Tested-by: Eric Dumazet + Signed-off-by: David S. Miller + +commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 +Author: Stanislav Kinsbursky +Date: Mon Mar 12 02:59:41 2012 +0000 + + tun: don't hold network namespace by tun sockets + + v3: added previously removed sock_put() to the tun_release() callback, because + sk_release_kernel() doesn't drop the socket reference. + + v2: sk_release_kernel() used for socket release. Dummy tun_release() is + required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() + call. + + TUN was designed to destroy it's socket on network namesapce shutdown. But this + will never happen for persistent device, because it's socket holds network + namespace. + This patch removes of holding network namespace by TUN socket and replaces it + by creating socket in init_net and then changing it's net it to desired one. On + shutdown socket is moved back to init_net prior to final put. + + Signed-off-by: Stanislav Kinsbursky + Signed-off-by: David S. Miller + +commit 46ae7374bd387c58d673a9e58852a9fd31042c5c +Author: Tyler Hicks +Date: Mon Dec 12 10:02:30 2011 -0600 + + vfs: Correctly set the dir i_mutex lockdep class + + 9a7aa12f3911853a introduced additional logic around setting the i_mutex + lockdep class for directory inodes. The idea was that some filesystems + may want their own special lockdep class for different directory + inodes and calling unlock_new_inode() should not clobber one of + those special classes. + + I believe that the added conditional, around the *negated* return value + of lockdep_match_class(), caused directory inodes to be placed in the + wrong lockdep class. + + inode_init_always() sets the i_mutex lockdep class with i_mutex_key for + all inodes. If the filesystem did not change the class during inode + initialization, then the conditional mentioned above was false and the + directory inode was incorrectly left in the non-directory lockdep class. + If the filesystem did set a special lockdep class, then the conditional + mentioned above was true and that class was clobbered with + i_mutex_dir_key. + + This patch removes the negation from the conditional so that the i_mutex + lockdep class is properly set for directory inodes. Special classes are + preserved and directory inodes with unmodified classes are set with + i_mutex_dir_key. + + Signed-off-by: Tyler Hicks + Reviewed-by: Jan Kara + Signed-off-by: Al Viro + +commit 603590b0d2eca61ce26499eac9c563bc567a18c9 +Author: Jan Kara +Date: Mon Feb 20 17:54:00 2012 +0100 + + udf: Fix deadlock in udf_release_file() + + udf_release_file() can be called from munmap() path with mmap_sem held. Thus + we cannot take i_mutex there because that ranks above mmap_sem. Luckily, + i_mutex is not needed in udf_release_file() anymore since protection by + i_data_sem is enough to protect from races with write and truncate. + + Reported-by: Al Viro + Reviewed-by: Namjae Jeon + Signed-off-by: Jan Kara + Signed-off-by: Al Viro + +commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:33 2012 +0100 + + vfs: fix double put after complete_walk() + + complete_walk() already puts nd->path, no need to do it again at cleanup time. + + This would result in Oopses if triggered, apparently the codepath is not too + well exercised. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + +commit 13885ba2b18400f3ef6540497d30f1af896605e5 +Author: Miklos Szeredi +Date: Tue Mar 6 13:56:34 2012 +0100 + + vfs: fix return value from do_last() + + complete_walk() returns either ECHILD or ESTALE. do_last() turns this into + ECHILD unconditionally. If not in RCU mode, this error will reach userspace + which is complete nonsense. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Al Viro + + Conflicts: + + fs/namei.c + +commit f5ab7572c99ffb58953eb1070622307e904c3b7f +Author: Al Viro +Date: Sat Mar 10 17:07:28 2012 -0500 + + restore smp_mb() in unlock_new_inode() + + wait_on_inode() doesn't have ->i_lock + + Signed-off-by: Al Viro + +commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 +Author: David S. Miller +Date: Tue Mar 13 18:19:51 2012 -0700 + + sparc32: Add -Av8 to assembler command line. + + Newer version of binutils are more strict about specifying the + correct options to enable certain classes of instructions. + + The sparc32 build is done for v7 in order to support sun4c systems + which lack hardware integer multiply and divide instructions. + + So we have to pass -Av8 when building the assembler routines that + use these instructions and get patched into the kernel when we find + out that we have a v8 capable cpu. + + Reported-by: Paul Gortmaker + Signed-off-by: David S. Miller + +commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 +Author: Thomas Gleixner +Date: Fri Mar 9 20:55:10 2012 +0100 + + x86: Derandom delay_tsc for 64 bit + + Commit f0fbf0abc093 ("x86: integrate delay functions") converted + delay_tsc() into a random delay generator for 64 bit. The reason is + that it merged the mostly identical versions of delay_32.c and + delay_64.c. Though the subtle difference of the result was: + + static void delay_tsc(unsigned long loops) + { + - unsigned bclock, now; + + unsigned long bclock, now; + + Now the function uses rdtscl() which returns the lower 32bit of the + TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 + bit this fails when the lower 32bit are close to wrap around when + bclock is read, because the following check + + if ((now - bclock) >= loops) + break; + + evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 + because the unsigned long (now - bclock) of these values results in + 0xffffffff00000001 which is definitely larger than the loops + value. That explains Tvortkos observation: + + "Because I am seeing udelay(500) (_occasionally_) being short, and + that by delaying for some duration between 0us (yep) and 491us." + + Make those variables explicitely u32 again, so this works for both 32 + and 64 bit. + + Reported-by: Tvrtko Ursulin + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org # >= 2.6.27 + Signed-off-by: Linus Torvalds + +commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf +Author: Al Viro +Date: Thu Mar 8 17:51:19 2012 +0000 + + aio: fix the "too late munmap()" race + + Current code has put_ioctx() called asynchronously from aio_fput_routine(); + that's done *after* we have killed the request that used to pin ioctx, + so there's nothing to stop io_destroy() waiting in wait_for_all_aios() + from progressing. As the result, we can end up with async call of + put_ioctx() being the last one and possibly happening during exit_mmap() + or elf_core_dump(), neither of which expects stray munmap() being done + to them... + + We do need to prevent _freeing_ ioctx until aio_fput_routine() is done + with that, but that's all we care about - neither io_destroy() nor + exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() + does really_put_req(), so the ioctx teardown won't be done until then + and we don't care about the contents of ioctx past that point. + + Since actual freeing of these suckers is RCU-delayed, we don't need to + bump ioctx refcount when request goes into list for async removal. + All we need is rcu_read_lock held just over the ->ctx_lock-protected + area in aio_fput_routine(). + + Signed-off-by: Al Viro + Reviewed-by: Jeff Moyer + Acked-by: Benjamin LaHaise + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 002124c055afbf09b52226af65621999e8316448 +Author: Al Viro +Date: Wed Mar 7 05:16:35 2012 +0000 + + aio: fix io_setup/io_destroy race + + Have ioctx_alloc() return an extra reference, so that caller would drop it + on success and not bother with re-grabbing it on failure exit. The current + code is obviously broken - io_destroy() from another thread that managed + to guess the address io_setup() would've returned would free ioctx right + under us; gets especially interesting if aio_context_t * we pass to + io_setup() points to PROT_READ mapping, so put_user() fails and we end + up doing io_destroy() on kioctx another thread has just got freed... + + Signed-off-by: Al Viro + Acked-by: Benjamin LaHaise + Reviewed-by: Jeff Moyer + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 +Author: Dan Carpenter +Date: Thu Mar 15 15:17:12 2012 -0700 + + drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode + + strict_strtoul() writes a long but ->gamma_mode only has space to store an + int, so on 64 bit systems we end up scribbling over ->gamma_table_count as + well. I've changed it to use kstrtouint() instead. + + Signed-off-by: Dan Carpenter + Acked-by: Inki Dae + Signed-off-by: Florian Tobias Schandinat + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit cf83f735a5571f4341ee6eab947a1f7d833cea6e +Merge: e4b05b6 eae671f +Author: Brad Spengler +Date: Fri Mar 16 21:04:27 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit eae671fafe93f04685c04a089cc13efebc05d600 +Author: Brad Spengler +Date: Fri Mar 16 20:58:01 2012 -0400 + + Update to pax-linux-3.2.11-test31.patch + Introduction of the size_overflow plugin from Emese Revfy + Many thanks to Emese for her hard work :) + +commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 +Merge: e55aa68 258c015 +Author: Brad Spengler +Date: Thu Mar 15 20:59:19 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea +Author: Brad Spengler +Date: Thu Mar 15 20:59:05 2012 -0400 + + fix ARM compilation + +commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 +Merge: 8f95ea9 55b7573 +Author: Brad Spengler +Date: Wed Mar 14 19:33:41 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca +Author: Brad Spengler +Date: Wed Mar 14 19:33:15 2012 -0400 + + Update to pax-linux-3.2.10-test28.patch + +commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 +Merge: c8786a2 886ac5e +Author: Brad Spengler +Date: Tue Mar 13 17:38:13 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) + +commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 +Author: Brad Spengler +Date: Tue Mar 13 17:37:44 2012 -0400 + + Update to pax-linux-3.2.10-test26.patch + +commit c8786a2abed5e5327f68efa520c04db99bb6a63a +Merge: 219c982 c061fcf +Author: Brad Spengler +Date: Tue Mar 13 17:25:06 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit c061fcfa6b78f3774800821144d8ac2d94d7da3e +Merge: 89373d2 3f4b3b2 +Author: Brad Spengler +Date: Tue Mar 13 17:25:02 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f +Merge: 54e19a3 89373d2 +Author: Brad Spengler +Date: Mon Mar 12 17:23:57 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 +Merge: a778588 7459f11 +Author: Brad Spengler +Date: Mon Mar 12 17:23:49 2012 -0400 + + Merge branch 'linux-3.2.y' into pax-test + +commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 +Merge: c4650f1 a778588 +Author: Brad Spengler +Date: Mon Mar 12 16:51:25 2012 -0400 + + Merge branch 'pax-test' into grsec-test + +commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 +Author: Brad Spengler +Date: Mon Mar 12 16:51:12 2012 -0400 + + Update to pax-linux-3.2.9-test24.patch + +commit c4650f14b13f84735fe3de06a1f3ff5776473eff +Merge: fb2abee 1015790 +Author: Brad Spengler +Date: Sun Mar 11 21:08:28 2012 -0400 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + security/Kconfig + +commit 101579028a736c224e590c7e12a7357018c424e1 +Author: Brad Spengler +Date: Sun Mar 11 21:07:27 2012 -0400 + + Update to pax-linux-3.2.9-test22.patch + +commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 +Author: Brad Spengler +Date: Sun Mar 11 11:02:17 2012 -0400 + + Allow 4096 CPUs + +commit 96bae28cbe6a41d48e3b56e5904814096e956000 +Author: Brad Spengler +Date: Sun Mar 11 10:25:58 2012 -0400 + + Use a per-cpu 48-bit counter instead of a global atomic64 + Initialize each counter to have the cpu number in the lower 16 bits + instead of incrementing the counter each time by 1, perform the increments + above the cpu number so that wrapping/exhausting the counter doesn't corrupt + any state + idea from PaX Team + +commit b975688101da6e966aebb1bc6b8c5c5983974f9c +Author: Brad Spengler +Date: Sat Mar 10 20:33:12 2012 -0500 + + Special vnsec edition! :) + Further reduce argv/env allowance for suid/sgid apps to 512KB + Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) + Clear 3GB personality on suid/sgid binaries + Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) + with the main purpose of throwing off program stack -> arg/env alignment + Update documentation + +commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 +Author: Brad Spengler +Date: Sat Mar 10 19:54:47 2012 -0500 + + Resolve skbuff.h warnings that turn into errors during compilation in + the grsecurity directory with -Werror + +commit 2023210ad43a944033fcacc660ce410888f562ee +Merge: ece4383 5f66adf +Author: Brad Spengler +Date: Fri Mar 9 19:48:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e +Author: Brad Spengler +Date: Fri Mar 9 19:47:06 2012 -0500 + + Add colorize plugin + +commit ece4383e5e91c92d138c4df84225a70b552f4d69 +Merge: a366d0e ab4a5a1 +Author: Brad Spengler +Date: Fri Mar 9 17:56:46 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea +Author: Brad Spengler +Date: Fri Mar 9 17:56:26 2012 -0500 + + Update to pax-linux-3.2.9-test21.patch + +commit a366d0ed963ce93fce10121c1100989d5f064e75 +Author: Mikulas Patocka +Date: Sun Mar 4 19:52:03 2012 -0500 + + mm: fix find_vma_prev + + Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory + management on PA-RISC. + + After application of the patch, programs that allocate big arrays on the + stack crash with segfault, for example, this will crash if compiled + without optimization: + + int main() + { + char array[200000]; + array[199999] = 0; + return 0; + } + + The reason is that PA-RISC has up-growing stack and the stack is usually + the last memory area. In the above example, a page fault happens above + the stack. + + Previously, if we passed too high address to find_vma_prev, it returned + NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" + change, it stores NULL in *pprev. Consequently, the stack area is not + found and it is not expanded, as it used to be before the change. + + This patch restores the old behavior and makes it return the last VMA in + *pprev if the requested address is higher than address of any other VMA. + + Signed-off-by: Mikulas Patocka + Acked-by: KOSAKI Motohiro + Signed-off-by: Linus Torvalds + +commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 +Author: Hugh Dickins +Date: Tue Mar 6 12:28:52 2012 -0800 + + mmap: EINVAL not ENOMEM when rejecting VM_GROWS + + Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP + from shared anonymous: hoist the file case's -EINVAL up for both. + + Signed-off-by: Hugh Dickins + Signed-off-by: Linus Torvalds + +commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c +Author: Al Viro +Date: Mon Mar 5 06:38:42 2012 +0000 + + aout: move setup_arg_pages() prior to reading/mapping the binary + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 +Author: Jan Beulich +Date: Mon Mar 5 16:49:24 2012 +0000 + + vsprintf: make %pV handling compatible with kasprintf() + + kasprintf() (and potentially other functions that I didn't run across so + far) want to evaluate argument lists twice. Caring to do so for the + primary list is obviously their job, but they can't reasonably be + expected to check the format string for instances of %pV, which however + need special handling too: On architectures like x86-64 (as opposed to + e.g. ix86), using the same argument list twice doesn't produce the + expected results, as an internally managed cursor gets updated during + the first run. + + Fix the problem by always acting on a copy of the original list when + handling %pV. + + Signed-off-by: Jan Beulich + Signed-off-by: Linus Torvalds + +commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb +Author: Al Viro +Date: Mon Mar 5 06:39:47 2012 +0000 + + VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs + + Signed-off-by: Al Viro + Signed-off-by: Linus Torvalds + +commit a831bd53764695ea680cc1fa3c98759a610ed2ac +Author: Christian König +Date: Tue Feb 28 23:19:20 2012 +0100 + + drm/radeon: fix uninitialized variable + + Without this fix the driver randomly treats + textures as arrays and I'm really wondering + why gcc isn't complaining about it. + + Signed-off-by: Christian König + Reviewed-by: Jerome Glisse + Signed-off-by: Dave Airlie + +commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc +Author: H. Peter Anvin +Date: Fri Mar 2 10:43:48 2012 -0800 + + regset: Prevent null pointer reference on readonly regsets + + The regset common infrastructure assumed that regsets would always + have .get and .set methods, but not necessarily .active methods. + Unfortunately people have since written regsets without .set methods. + + Rather than putting in stub functions everywhere, handle regsets with + null .get or .set methods explicitly. + + Signed-off-by: H. Peter Anvin + Reviewed-by: Oleg Nesterov + Acked-by: Roland McGrath + Cc: + Signed-off-by: Linus Torvalds + +commit 072ddd99401c79b53c6bf6bff9deb93022124c79 +Author: Brad Spengler +Date: Mon Mar 5 18:12:57 2012 -0500 + + Fix compiler errors reported on forums + +commit 1606774b48af24e6f99d99c624c0e447d4b66474 +Merge: 3127bd5 4ca2ffd +Author: Brad Spengler +Date: Mon Mar 5 17:31:35 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 +Author: Brad Spengler +Date: Mon Mar 5 17:31:21 2012 -0500 + + Update to pax-linux-3.2.9-test20.patch + +commit 3127bd581a292966b1057c7433219dac188c3720 +Author: Brad Spengler +Date: Fri Mar 2 21:30:37 2012 -0500 + + Fix memory leak on logged exec_id check failure in /proc/pid/statm + Thanks to Djalal Harouni for the report + +commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 +Merge: 0a56be8 9aa8288 +Author: Brad Spengler +Date: Fri Mar 2 18:38:22 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c +Author: Brad Spengler +Date: Fri Mar 2 18:37:43 2012 -0500 + + Update to pax-linux-3.2.9-test19.patch + +commit 0a56be884bbd7ce733cac0b879c45383494d73b0 +Merge: 9e66745 3f5c52a +Author: Brad Spengler +Date: Thu Mar 1 20:18:01 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 +Author: Brad Spengler +Date: Thu Mar 1 20:16:56 2012 -0500 + + Update to pax-linux-3.2.9-test18.patch + +commit ae53ec231d12719a36bf871f8c5841020ed692ee +Merge: b255baf 44fb317 +Author: Brad Spengler +Date: Thu Mar 1 20:15:31 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 9e667456c03eadea2f305be761abe4de9a5877a3 +Merge: 5e4e200 b255baf +Author: Brad Spengler +Date: Mon Feb 27 20:53:59 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit b255baf50365d39b406f43aab2c64745607baaa2 +Merge: 340ce90 1de504e +Author: Brad Spengler +Date: Mon Feb 27 20:53:29 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + Update to pax-linux-3.2.8-test17.patch + + Conflicts: + arch/x86/include/asm/i387.h + arch/x86/kernel/process_32.c + arch/x86/kernel/traps.c + +commit 5e4e200ac530452884b625cb75de240e1e98c731 +Merge: 44306d7 340ce90 +Author: Brad Spengler +Date: Mon Feb 27 18:02:13 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec +Author: Brad Spengler +Date: Mon Feb 27 18:01:48 2012 -0500 + + Update to pax-linux-3.2.7-test17.patch + +commit 44306d7b3097f77e73040dd25f4f6750751bae7a +Merge: 29d0b07 521c411 +Author: Brad Spengler +Date: Sun Feb 26 19:04:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + Makefile + +commit 521c411bb4ca66ce01146fde8bac9dd22414076d +Author: Brad Spengler +Date: Sun Feb 26 19:03:33 2012 -0500 + + Update to pax-linux-3.2.7-test16.patch + +commit 29d0b07290bb9a10cdfcc3c30058e16265330dea +Author: Brad Spengler +Date: Sun Feb 26 17:12:44 2012 -0500 + + fix typo + +commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef +Merge: f45b3be caa8f83 +Author: Brad Spengler +Date: Sat Feb 25 20:59:27 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit caa8f83456c4d0b204beefffaa1d1993f2348d08 +Author: Brad Spengler +Date: Sat Feb 25 20:59:12 2012 -0500 + + Update to pax-linux-3.2.7-test15.patch + +commit f45b3be34a345502a302e736af9a65742ddef7cb +Merge: 62f35fd 9f1309b +Author: Brad Spengler +Date: Sat Feb 25 11:40:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 +Author: Brad Spengler +Date: Sat Feb 25 11:39:57 2012 -0500 + + Update to pax-linux-3.2.7-test14.patch + +commit 62f35fdbecc58f2988fe13638d907b87a15776bb +Author: Brad Spengler +Date: Sat Feb 25 09:08:55 2012 -0500 + + We could log on attempted exploits of writing /proc/self/mem, but the current + log function declares the access a read, so just swap the ordering for now + +commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 +Author: Brad Spengler +Date: Sat Feb 25 08:46:14 2012 -0500 + + Log /proc/pid/mem attempts + +commit 674471e581893a94d475acac3e3c4496209b3ac9 +Author: Brad Spengler +Date: Sat Feb 25 08:15:00 2012 -0500 + + Make use of f_version for protecting /proc file structs (fine since we're not a directory + or seq_file) + +commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f +Author: Brad Spengler +Date: Fri Feb 24 20:02:19 2012 -0500 + + Fix ia64 compilation + +commit 50dfea412fd395e0183c2ade368efa525d38b267 +Merge: 12db845 4c6f99b +Author: Brad Spengler +Date: Fri Feb 24 19:00:53 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 4c6f99bf338e03966356b147d0360cb3b522a44f +Author: Brad Spengler +Date: Fri Feb 24 19:00:36 2012 -0500 + + (6:57:09 PM) pipacs: but you can be proactive + (Fix other-arch atomic64/REFCOUNT compilation failures) + +commit 12db8453f6bb0a756f369c9151668ba1249bc478 +Author: Brad Spengler +Date: Thu Feb 23 21:10:12 2012 -0500 + + Remove unnecessary copies, as suggested by solar + +commit cc02cab84368467ea03cb35f861a8a7092d91ab4 +Author: Brad Spengler +Date: Thu Feb 23 20:59:35 2012 -0500 + + Make global_exec_counter static, as suggested by solar + +commit e642091a475ebb3a30e81f85e7751233d0c2af43 +Author: Brad Spengler +Date: Thu Feb 23 19:00:26 2012 -0500 + + sync with stable tree + +commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 +Author: Brad Spengler +Date: Thu Feb 23 18:48:47 2012 -0500 + + Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod + Remove handling of old kludge in chmod/fchmod + +commit 815cb62f2ca7b58efc39778b3a855feb675ab56c +Author: Brad Spengler +Date: Thu Feb 23 18:18:49 2012 -0500 + + Apply umask checks to chmod/fchmod as well, as requested by sponsor + Union the enforced umask with the existing one to produce minimal privilege + Change umask type to u16 + +commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 +Author: Brad Spengler +Date: Wed Feb 22 18:16:11 2012 -0500 + + Add per-role umask enforcement to RBAC, requested by a sponsor + +commit ad5ac943fe58199f1cc475912a39edb157acb77b +Merge: dda0bb5 41722e3 +Author: Brad Spengler +Date: Mon Feb 20 20:04:42 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 41722e342e116d95f3d3556d66c97c888d752d39 +Author: Brad Spengler +Date: Mon Feb 20 20:04:00 2012 -0500 + + Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with + KERNEXEC plugin + +commit dda0bb57137846a476a866c60db2681aaf6052c0 +Merge: 4fd554e d70927a +Author: Brad Spengler +Date: Mon Feb 20 20:01:41 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit d70927afec977d489a54c106a3c3ddc32e953050 +Merge: 1daebf1 9d0231c +Author: Brad Spengler +Date: Mon Feb 20 20:01:33 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 4fd554e3a097b22c5049fcdc423897477deff5ef +Author: Brad Spengler +Date: Mon Feb 20 09:17:57 2012 -0500 + + Fix wrong logic on capability checks for switching roles, broke policies + Thanks to Richard Kojedzinszky for reporting + +commit 12f97d52ac603f24344f8d71569c412a307e9422 +Author: Brad Spengler +Date: Thu Feb 16 21:20:10 2012 -0500 + + sparc64 compile fix + +commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 +Author: Brad Spengler +Date: Thu Feb 16 18:38:32 2012 -0500 + + Update configuration help and name for GRKERNSEC_PROC_MEMMAP + +commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb +Author: Brad Spengler +Date: Thu Feb 16 18:18:01 2012 -0500 + + optimize the check a bit + +commit 03159050f64989be44ae03be769cbed62a7cd2e5 +Author: Brad Spengler +Date: Thu Feb 16 18:00:45 2012 -0500 + + smile VUPEN :D + (limit argv+env to 1MB for suid/sgid binaries) + +commit dd759d8800d225a397e4de49fe729c7d601298d2 +Author: Brad Spengler +Date: Thu Feb 16 17:49:33 2012 -0500 + + Address Space Protection -> Memory Protections (suggested on IRC for consistency) + +commit 4de635bda8ebfb85312e3bf851bdbff93de400da +Author: Brad Spengler +Date: Thu Feb 16 17:45:06 2012 -0500 + + Change the long long type for exec_id to the proper u64 + +commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa +Author: Dan Carpenter +Date: Thu Feb 9 00:46:47 2012 +0000 + + isdn: type bug in isdn_net_header() + + We use len to store the return value from eth_header(). eth_header() + can return -ETH_HLEN (-14). We want to pass this back instead of + truncating it to 65522 and returning that. + + Signed-off-by: Dan Carpenter + Acked-by: Neil Horman + Signed-off-by: David S. Miller + +commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 +Author: Heiko Carstens +Date: Sat Feb 4 10:47:10 2012 +0100 + + exec: fix use-after-free bug in setup_new_exec() + + Setting the task name is done within setup_new_exec() by accessing + bprm->filename. However this happens after flush_old_exec(). + This may result in a use after free bug, flush_old_exec() may + "complete" vfork_done, which will wake up the parent which in turn + may free the passed in filename. + To fix this add a new tcomm field in struct linux_binprm which + contains the now early generated task name until it is used. + + Fixes this bug on s390: + + Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 + Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) + Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) + Call Trace: + ([<0000000000282e2c>] setup_new_exec+0x38/0x374) + [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 + [<0000000000280a42>] search_binary_handler+0x38e/0x5bc + [<0000000000282b6c>] do_execve_common+0x410/0x514 + [<0000000000282cb6>] do_execve+0x46/0x58 + [<00000000005bce58>] kernel_execve+0x28/0x70 + [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 + [<00000000005bc8da>] kernel_thread_starter+0x6/0xc + [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc + Last Breaking-Event-Address: + [<00000000002830f0>] setup_new_exec+0x2fc/0x374 + + Kernel panic - not syncing: Fatal exception: panic_on_oops + + Reported-by: Sebastian Ott + Signed-off-by: Heiko Carstens + Signed-off-by: Linus Torvalds + +commit d758ee9f5230893dabb5aab737b3109684bde196 +Author: Dan Carpenter +Date: Fri Feb 10 09:03:58 2012 +0100 + + relay: prevent integer overflow in relay_open() + + "subbuf_size" and "n_subbufs" come from the user and they need to be + capped to prevent an integer overflow. + + Signed-off-by: Dan Carpenter + Cc: stable@kernel.org + Signed-off-by: Jens Axboe + +commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c +Merge: b1baadf 1daebf1 +Author: Brad Spengler +Date: Mon Feb 13 17:47:04 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/proc/base.c + +commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 +Merge: 1413df2 c2db2e2 +Author: Brad Spengler +Date: Mon Feb 13 17:45:54 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d +Author: Brad Spengler +Date: Sun Feb 12 16:44:05 2012 -0500 + + add missing declaration + +commit 3981059c35e8463002517935c28f3d74b8e3703c +Author: Brad Spengler +Date: Sun Feb 12 16:36:04 2012 -0500 + + Require CAP_SETUID/CAP_SETGID in a subject in order to change roles + in addition to existing checks (this handles the setresuid ruid = euid case) + +commit 0beab03263c773f463412c350ad9064b44b6ede0 +Author: Brad Spengler +Date: Sun Feb 12 16:13:40 2012 -0500 + + Revert setreuid changes when RBAC is enabled, breaks freeradius + I'll fix the learning issue Lavish reported a different way through + gradm modifications + + This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. + +commit 0c61cb1cfbbfec7d07647268c922d51434d22621 +Author: Brad Spengler +Date: Sat Feb 11 14:22:46 2012 -0500 + + copy exec_id on fork + +commit 000c08e0890630086b2ed04084050ed856a7ec31 +Author: Brad Spengler +Date: Fri Feb 10 20:00:36 2012 -0500 + + compile fix + +commit 54b8c8f54484e5ee18040657827158bc4b63bccc +Author: Brad Spengler +Date: Fri Feb 10 19:19:52 2012 -0500 + + Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP + denies reading of sensitive /proc/pid entries where the file descriptor + was opened in a different task than the one performing the read + +commit dd19579049186e2648b9ae5e42af04cfda7ab2dc +Author: Brad Spengler +Date: Fri Feb 10 17:43:24 2012 -0500 + + Remove duplicate signal check + +commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 +Merge: 4eba97e 1413df2 +Author: Brad Spengler +Date: Wed Feb 8 19:24:34 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 +Author: Brad Spengler +Date: Wed Feb 8 19:24:08 2012 -0500 + + Merge changes from pax-linux-3.2.4-test11.patch + +commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 +Merge: 0e058dd 8dd90a2 +Author: Brad Spengler +Date: Mon Feb 6 17:50:12 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 +Author: Brad Spengler +Date: Mon Feb 6 17:49:07 2012 -0500 + + Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free + +commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc +Merge: 7e4169c 6133971 +Author: Brad Spengler +Date: Mon Feb 6 17:48:57 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 +Author: Brad Spengler +Date: Sun Feb 5 19:24:45 2012 -0500 + + We now allow configurations with no PaX markings, giving the system no way to override the defaults + +commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 +Author: Brad Spengler +Date: Sun Feb 5 10:01:23 2012 -0500 + + Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory + +commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 +Author: Brad Spengler +Date: Sat Feb 4 21:01:16 2012 -0500 + + Improve security of ptrace-based monitoring/sandboxing + See: + http://article.gmane.org/gmane.linux.kernel.lsm/15156 + +commit ca4ca5a1027b41f9528794e52a53ce9c47926101 +Author: Brad Spengler +Date: Fri Feb 3 20:42:55 2012 -0500 + + fix typo + +commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 +Author: Brad Spengler +Date: Fri Feb 3 20:25:38 2012 -0500 + + Reported by lavish on IRC: + If a suid/sgid binary did not learn any setuid/setgid call during learning, + we would not any CAP_SETUID/CAP_SETGID capability to the task, nor + any restrictions on uid/gid changes. uid and gid can however be changed + within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to + euid/egid. + + My fix: + POSIX doesn't specify whether unprivileged users can perform the above + setresuid/setresgid as an unprivileged user, though Linux has historically + permitted them. Modify this behavior when RBAC is enabled to require + CAP_SETUID/CAP_SETGID for these operations. + + Thanks to Lavish for the report! + + Conflicts: + + kernel/sys.c + +commit e55be1f30908f1ad4450cb0558cde71ff5c7247f +Merge: ba586eb 7e4169c +Author: Brad Spengler +Date: Fri Feb 3 20:10:21 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e4169c6c880ec9641f1178c88545913c8a21e1f +Author: Brad Spengler +Date: Fri Feb 3 20:10:05 2012 -0500 + + Merge changes from pax-linux-3.2.4-test9.patch + +commit ba586ebbcd0ed781e38a99c580a757a00347c6eb +Author: Christopher Yeoh +Date: Thu Feb 2 11:34:09 2012 +1030 + + Fix race in process_vm_rw_core + + This fixes the race in process_vm_core found by Oleg (see + + http://article.gmane.org/gmane.linux.kernel/1235667/ + + for details). + + This has been updated since I last sent it as the creation of the new + mm_access() function did almost exactly the same thing as parts of the + previous version of this patch did. + + In order to use mm_access() even when /proc isn't enabled, we move it to + kernel/fork.c where other related process mm access functions already + are. + + Signed-off-by: Chris Yeoh + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + mm/process_vm_access.c + +commit b9194d60fb9fe579f5c34817ed822abde18939a0 +Author: Oleg Nesterov +Date: Tue Jan 31 17:15:11 2012 +0100 + + proc: make sure mem_open() doesn't pin the target's memory + + Once /proc/pid/mem is opened, the memory can't be released until + mem_release() even if its owner exits. + + Change mem_open() to do atomic_inc(mm_count) + mmput(), this only + pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) + before access_remote_vm(), this verifies that this mm is still alive. + + I am not sure what should mem_rw() return if atomic_inc_not_zero() + fails. With this patch it returns zero to match the "mm == NULL" case, + may be it should return -EINVAL like it did before e268337d. + + Perhaps it makes sense to add the additional fatal_signal_pending() + check into the main loop, to ensure we do not hold this memory if + the target task was oom-killed. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:38 2012 +0100 + + proc: mem_release() should check mm != NULL + + mem_release() can hit mm == NULL, add the necessary check. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + +commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 +Author: Oleg Nesterov +Date: Tue Jan 31 17:14:54 2012 +0100 + + note: redisabled mem_write + + proc: unify mem_read() and mem_write() + + No functional changes, cleanup and preparation. + + mem_read() and mem_write() are very similar. Move this code into the + new common helper, mem_rw(), which takes the additional "int write" + argument. + + Cc: stable@kernel.org + Signed-off-by: Oleg Nesterov + Signed-off-by: Linus Torvalds + + Conflicts: + + fs/proc/base.c + +commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 +Merge: 3903f01 01fee18 +Author: Brad Spengler +Date: Fri Feb 3 19:50:40 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 01fee1851aef26b898ccba5312cabf1f919b74cb +Author: Brad Spengler +Date: Fri Feb 3 19:49:46 2012 -0500 + + Merge changes from pax-linux-3.2.4-test8.patch + +commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 +Merge: 201c0db 141936c +Author: Brad Spengler +Date: Fri Feb 3 19:49:01 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test + +commit 3903f0172ecadf7a575ba3535402a1506133640a +Author: Brad Spengler +Date: Mon Jan 30 23:26:44 2012 -0500 + + Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT + + We'll whitelist required directories for compatibility instead of requiring + that people disable the feature entirely if they use SELinux, fuse, etc + + Conflicts: + + fs/sysfs/mount.c + +commit e3618feaa7e63807f1b88c199882075b3ec9bd05 +Author: Brad Spengler +Date: Sun Jan 29 01:12:19 2012 -0500 + + perform RBAC check if TPE is on but match fails, matches previous behavior + +commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 +Author: Brad Spengler +Date: Sat Jan 28 13:17:06 2012 -0500 + + log more information about the reason for a TPE denial for novice users, requested by a sponsor + +commit efefd67008cbad8a8591e2484410966a300a39a5 +Author: Brad Spengler +Date: Fri Jan 27 19:58:53 2012 -0500 + + merge upstream sha512 changes + +commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 +Author: Brad Spengler +Date: Fri Jan 27 19:49:07 2012 -0500 + + drop lock on error in xfs_readlink + + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 + +commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a +Author: Li Wang +Date: Thu Jan 19 09:44:36 2012 +0800 + + eCryptfs: Infinite loop due to overflow in ecryptfs_write() + + ecryptfs_write() can enter an infinite loop when truncating a file to a + size larger than 4G. This only happens on architectures where size_t is + represented by 32 bits. + + This was caused by a size_t overflow due to it incorrectly being used to + store the result of a calculation which uses potentially large values of + type loff_t. + + [tyhicks@canonical.com: rewrite subject and commit message] + Signed-off-by: Li Wang + Signed-off-by: Yunchuan Wen + Reviewed-by: Cong Wang + Cc: + Signed-off-by: Tyler Hicks + +commit a7607747d0f74f357d78bb796d70635dd05f46e8 +Author: Tyler Hicks +Date: Thu Jan 19 20:33:44 2012 -0600 + + eCryptfs: Check inode changes in setattr + + Most filesystems call inode_change_ok() very early in ->setattr(), but + eCryptfs didn't call it at all. It allowed the lower filesystem to make + the call in its ->setattr() function. Then, eCryptfs would copy the + appropriate inode attributes from the lower inode to the eCryptfs inode. + + This patch changes that and actually calls inode_change_ok() on the + eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call + would happen earlier in ecryptfs_setattr(), but there are some possible + inode initialization steps that must happen first. + + Since the call was already being made on the lower inode, the change in + functionality should be minimal, except for the case of a file extending + truncate call. In that case, inode_newsize_ok() was never being + called on the eCryptfs inode. Rather than inode_newsize_ok() catching + maximum file size errors early on, eCryptfs would encrypt zeroed pages + and write them to the lower filesystem until the lower filesystem's + write path caught the error in generic_write_checks(). This patch + introduces a new function, called ecryptfs_inode_newsize_ok(), which + checks if the new lower file size is within the appropriate limits when + the truncate operation will be growing the lower file. + + In summary this change prevents eCryptfs truncate operations (and the + resulting page encryptions), which would exceed the lower filesystem + limits or FSIZE rlimits, from ever starting. + + Signed-off-by: Tyler Hicks + Reviewed-by: Li Wang + Cc: + +commit 0d96f190a39505254ace4e9330219aaeda9b64e3 +Author: Tyler Hicks +Date: Wed Jan 18 18:30:04 2012 -0600 + + eCryptfs: Make truncate path killable + + ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a + page, zeroes out the appropriate portions, and then encrypts the page + before writing it to the lower filesystem. It was unkillable and due to + the lack of sparse file support could result in tying up a large portion + of system resources, while encrypting pages of zeros, with no way for + the truncate operation to be stopped from userspace. + + This patch adds the ability for ecryptfs_write() to detect a pending + fatal signal and return as gracefully as possible. The intent is to + leave the lower file in a useable state, while still allowing a user to + break out of the encryption loop. If a pending fatal signal is detected, + the eCryptfs inode size is updated to reflect the modified inode size + and then -EINTR is returned. + + Signed-off-by: Tyler Hicks + Cc: + +commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f +Author: Tyler Hicks +Date: Tue Jan 24 10:02:22 2012 -0600 + + eCryptfs: Fix oops when printing debug info in extent crypto functions + + If pages passed to the eCryptfs extent-based crypto functions are not + mapped and the module parameter ecryptfs_verbosity=1 was specified at + loading time, a NULL pointer dereference will occur. + + Note that this wouldn't happen on a production system, as you wouldn't + pass ecryptfs_verbosity=1 on a production system. It leaks private + information to the system logs and is for debugging only. + + The debugging info printed in these messages is no longer very useful + and rather than doing a kmap() in these debugging paths, it will be + better to simply remove the debugging paths completely. + + https://launchpad.net/bugs/913651 + + Signed-off-by: Tyler Hicks + Reported-by: Daniel DeFreez + Cc: + +commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c +Author: Tyler Hicks +Date: Thu Jan 12 11:30:44 2012 +0100 + + eCryptfs: Sanitize write counts of /dev/ecryptfs + + A malicious count value specified when writing to /dev/ecryptfs may + result in a a very large kernel memory allocation. + + This patch peeks at the specified packet payload size, adds that to the + size of the packet headers and compares the result with the write count + value. The resulting maximum memory allocation size is approximately 532 + bytes. + + Signed-off-by: Tyler Hicks + Reported-by: Sasha Levin + Cc: + +commit 96dcb7282d323813181a1791f51c0ab7696b675b +Merge: 6c09fa5 201c0db +Author: Brad Spengler +Date: Fri Jan 27 19:44:15 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 201c0dbf177527367676028151e36d340923f033 +Author: Brad Spengler +Date: Fri Jan 27 19:43:24 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors + on loading modules with empty sections + +commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b +Author: Brad Spengler +Date: Fri Jan 27 19:42:13 2012 -0500 + + compile fix + +commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 +Author: Brad Spengler +Date: Fri Jan 27 19:39:28 2012 -0500 + + use LSM flags instead of duplicating checks + +commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 +Merge: 44b9f11 558718b +Author: Brad Spengler +Date: Fri Jan 27 18:56:23 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 558718b2217beff69edf60f34a6f9893d910e9ac +Author: Brad Spengler +Date: Fri Jan 27 18:56:04 2012 -0500 + + Merge changes from pax-linux-3.2.2-test6.patch + +commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 +Author: Brad Spengler +Date: Fri Jan 27 18:53:55 2012 -0500 + + don't increase the size of task_struct when unnecessary + change ptrace_readexec log message + +commit a9c9626e054adb885883aa64f85506852894dd33 +Author: Brad Spengler +Date: Fri Jan 27 18:16:28 2012 -0500 + + Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- + the protection applies to all unreadable binaries. + +commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f +Merge: 7b3f3af 05a1349 +Author: Brad Spengler +Date: Wed Jan 25 20:52:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + block/scsi_ioctl.c + drivers/scsi/sd.c + fs/proc/base.c + +commit 05a134966efb9cb9346ad3422888969ffc79ac1d +Author: Brad Spengler +Date: Wed Jan 25 20:47:36 2012 -0500 + + Resync with pax-linux-3.2.2-test5.patch + +commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a +Merge: c6d443d 3499d64 +Author: Brad Spengler +Date: Wed Jan 25 20:45:16 2012 -0500 + + Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) + + Conflicts: + ipc/shm.c + +commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 +Author: Brad Spengler +Date: Tue Jan 24 19:42:01 2012 -0500 + + Add two new features, one is automatic by enabling CONFIG_GRKERNSEC + (may be changed if it breaks some userland), the other has its own + config option + + First feature requires CAP_SYS_ADMIN to write to any sysctl entry via + the syscall or /proc/sys. + + Second feature requires read access to a suid/sgid binary in order + to ptrace it, preventing infoleaking of binaries in situations where + the admin has specified 4711 or 2711 perms. Feature has been + given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and + a sysctl entry of ptrace_readexec + +commit 11a7bb25c411c9dccfdca5718639b4becdffd388 +Author: Brad Spengler +Date: Sun Jan 22 14:37:10 2012 -0500 + + Compilation fixes + +commit cd400e21c7c352baba47d6f375297a7847afb33a +Author: Brad Spengler +Date: Sun Jan 22 14:20:27 2012 -0500 + + Initial port of grsecurity 2.2.2 for Linux 3.2.1 + Note that the new syscalls added to this kernel for remote process read/write + are subject to ptrace hardening/other relevant RBAC features + /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default + as well + pax_track_stack has been removed from support for this kernel -- if you're running this kernel + you should be using a version of gcc with plugin support + +commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f +Author: Brad Spengler +Date: Sun Jan 22 11:47:31 2012 -0500 + + Import pax-linux-3.2.1-test5.patch +commit bfd7db842f835f9837cd43644459b3a95b0b488d +Author: Brad Spengler +Date: Sun Jan 22 11:02:02 2012 -0500 + + Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) + instead of returning -EACCES + thanks to Wraith from irc for the report + +commit 873ac13576506cd48ddb527c2540f274e249da50 +Merge: 34083dd 8a44fcc +Author: Brad Spengler +Date: Fri Jan 20 18:04:02 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 +Author: Brad Spengler +Date: Fri Jan 20 18:02:15 2012 -0500 + + Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch + Denies executable shared memory when MPROTECT is active + Fixes ia32 emulation crash on 64bit host introduced in a recent patch + +commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b +Author: Brad Spengler +Date: Thu Jan 19 20:23:14 2012 -0500 + + Introduce new GRKERNSEC_SETXID implementation + We're not able to change the credentials of other threads in the process until at most + one syscall after the first thread does it, since we mark the threads as needing rescheduling + and such work occurs on syscall exit. + This does however ensure that we're only modifying the current task's credentials + which upholds RCU expectations + + Many thanks to corsac for testing + +commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 +Author: Brad Spengler +Date: Thu Jan 19 17:42:48 2012 -0500 + + Simplify backport + +commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 +Author: Brad Spengler +Date: Thu Jan 19 17:08:16 2012 -0500 + + Commit the latest silent fix for a local privilege escalation from Linus + Also disable writing to /proc/pid/mem + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc + +commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c +Merge: 0394a3f 7e6299b +Author: Brad Spengler +Date: Wed Jan 18 20:22:09 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7e6299b4733c082dde930375dd207b63237751ec +Merge: 83555fb 9bb1282 +Author: Brad Spengler +Date: Wed Jan 18 20:21:37 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 +Author: Jesper Juhl +Date: Sun Jan 8 22:44:29 2012 +0100 + + audit: always follow va_copy() with va_end() + + A call to va_copy() should always be followed by a call to va_end() in + the same function. In kernel/autit.c::audit_log_vformat() this is not + always done. This patch makes sure va_end() is always called. + + Signed-off-by: Jesper Juhl + Cc: Al Viro + Cc: Eric Paris + Cc: Andrew Morton + Signed-off-by: Linus Torvalds + +commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 +Author: Andi Kleen +Date: Thu Jan 12 17:20:30 2012 -0800 + + panic: don't print redundant backtraces on oops + + When an oops causes a panic and panic prints another backtrace it's pretty + common to have the original oops data be scrolled away on a 80x50 screen. + + The second backtrace is quite redundant and not needed anyways. + + So don't print the panic backtrace when oops_in_progress is true. + + [akpm@linux-foundation.org: add comment] + Signed-off-by: Andi Kleen + Cc: Michael Holzheu + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f +Author: Miklos Szeredi +Date: Thu Jan 12 17:59:46 2012 +0100 + + fsnotify: don't BUG in fsnotify_destroy_mark() + + Removing the parent of a watched file results in "kernel BUG at + fs/notify/mark.c:139". + + To reproduce + + add "-w /tmp/audit/dir/watched_file" to audit.rules + rm -rf /tmp/audit/dir + + This is caused by fsnotify_destroy_mark() being called without an + extra reference taken by the caller. + + Reported by Francesco Cosoleto here: + + https://bugzilla.novell.com/show_bug.cgi?id=689860 + + Fix by removing the BUG_ON and adding a comment about not accessing mark after + the iput. + + Signed-off-by: Miklos Szeredi + CC: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + +commit 1a90cff66ed00cd57bf00a990d13e95060fa362c +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:28 2012 +0100 + + block: fail SCSI passthrough ioctls on partition devices + + Linux allows executing the SG_IO ioctl on a partition or LVM volume, and + will pass the command to the underlying block device. This is + well-known, but it is also a large security problem when (via Unix + permissions, ACLs, SELinux or a combination thereof) a program or user + needs to be granted access only to part of the disk. + + This patch lets partitions forward a small set of harmless ioctls; + others are logged with printk so that we can see which ioctls are + actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. + Of course it was being sent to a (partition on a) hard disk, so it would + have failed with ENOTTY and the patch isn't changing anything in + practice. Still, I'm treating it specially to avoid spamming the logs. + + In principle, this restriction should include programs running with + CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and + /dev/sdb, it still should not be able to read/write outside the + boundaries of /dev/sda2 independent of the capabilities. However, for + now programs with CAP_SYS_RAWIO will still be allowed to send the + ioctls. Their actions will still be logged. + + This patch does not affect the non-libata IDE driver. That driver + however already tests for bd != bd->bd_contains before issuing some + ioctl; it could be restricted further to forbid these ioctls even for + programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + [ Make it also print the command name when warning - Linus ] + Signed-off-by: Linus Torvalds + +commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 +Author: Paolo Bonzini +Date: Thu Jan 12 16:01:27 2012 +0100 + + block: add and use scsi_blk_cmd_ioctl + + Introduce a wrapper around scsi_cmd_ioctl that takes a block device. + + The function will then be enhanced to detect partition block devices + and, in that case, subject the ioctls to whitelisting. + + Cc: linux-scsi@vger.kernel.org + Cc: Jens Axboe + Cc: James Bottomley + Signed-off-by: Paolo Bonzini + Signed-off-by: Linus Torvalds + +commit 97a79814903fc350e1d13704ea31528a42705401 +Author: Kees Cook +Date: Sat Jan 7 10:41:04 2012 -0800 + + audit: treat s_id as an untrusted string + + The use of s_id should go through the untrusted string path, just to be + extra careful. + + Signed-off-by: Kees Cook + Acked-by: Mimi Zohar + Signed-off-by: Eric Paris + +commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 +Author: Xi Wang +Date: Tue Dec 20 18:39:41 2011 -0500 + + audit: fix signedness bug in audit_log_execve_info() + + In the loop, a size_t "len" is used to hold the return value of + audit_log_single_execve_arg(), which returns -1 on error. In that + case the error handling (len <= 0) will be bypassed since "len" is + unsigned, and the loop continues with (p += len) being wrapped. + Change the type of "len" to signed int to fix the error handling. + + size_t len; + ... + for (...) { + len = audit_log_single_execve_arg(...); + if (len <= 0) + break; + p += len; + } + + Signed-off-by: Xi Wang + Signed-off-by: Eric Paris + +commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 +Author: Dan Carpenter +Date: Tue Jan 17 03:28:51 2012 -0300 + + [media] ds3000: using logical && instead of bitwise & + + The intent here was to test if the FE_HAS_LOCK was set. The current + test is equivalent to "if (status) { ..." + + Signed-off-by: Dan Carpenter + Signed-off-by: Mauro Carvalho Chehab + +commit 36522330dc59d2fc70c042f3f081d75c32b6259a +Author: Brad Spengler +Date: Mon Jan 16 13:10:38 2012 -0500 + + Ignore the 0 signal for protected task RBAC checks + +commit d513acd55f7a683f6e146a4f570cdb63300479ab +Author: Brad Spengler +Date: Mon Jan 16 11:56:13 2012 -0500 + + whitespace cleanup + +commit ced261c4b82818c700aff8487f647f6f3e5b5122 +Merge: d48751f 83555fb +Author: Brad Spengler +Date: Fri Jan 13 20:12:54 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 +Merge: fcd8129 93dad39 +Author: Brad Spengler +Date: Fri Jan 13 20:12:43 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit d48751f3919ae855fda0ff6c149db82442329253 +Author: Brad Spengler +Date: Wed Jan 11 19:05:47 2012 -0500 + + Call our own set_user when forcing change to new id + +commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 +Merge: e6578ff fcd8129 +Author: Brad Spengler +Date: Tue Jan 10 16:00:10 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f +Author: Brad Spengler +Date: Tue Jan 10 15:58:43 2012 -0500 + + Merge changes from pax-linux-3.1.8-test23.patch + +commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 +Merge: 8859ec3 a120549 +Author: Brad Spengler +Date: Fri Jan 6 21:45:56 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit a12054967a77090de1caa07c41e694a77db4e237 +Author: Brad Spengler +Date: Fri Jan 6 21:45:30 2012 -0500 + + Merge changes from pax-linux-3.1.8-test22.patch + +commit 8859ec32f9815c274df65448f9f2960176c380d3 +Merge: a5016b4 ddd4114 +Author: Brad Spengler +Date: Fri Jan 6 21:26:08 2012 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/binfmt_elf.c + security/Kconfig + +commit ddd41147e158a79704983a409b7433eba797cf66 +Author: Brad Spengler +Date: Fri Jan 6 21:12:42 2012 -0500 + + Resync with PaX patch (whitespace difference) + +commit 29e569df8205c5f0e043fe4803aa984406c8b118 +Author: Brad Spengler +Date: Fri Jan 6 21:09:47 2012 -0500 + + Merge changes from pax-linux-3.1.8-test21.patch + +commit a5016b4f9c09c337b17e063a7f369af1e86d944d +Merge: 0124c92 04231d5 +Author: Brad Spengler +Date: Fri Jan 6 18:52:20 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 +Merge: 7bdddeb a919904 +Author: Brad Spengler +Date: Fri Jan 6 18:51:50 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + include/net/flow.h + +commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 +Author: Brad Spengler +Date: Fri Jan 6 18:33:05 2012 -0500 + + Make GRKERNSEC_SETXID option compatible with credential debugging + +commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe +Author: KOSAKI Motohiro +Date: Wed Dec 28 15:57:11 2011 -0800 + + mm/mempolicy.c: refix mbind_range() vma issue + + commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the + slightly incorrect fix. + + Why? Think following case. + + 1. map 4 pages of a file at offset 0 + + [0123] + + 2. map 2 pages just after the first mapping of the same file but with + page offset 2 + + [0123][23] + + 3. mbind() 2 pages from the first mapping at offset 2. + mbind_range() should treat new vma is, + + [0123][23] + |23| + mbind vma + + but it does + + [0123][23] + |01| + mbind vma + + Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). + + This patch fixes it. + + [testcase] + test result - before the patch + + case4: 126: test failed. expect '2,4', actual '2,2,2' + case5: passed + case6: passed + case7: passed + case8: passed + case_n: 246: test failed. expect '4,2', actual '1,4' + + ------------[ cut here ]------------ + kernel BUG at mm/filemap.c:135! + invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC + + (snip long bug on messages) + + test result - after the patch + + case4: passed + case5: passed + case6: passed + case7: passed + case8: passed + case_n: passed + + source: mbind_vma_test.c + ============================================================ + #include + #include + #include + #include + #include + #include + #include + + static unsigned long pagesize; + void* mmap_addr; + struct bitmask *nmask; + char buf[1024]; + FILE *file; + char retbuf[10240] = ""; + int mapped_fd; + + char *rubysrc = "ruby -e '\ + pid = %d; \ + vstart = 0x%llx; \ + vend = 0x%llx; \ + s = `pmap -q #{pid}`; \ + rary = []; \ + s.each_line {|line|; \ + ary=line.split(\" \"); \ + addr = ary[0].to_i(16); \ + if(vstart <= addr && addr < vend) then \ + rary.push(ary[1].to_i()/4); \ + end; \ + }; \ + print rary.join(\",\"); \ + '"; + + void init(void) + { + void* addr; + char buf[128]; + + nmask = numa_allocate_nodemask(); + numa_bitmask_setbit(nmask, 0); + + pagesize = getpagesize(); + + sprintf(buf, "%s", "mbind_vma_XXXXXX"); + mapped_fd = mkstemp(buf); + if (mapped_fd == -1) + perror("mkstemp "), exit(1); + unlink(buf); + + if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) + perror("lseek "), exit(1); + if (write(mapped_fd, "\0", 1) < 0) + perror("write "), exit(1); + + addr = mmap(NULL, pagesize*8, PROT_NONE, + MAP_SHARED, mapped_fd, 0); + if (addr == MAP_FAILED) + perror("mmap "), exit(1); + + if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) + perror("mprotect "), exit(1); + + mmap_addr = addr + pagesize; + + /* make page populate */ + memset(mmap_addr, 0, pagesize*6); + } + + void fin(void) + { + void* addr = mmap_addr - pagesize; + munmap(addr, pagesize*8); + + memset(buf, 0, sizeof(buf)); + memset(retbuf, 0, sizeof(retbuf)); + } + + void mem_bind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_BIND, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_interleave(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); + if (err) + perror("mbind "), exit(err); + } + + void mem_unbind(int index, int len) + { + int err; + + err = mbind(mmap_addr+pagesize*index, pagesize*len, + MPOL_DEFAULT, NULL, 0, 0); + if (err) + perror("mbind "), exit(err); + } + + void Assert(char *expected, char *value, char *name, int line) + { + if (strcmp(expected, value) == 0) { + fprintf(stderr, "%s: passed\n", name); + return; + } + else { + fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", + name, line, + expected, value); + // exit(1); + } + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPNNNNNNNNNN + case 4 below + */ + void case4(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 4); + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case4", __LINE__); + + fin(); + } + + /* + AAAA + PPPPPPNNNNNN + might become + PPPPPPPPPPNN + case 5 below + */ + void case5(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case5", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPPPPP 6 + */ + void case6(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_bind(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("6", retbuf, "case6", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPPPPPXXXX 7 + */ + void case7(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_bind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case7", __LINE__); + + fin(); + } + + /* + AAAA + PPPPNNNNXXXX + might become + PPPPNNNNNNNN 8 + */ + void case8(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + mem_bind(0, 2); + mem_interleave(4, 2); + mem_interleave(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("2,4", retbuf, "case8", __LINE__); + + fin(); + } + + void case_n(void) + { + init(); + sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); + + /* make redundunt mappings [0][1234][34][7] */ + mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, + MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); + + /* Expect to do nothing. */ + mem_unbind(2, 2); + + file = popen(buf, "r"); + fread(retbuf, sizeof(retbuf), 1, file); + Assert("4,2", retbuf, "case_n", __LINE__); + + fin(); + } + + int main(int argc, char** argv) + { + case4(); + case5(); + case6(); + case7(); + case8(); + case_n(); + + return 0; + } + ============================================================= + + Signed-off-by: KOSAKI Motohiro + Acked-by: Johannes Weiner + Cc: Minchan Kim + Cc: Caspar Zhang + Cc: KOSAKI Motohiro + Cc: Christoph Lameter + Cc: Hugh Dickins + Cc: Mel Gorman + Cc: Lee Schermerhorn + Cc: [3.1.x] + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit f3a1082005781777086df235049f8c0b7efe524e +Author: Wei Yongjun +Date: Tue Dec 27 22:32:41 2011 -0500 + + packet: fix possible dev refcnt leak when bind fail + + If bind is fail when bind is called after set PACKET_FANOUT + sock option, the dev refcnt will leak. + + Signed-off-by: Wei Yongjun + Signed-off-by: David S. Miller + +commit 915f8b08dac68839dc7204ee81cf9852fda16d24 +Author: Haogang Chen +Date: Mon Dec 19 17:11:56 2011 -0800 + + nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() + + There is a potential integer overflow in nilfs_ioctl_clean_segments(). + When a large argv[n].v_nmembs is passed from the userspace, the subsequent + call to vmalloc() will allocate a buffer smaller than expected, which + leads to out-of-bound access in nilfs_ioctl_move_blocks() and + lfs_clean_segments(). + + The following check does not prevent the overflow because nsegs is also + controlled by the userspace and could be very large. + + if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) + goto out_free; + + This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and + returns -EINVAL when overflow. + + Signed-off-by: Haogang Chen + Signed-off-by: Ryusuke Konishi + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 +Author: Kautuk Consul +Date: Mon Dec 19 17:12:04 2011 -0800 + + mm/vmalloc.c: remove static declaration of va from __get_vm_area_node + + Static storage is not required for the struct vmap_area in + __get_vm_area_node. + + Removing "static" to store this variable on the stack instead. + + Signed-off-by: Kautuk Consul + Acked-by: David Rientjes + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 +Author: Michel Lespinasse +Date: Mon Dec 19 17:12:06 2011 -0800 + + binary_sysctl(): fix memory leak + + binary_sysctl() calls sysctl_getname() which allocates from names_cache + slab usin __getname() + + The matching function to free the name is __putname(), and not putname() + which should be used only to match getname() allocations. + + This is because when auditing is enabled, putname() calls audit_putname + *instead* (not in addition) to __putname(). Then, if a syscall is in + progress, audit_putname does not release the name - instead, it expects + the name to get released when the syscall completes, but that will happen + only if audit_getname() was called previously, i.e. if the name was + allocated with getname() rather than the naked __getname(). So, + __getname() followed by putname() ends up leaking memory. + + Signed-off-by: Michel Lespinasse + Acked-by: Al Viro + Cc: Christoph Hellwig + Cc: Eric Paris + Cc: + Signed-off-by: Andrew Morton + Signed-off-by: Linus Torvalds + +commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 +Author: Sean Hefty +Date: Tue Dec 6 21:17:11 2011 +0000 + + RDMA/cma: Verify private data length + + private_data_len is defined as a u8. If the user specifies a large + private_data size (> 220 bytes), we will calculate a total length that + exceeds 255, resulting in private_data_len wrapping back to 0. This + can lead to overwriting random kernel memory. Avoid this by verifying + that the resulting size fits into a u8. + + Reported-by: B. Thery + Addresses: + Signed-off-by: Sean Hefty + Signed-off-by: Roland Dreier + +commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 +Author: Xi Wang +Date: Sun Dec 11 23:40:56 2011 -0800 + + Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() + + The error check (intr_status < 0) didn't work because intr_status is + a u8. Change its type to signed int. + + Signed-off-by: Xi Wang + Signed-off-by: Dmitry Torokhov + +commit e27f34e383d7863b2528a63b81b23db09781f6b6 +Author: Xi Wang +Date: Fri Dec 16 12:44:15 2011 +0000 + + sctp: fix incorrect overflow check on autoclose + + Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for + limiting the autoclose value. If userspace passes in -1 on 32-bit + platform, the overflow check didn't work and autoclose would be set + to 0xffffffff. + + This patch defines a max_autoclose (in seconds) for limiting the value + and exposes it through sysctl, with the following intentions. + + 1) Avoid overflowing autoclose * HZ. + + 2) Keep the default autoclose bound consistent across 32- and 64-bit + platforms (INT_MAX / HZ in this patch). + + 3) Keep the autoclose value consistent between setsockopt() and + getsockopt() calls. + + Suggested-by: Vlad Yasevich + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 +Author: Xi Wang +Date: Wed Dec 21 05:18:33 2011 -0500 + + vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() + + Commit e133e737 didn't correctly fix the integer overflow issue. + + - unsigned int required_size; + + u64 required_size; + ... + required_size = mode_cmd->pitch * mode_cmd->height; + - if (unlikely(required_size > dev_priv->vram_size)) { + + if (unlikely(required_size > (u64) dev_priv->vram_size)) { + + Note that both pitch and height are u32. Their product is still u32 and + would overflow before being assigned to required_size. A correct way is + to convert pitch and height to u64 before the multiplication. + + required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; + + This patch calls the existing vmw_kms_validate_mode_vram() for + validation. + + Signed-off-by: Xi Wang + Reviewed-and-tested-by: Thomas Hellstrom + Signed-off-by: Dave Airlie + + Conflicts: + + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c + +commit eb8f0bd01fb994c9abc77dc84729794cd841753d +Author: Xi Wang +Date: Thu Dec 22 13:35:22 2011 +0000 + + rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() + + Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will + cause a kernel oops due to insufficient bounds checking. + + if (count > 1<<30) { + /* Enforce a limit to prevent overflow */ + return -EINVAL; + } + count = roundup_pow_of_two(count); + table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); + + Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: + + ... + (count * sizeof(struct rps_dev_flow)) + + where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow + 32 bits. + + This patch replaces the magic number (1 << 30) with a symbolic bound. + + Suggested-by: Eric Dumazet + Signed-off-by: Xi Wang + Signed-off-by: David S. Miller + +commit 648188958672024b616c42c1f6c98c8cfc85619d +Author: Xi Wang +Date: Fri Dec 30 10:40:17 2011 -0500 + + netfilter: ctnetlink: fix timeout calculation + + The sanity check (timeout < 0) never works; the dividend is unsigned + and so is the division, which should have been a signed division. + + long timeout = (ct->timeout.expires - jiffies) / HZ; + if (timeout < 0) + timeout = 0; + + This patch converts the time values to signed for the division. + + Signed-off-by: Xi Wang + Signed-off-by: Pablo Neira Ayuso + +commit ab03a0973cee73f88655ff4981812ad316a6cd59 +Merge: 76f82df 7bdddeb +Author: Brad Spengler +Date: Tue Jan 3 17:42:50 2012 -0500 + + Merge branch 'pax-test' into grsec-test + +commit 7bdddebd9d274a344a1c57a561152160c9e9a32a +Merge: 3e59cb5 55cc81a +Author: Brad Spengler +Date: Tue Jan 3 17:42:36 2012 -0500 + + Merge branch 'linux-3.1.y' into pax-test + +commit 76f82df18ba181687f454426fa9ced7a92b2ac1f +Author: Brad Spengler +Date: Thu Dec 22 20:15:02 2011 -0500 + + Only further restrict futex targeting another process -- our modified + permission check also happened to allow a case where a process retaining + uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid + being non-zero (reported on forums by ben_w) + +commit 6b235a4450a5fea41663ec35fa0608988b6078c6 +Merge: 97c16f0 3e59cb5 +Author: Brad Spengler +Date: Thu Dec 22 19:11:06 2011 -0500 + + Merge branch 'pax-test' into grsec-test + + Conflicts: + fs/hfs/btree.c + +commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 +Merge: 285eb4e c26f60b +Author: Brad Spengler +Date: Thu Dec 22 19:09:57 2011 -0500 + + Merge branch 'linux-3.1.y' into pax-test + + Conflicts: + arch/x86/kernel/process.c + +commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 +Author: Brad Spengler +Date: Mon Dec 19 21:54:01 2011 -0500 + + Add new option: "Enforce consistent multithreaded privileges" + +commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb +Author: Brad Spengler +Date: Wed Dec 7 19:58:31 2011 -0500 + + Remove harmless duplicate code -- exec_file would be null already so the + second check would never pass. + +commit 4e3304e94aa72737810bc50169519af157dce4ce +Author: Brad Spengler +Date: Wed Dec 7 19:50:39 2011 -0500 + + Revert back to (possibly?) undocumented /proc/pid behavior that gdb + depended on for attaching to a thread. Entries exist in /proc for + threads, but are not visible in a readdir. + +commit 1bd899335f23815cfe8deac44c6b346398f3b95e +Author: Brad Spengler +Date: Sun Dec 4 18:03:28 2011 -0500 + + Put the already-walked path if in RCU-walk mode + +commit ec7ae36b7159f10649709779443a988662965d66 +Author: Brad Spengler +Date: Sun Dec 4 17:35:21 2011 -0500 + + Fix memory leak introduced by recent (unpublished) commit + 75ab998b94a29d464518d6d501bdde3fbfcbfa14 + +commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 +Author: Brad Spengler +Date: Sun Dec 4 13:56:10 2011 -0500 + + Explicitly check size copied to userland in override_release to silence gcc + +commit c30a85d0fff67e0724e726febb934c0b6fa01c6c +Author: Brad Spengler +Date: Sun Dec 4 13:54:02 2011 -0500 + + Initialize variable to silence erroneous gcc warning + +commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 +Author: Brad Spengler +Date: Sun Dec 4 13:47:47 2011 -0500 + + Future-proof other potential RCU-aware locations where we can log. + +commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 +Author: Brad Spengler +Date: Sun Dec 4 13:02:54 2011 -0500 + + Fix freeze reported by 'vs' on the forums. Bug occurred due to + MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used + in generic_permission() was in the task's effective set but disallowed by + RBAC, would block when acquiring locks resulting in the freeze. + + Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged + as being required when CAP_DAC_OVERRIDE is present (consistent with + older patches). + +commit ab694e5eccfbc369baa593ebc1269d1908cf16dc +Author: Xi Wang +Date: Tue Nov 29 09:26:30 2011 +0000 + + sctp: better integer overflow check in sctp_auth_create_key() + + The check from commit 30c2235c is incomplete and cannot prevent + cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the + left-hand side of the check (INT_MAX - key_len), which is unsigned, + becomes 0xffffffff (UINT_MAX) and bypasses the check. + + However this shouldn't be a security issue. The function is called + from the following two code paths: + + 1) setsockopt() + + 2) sctp_auth_asoc_set_secret() + + In case (1), sca_keylength is never going to exceed 65535 since it's + bounded by a u16 from the user API. As such, the key length will + never overflow. + + In case (2), sca_keylength is computed based on the user key (1 short) + and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still + will not overflow. + + In other words, this overflow check is not really necessary. Just + make it more correct. + + Signed-off-by: Xi Wang + Cc: Vlad Yasevich + Signed-off-by: David S. Miller + +commit e565e28c3635a1d50f80541fbf6b606d742fec76 +Author: Josh Boyer +Date: Fri Aug 19 14:50:26 2011 -0400 + + fs/minix: Verify bitmap block counts before mounting + + Newer versions of MINIX can create filesystems that allocate an extra + bitmap block. Mounting of this succeeds, but doing a statfs call will + result in an oops in count_free because of a negative number being used + for the bh index. + + Avoid this by verifying the number of allocated blocks at mount time, + erroring out if there are not enough and make statfs ignore the extras + if there are too many. + + This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 + + Signed-off-by: Josh Boyer + Signed-off-by: Al Viro + +commit 6e134e398ec1a3f428261680e83df4319e64bed9 +Author: Julia Lawall +Date: Tue Nov 15 14:53:11 2011 -0800 + + drivers/gpu/vga/vgaarb.c: add missing kfree + + kbuf is a buffer that is local to this function, so all of the error paths + leaving the function should release it. + + Signed-off-by: Julia Lawall + Cc: Jesper Juhl + Signed-off-by: Andrew Morton + Signed-off-by: Dave Airlie + +commit 2b9057b321e36860e8d63985b5c4e496f254b717 +Author: Brad Spengler +Date: Sat Dec 3 21:33:28 2011 -0500 + + Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch + +commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch + +commit 285eb4ea45d853ae00426b3315a61c1368080dad +Author: Brad Spengler +Date: Sat Dec 10 18:33:46 2011 -0500 + + Import changes from pax-linux-3.1.5-test20.patch + +commit a6bda918fc90ec1d5c387e978d147ad2044153f1 +Author: Brad Spengler +Date: Thu Dec 8 20:55:54 2011 -0500 + + Import changes from pax-linux-3.1.4-test19.patch + +commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 +Author: Brad Spengler +Date: Sat Dec 3 21:29:37 2011 -0500 + + Import pax-linux-3.1.4-test18.patch commit e8658e072c00c4c4124383dba46d91f67a24cf97 Merge: b48043e f70f945 Author: Brad Spengler diff --git a/test/grsecurity-3.0-3.14.1-201404192355.patch b/test/grsecurity-3.0-3.14.1-201404192355.patch new file mode 100644 index 0000000..507f05e --- /dev/null +++ b/test/grsecurity-3.0-3.14.1-201404192355.patch @@ -0,0 +1,119569 @@ +diff --git a/Documentation/dontdiff b/Documentation/dontdiff +index b89a739..e289b9b 100644 +--- a/Documentation/dontdiff ++++ b/Documentation/dontdiff +@@ -2,9 +2,11 @@ + *.aux + *.bin + *.bz2 ++*.c.[012]*.* + *.cis + *.cpio + *.csp ++*.dbg + *.dsp + *.dvi + *.elf +@@ -14,6 +16,7 @@ + *.gcov + *.gen.S + *.gif ++*.gmo + *.grep + *.grp + *.gz +@@ -48,14 +51,17 @@ + *.tab.h + *.tex + *.ver ++*.vim + *.xml + *.xz + *_MODULES ++*_reg_safe.h + *_vga16.c + *~ + \#*# + *.9 +-.* ++.[^g]* ++.gen* + .*.d + .mm + 53c700_d.h +@@ -69,9 +75,11 @@ Image + Module.markers + Module.symvers + PENDING ++PERF* + SCCS + System.map* + TAGS ++TRACEEVENT-CFLAGS + aconf + af_names.h + aic7*reg.h* +@@ -80,6 +88,7 @@ aic7*seq.h* + aicasm + aicdb.h* + altivec*.c ++ashldi3.S + asm-offsets.h + asm_offsets.h + autoconf.h* +@@ -92,32 +101,40 @@ bounds.h + bsetup + btfixupprep + build ++builtin-policy.h + bvmlinux + bzImage* + capability_names.h + capflags.c + classlist.h* ++clut_vga16.c ++common-cmds.h + comp*.log + compile.h* + conf + config + config-* + config_data.h* ++config.c + config.mak + config.mak.autogen ++config.tmp + conmakehash + consolemap_deftbl.c* + cpustr.h + crc32table.h* + cscope.* + defkeymap.c ++devicetable-offsets.h + devlist.h* + dnotify_test + docproc + dslm ++dtc-lexer.lex.c + elf2ecoff + elfconfig.h* + evergreen_reg_safe.h ++exception_policy.conf + fixdep + flask.h + fore200e_mkfirm +@@ -125,12 +142,15 @@ fore200e_pca_fw.c* + gconf + gconf.glade.h + gen-devlist ++gen-kdb_cmds.c + gen_crc32table + gen_init_cpio + generated + genheaders + genksyms + *_gray256.c ++hash ++hid-example + hpet_example + hugepage-mmap + hugepage-shm +@@ -145,14 +165,14 @@ int32.c + int4.c + int8.c + kallsyms +-kconfig ++kern_constants.h + keywords.c + ksym.c* + ksym.h* + kxgettext + lex.c + lex.*.c +-linux ++lib1funcs.S + logo_*.c + logo_*_clut224.c + logo_*_mono.c +@@ -162,14 +182,15 @@ mach-types.h + machtypes.h + map + map_hugetlb +-media + mconf ++mdp + miboot* + mk_elfconfig + mkboot + mkbugboot + mkcpustr + mkdep ++mkpiggy + mkprep + mkregtable + mktables +@@ -185,6 +206,8 @@ oui.c* + page-types + parse.c + parse.h ++parse-events* ++pasyms.h + patches* + pca200e.bin + pca200e_ecd.bin2 +@@ -194,6 +217,7 @@ perf-archive + piggyback + piggy.gzip + piggy.S ++pmu-* + pnmtologo + ppc_defs.h* + pss_boot.h +@@ -203,7 +227,12 @@ r200_reg_safe.h + r300_reg_safe.h + r420_reg_safe.h + r600_reg_safe.h ++randomize_layout_hash.h ++randomize_layout_seed.h ++realmode.lds ++realmode.relocs + recordmcount ++regdb.c + relocs + rlim_names.h + rn50_reg_safe.h +@@ -213,8 +242,12 @@ series + setup + setup.bin + setup.elf ++signing_key* ++size_overflow_hash.h + sImage ++slabinfo + sm_tbl* ++sortextable + split-include + syscalltab.h + tables.c +@@ -224,6 +257,7 @@ tftpboot.img + timeconst.h + times.h* + trix_boot.h ++user_constants.h + utsrelease.h* + vdso-syms.lds + vdso.lds +@@ -235,13 +269,17 @@ vdso32.lds + vdso32.so.dbg + vdso64.lds + vdso64.so.dbg ++vdsox32.lds ++vdsox32-syms.lds + version.h* + vmImage + vmlinux + vmlinux-* + vmlinux.aout + vmlinux.bin.all ++vmlinux.bin.bz2 + vmlinux.lds ++vmlinux.relocs + vmlinuz + voffset.h + vsyscall.lds +@@ -249,9 +287,12 @@ vsyscall_32.lds + wanxlfw.inc + uImage + unifdef ++utsrelease.h + wakeup.bin + wakeup.elf + wakeup.lds ++x509* + zImage* + zconf.hash.c ++zconf.lex.c + zoffset.h +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index 7116fda..d8ed6e8 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -1084,6 +1084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + Format: such that (rxsize & ~0x1fffc0) == 0. + Default: 1024 + ++ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to ++ ignore grsecurity's /proc restrictions ++ ++ + hashdist= [KNL,NUMA] Large hashes allocated during boot + are distributed across NUMA nodes. Defaults on + for 64-bit NUMA, off otherwise. +@@ -2080,6 +2084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + noexec=on: enable non-executable mappings (default) + noexec=off: disable non-executable mappings + ++ nopcid [X86-64] ++ Disable PCID (Process-Context IDentifier) even if it ++ is supported by the processor. ++ + nosmap [X86] + Disable SMAP (Supervisor Mode Access Prevention) + even if it is supported by processor. +@@ -2347,6 +2355,25 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + the specified number of seconds. This is to be used if + your oopses keep scrolling off the screen. + ++ pax_nouderef [X86] disables UDEREF. Most likely needed under certain ++ virtualization environments that don't cope well with the ++ expand down segment used by UDEREF on X86-32 or the frequent ++ page table updates on X86-64. ++ ++ pax_sanitize_slab= ++ 0/1 to disable/enable slab object sanitization (enabled by ++ default). ++ ++ pax_softmode= 0/1 to disable/enable PaX softmode on boot already. ++ ++ pax_extra_latent_entropy ++ Enable a very simple form of latent entropy extraction ++ from the first 4GB of memory as the bootmem allocator ++ passes the memory pages to the buddy allocator. ++ ++ pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF ++ when the processor supports PCID. ++ + pcbit= [HW,ISDN] + + pcd. [PARIDE] +diff --git a/Makefile b/Makefile +index 7d0b699..05f9ddb 100644 +--- a/Makefile ++++ b/Makefile +@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ + + HOSTCC = gcc + HOSTCXX = g++ +-HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer +-HOSTCXXFLAGS = -O2 ++HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks ++HOSTCFLAGS += $(call cc-option, -Wno-empty-body) ++HOSTCXXFLAGS = -O2 -Wall -W -fno-delete-null-pointer-checks + + # Decide whether to build built-in, modular, or both. + # Normally, just do built-in. +@@ -423,8 +424,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \ + # Rules shared between *config targets and build targets + + # Basic helpers built in scripts/ +-PHONY += scripts_basic +-scripts_basic: ++PHONY += scripts_basic gcc-plugins ++scripts_basic: gcc-plugins + $(Q)$(MAKE) $(build)=scripts/basic + $(Q)rm -f .tmp_quiet_recordmcount + +@@ -585,6 +586,72 @@ else + KBUILD_CFLAGS += -O2 + endif + ++ifndef DISABLE_PAX_PLUGINS ++ifeq ($(call cc-ifversion, -ge, 0408, y), y) ++PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCXX)" "$(HOSTCXX)" "$(CC)") ++else ++PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(HOSTCXX)" "$(CC)") ++endif ++ifneq ($(PLUGINCC),) ++ifdef CONFIG_PAX_CONSTIFY_PLUGIN ++CONSTIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN ++endif ++ifdef CONFIG_PAX_MEMORY_STACKLEAK ++STACKLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN ++STACKLEAK_PLUGIN_CFLAGS += -fplugin-arg-stackleak_plugin-track-lowest-sp=100 ++endif ++ifdef CONFIG_KALLOCSTAT_PLUGIN ++KALLOCSTAT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so ++endif ++ifdef CONFIG_PAX_KERNEXEC_PLUGIN ++KERNEXEC_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so ++KERNEXEC_PLUGIN_CFLAGS += -fplugin-arg-kernexec_plugin-method=$(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD) -DKERNEXEC_PLUGIN ++KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN ++endif ++ifdef CONFIG_GRKERNSEC_RANDSTRUCT ++RANDSTRUCT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/randomize_layout_plugin.so -DRANDSTRUCT_PLUGIN ++ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE ++RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode ++endif ++endif ++ifdef CONFIG_CHECKER_PLUGIN ++ifeq ($(call cc-ifversion, -ge, 0406, y), y) ++CHECKER_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN ++endif ++endif ++COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so ++ifdef CONFIG_PAX_SIZE_OVERFLOW ++SIZE_OVERFLOW_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN ++endif ++ifdef CONFIG_PAX_LATENT_ENTROPY ++LATENT_ENTROPY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/latent_entropy_plugin.so -DLATENT_ENTROPY_PLUGIN ++endif ++ifdef CONFIG_PAX_MEMORY_STRUCTLEAK ++STRUCTLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/structleak_plugin.so -DSTRUCTLEAK_PLUGIN ++endif ++GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) $(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS) ++GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS) ++GCC_PLUGINS_CFLAGS += $(SIZE_OVERFLOW_PLUGIN_CFLAGS) $(LATENT_ENTROPY_PLUGIN_CFLAGS) $(STRUCTLEAK_PLUGIN_CFLAGS) ++GCC_PLUGINS_CFLAGS += $(RANDSTRUCT_PLUGIN_CFLAGS) ++GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS) ++export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS CONSTIFY_PLUGIN LATENT_ENTROPY_PLUGIN_CFLAGS ++ifeq ($(KBUILD_EXTMOD),) ++gcc-plugins: ++ $(Q)$(MAKE) $(build)=tools/gcc ++else ++gcc-plugins: ; ++endif ++else ++gcc-plugins: ++ifeq ($(call cc-ifversion, -ge, 0405, y), y) ++ $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc--plugin-dev. If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument.)) ++else ++ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least" ++endif ++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active." ++endif ++endif ++ + include $(srctree)/arch/$(SRCARCH)/Makefile + + ifdef CONFIG_READABLE_ASM +@@ -779,7 +846,7 @@ export mod_sign_cmd + + + ifeq ($(KBUILD_EXTMOD),) +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/ + + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ +@@ -828,6 +895,8 @@ endif + + # The actual objects are generated when descending, + # make sure no implicit rule kicks in ++$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) + $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; + + # Handle descending into subdirectories listed in $(vmlinux-dirs) +@@ -837,7 +906,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; + # Error messages still appears in the original language + + PHONY += $(vmlinux-dirs) +-$(vmlinux-dirs): prepare scripts ++$(vmlinux-dirs): gcc-plugins prepare scripts + $(Q)$(MAKE) $(build)=$@ + + define filechk_kernel.release +@@ -880,10 +949,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ + + archprepare: archheaders archscripts prepare1 scripts_basic + ++prepare0: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++prepare0: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) + prepare0: archprepare FORCE + $(Q)$(MAKE) $(build)=. + + # All the preparing.. ++prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS)) + prepare: prepare0 + + # Generate some files +@@ -991,6 +1063,8 @@ all: modules + # using awk while concatenating to the final file. + + PHONY += modules ++modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) + modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin + $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order + @$(kecho) ' Building modules, stage 2.'; +@@ -1006,7 +1080,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) + + # Target to prepare building external modules + PHONY += modules_prepare +-modules_prepare: prepare scripts ++modules_prepare: gcc-plugins prepare scripts + + # Target to install modules + PHONY += modules_install +@@ -1072,7 +1146,8 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ + Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ + signing_key.priv signing_key.x509 x509.genkey \ + extra_certificates signing_key.x509.keyid \ +- signing_key.x509.signer ++ signing_key.x509.signer tools/gcc/size_overflow_hash.h \ ++ tools/gcc/randomize_layout_seed.h + + # clean - Delete most, but leave enough to build external modules + # +@@ -1112,6 +1187,7 @@ distclean: mrproper + \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ + -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ + -o -name '.*.rej' \ ++ -o -name '.*.rej' -o -name '*.so' \ + -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ + -type f -print | xargs rm -f + +@@ -1273,6 +1349,8 @@ PHONY += $(module-dirs) modules + $(module-dirs): crmodverdir $(objtree)/Module.symvers + $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) + ++modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) + modules: $(module-dirs) + @$(kecho) ' Building modules, stage 2.'; + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost +@@ -1412,17 +1490,21 @@ else + target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) + endif + +-%.s: %.c prepare scripts FORCE ++%.s: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++%.s: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) ++%.s: %.c gcc-plugins prepare scripts FORCE + $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) + %.i: %.c prepare scripts FORCE + $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) +-%.o: %.c prepare scripts FORCE ++%.o: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++%.o: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) ++%.o: %.c gcc-plugins prepare scripts FORCE + $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) + %.lst: %.c prepare scripts FORCE + $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) +-%.s: %.S prepare scripts FORCE ++%.s: %.S gcc-plugins prepare scripts FORCE + $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) +-%.o: %.S prepare scripts FORCE ++%.o: %.S gcc-plugins prepare scripts FORCE + $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) + %.symtypes: %.c prepare scripts FORCE + $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) +@@ -1432,11 +1514,15 @@ endif + $(cmd_crmodverdir) + $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ + $(build)=$(build-dir) +-%/: prepare scripts FORCE ++%/: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++%/: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) ++%/: gcc-plugins prepare scripts FORCE + $(cmd_crmodverdir) + $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ + $(build)=$(build-dir) +-%.ko: prepare scripts FORCE ++%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++%.ko: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) ++%.ko: gcc-plugins prepare scripts FORCE + $(cmd_crmodverdir) + $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ + $(build)=$(build-dir) $(@:.ko=.o) +diff --git a/arch/alpha/include/asm/atomic.h b/arch/alpha/include/asm/atomic.h +index 78b03ef..da28a51 100644 +--- a/arch/alpha/include/asm/atomic.h ++++ b/arch/alpha/include/asm/atomic.h +@@ -292,6 +292,16 @@ static inline long atomic64_dec_if_positive(atomic64_t *v) + #define atomic_dec(v) atomic_sub(1,(v)) + #define atomic64_dec(v) atomic64_sub(1,(v)) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #define smp_mb__before_atomic_dec() smp_mb() + #define smp_mb__after_atomic_dec() smp_mb() + #define smp_mb__before_atomic_inc() smp_mb() +diff --git a/arch/alpha/include/asm/cache.h b/arch/alpha/include/asm/cache.h +index ad368a9..fbe0f25 100644 +--- a/arch/alpha/include/asm/cache.h ++++ b/arch/alpha/include/asm/cache.h +@@ -4,19 +4,19 @@ + #ifndef __ARCH_ALPHA_CACHE_H + #define __ARCH_ALPHA_CACHE_H + ++#include + + /* Bytes per L1 (data) cache line. */ + #if defined(CONFIG_ALPHA_GENERIC) || defined(CONFIG_ALPHA_EV6) +-# define L1_CACHE_BYTES 64 + # define L1_CACHE_SHIFT 6 + #else + /* Both EV4 and EV5 are write-through, read-allocate, + direct-mapped, physical. + */ +-# define L1_CACHE_BYTES 32 + # define L1_CACHE_SHIFT 5 + #endif + ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + #define SMP_CACHE_BYTES L1_CACHE_BYTES + + #endif +diff --git a/arch/alpha/include/asm/elf.h b/arch/alpha/include/asm/elf.h +index 968d999..d36b2df 100644 +--- a/arch/alpha/include/asm/elf.h ++++ b/arch/alpha/include/asm/elf.h +@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG]; + + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000) + ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL) ++ ++#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28) ++#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19) ++#endif ++ + /* $0 is set by ld.so to a pointer to a function which might be + registered using atexit. This provides a mean for the dynamic + linker to call DT_FINI functions for shared libraries that have +diff --git a/arch/alpha/include/asm/pgalloc.h b/arch/alpha/include/asm/pgalloc.h +index aab14a0..b4fa3e7 100644 +--- a/arch/alpha/include/asm/pgalloc.h ++++ b/arch/alpha/include/asm/pgalloc.h +@@ -29,6 +29,12 @@ pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd) + pgd_set(pgd, pmd); + } + ++static inline void ++pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd) ++{ ++ pgd_populate(mm, pgd, pmd); ++} ++ + extern pgd_t *pgd_alloc(struct mm_struct *mm); + + static inline void +diff --git a/arch/alpha/include/asm/pgtable.h b/arch/alpha/include/asm/pgtable.h +index d8f9b7e..f6222fa 100644 +--- a/arch/alpha/include/asm/pgtable.h ++++ b/arch/alpha/include/asm/pgtable.h +@@ -102,6 +102,17 @@ struct vm_area_struct; + #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS) + #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW) + #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW) ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE) ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE) ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE) ++#else ++# define PAGE_SHARED_NOEXEC PAGE_SHARED ++# define PAGE_COPY_NOEXEC PAGE_COPY ++# define PAGE_READONLY_NOEXEC PAGE_READONLY ++#endif ++ + #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE) + + #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x)) +diff --git a/arch/alpha/kernel/module.c b/arch/alpha/kernel/module.c +index 2fd00b7..cfd5069 100644 +--- a/arch/alpha/kernel/module.c ++++ b/arch/alpha/kernel/module.c +@@ -160,7 +160,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, const char *strtab, + + /* The small sections were sorted to the end of the segment. + The following should definitely cover them. */ +- gp = (u64)me->module_core + me->core_size - 0x8000; ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000; + got = sechdrs[me->arch.gotsecindex].sh_addr; + + for (i = 0; i < n; i++) { +diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c +index 1402fcc..0b1abd2 100644 +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -1298,10 +1298,11 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p) + generic version except that we know how to honor ADDR_LIMIT_32BIT. */ + + static unsigned long +-arch_get_unmapped_area_1(unsigned long addr, unsigned long len, +- unsigned long limit) ++arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len, ++ unsigned long limit, unsigned long flags) + { + struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + info.flags = 0; + info.length = len; +@@ -1309,6 +1310,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len, + info.high_limit = limit; + info.align_mask = 0; + info.align_offset = 0; ++ info.threadstack_offset = offset; + return vm_unmapped_area(&info); + } + +@@ -1341,20 +1343,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + merely specific addresses, but regions of memory -- perhaps + this feature should be incorporated into all ports? */ + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags); + if (addr != (unsigned long) -ENOMEM) + return addr; + } + + /* Next, try allocating at TASK_UNMAPPED_BASE. */ +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE), +- len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags); ++ + if (addr != (unsigned long) -ENOMEM) + return addr; + + /* Finally, try allocating in low memory. */ +- addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags); + + return addr; + } +diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c +index 98838a0..b304fb4 100644 +--- a/arch/alpha/mm/fault.c ++++ b/arch/alpha/mm/fault.c +@@ -53,6 +53,124 @@ __load_new_mm_context(struct mm_struct *next_mm) + __reload_thread(pcb); + } + ++#ifdef CONFIG_PAX_PAGEEXEC ++/* ++ * PaX: decide what to do with offenders (regs->pc = fault address) ++ * ++ * returns 1 when task should be killed ++ * 2 when patched PLT trampoline was detected ++ * 3 when unpatched PLT trampoline was detected ++ */ ++static int pax_handle_fetch_fault(struct pt_regs *regs) ++{ ++ ++#ifdef CONFIG_PAX_EMUPLT ++ int err; ++ ++ do { /* PaX: patched PLT emulation #1 */ ++ unsigned int ldah, ldq, jmp; ++ ++ err = get_user(ldah, (unsigned int *)regs->pc); ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4)); ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8)); ++ ++ if (err) ++ break; ++ ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U && ++ (ldq & 0xFFFF0000U) == 0xA77B0000U && ++ jmp == 0x6BFB0000U) ++ { ++ unsigned long r27, addr; ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16; ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL; ++ ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL); ++ err = get_user(r27, (unsigned long *)addr); ++ if (err) ++ break; ++ ++ regs->r27 = r27; ++ regs->pc = r27; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: patched PLT emulation #2 */ ++ unsigned int ldah, lda, br; ++ ++ err = get_user(ldah, (unsigned int *)regs->pc); ++ err |= get_user(lda, (unsigned int *)(regs->pc+4)); ++ err |= get_user(br, (unsigned int *)(regs->pc+8)); ++ ++ if (err) ++ break; ++ ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U && ++ (lda & 0xFFFF0000U) == 0xA77B0000U && ++ (br & 0xFFE00000U) == 0xC3E00000U) ++ { ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL; ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16; ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL; ++ ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL); ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2); ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: unpatched PLT emulation */ ++ unsigned int br; ++ ++ err = get_user(br, (unsigned int *)regs->pc); ++ ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) { ++ unsigned int br2, ldq, nop, jmp; ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver; ++ ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2); ++ err = get_user(br2, (unsigned int *)addr); ++ err |= get_user(ldq, (unsigned int *)(addr+4)); ++ err |= get_user(nop, (unsigned int *)(addr+8)); ++ err |= get_user(jmp, (unsigned int *)(addr+12)); ++ err |= get_user(resolver, (unsigned long *)(addr+16)); ++ ++ if (err) ++ break; ++ ++ if (br2 == 0xC3600000U && ++ ldq == 0xA77B000CU && ++ nop == 0x47FF041FU && ++ jmp == 0x6B7B0000U) ++ { ++ regs->r28 = regs->pc+4; ++ regs->r27 = addr+16; ++ regs->pc = resolver; ++ return 3; ++ } ++ } ++ } while (0); ++#endif ++ ++ return 1; ++} ++ ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ unsigned long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 5; i++) { ++ unsigned int c; ++ if (get_user(c, (unsigned int *)pc+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%08x ", c); ++ } ++ printk("\n"); ++} ++#endif + + /* + * This routine handles page faults. It determines the address, +@@ -133,8 +251,29 @@ retry: + good_area: + si_code = SEGV_ACCERR; + if (cause < 0) { +- if (!(vma->vm_flags & VM_EXEC)) ++ if (!(vma->vm_flags & VM_EXEC)) { ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc) ++ goto bad_area; ++ ++ up_read(&mm->mmap_sem); ++ switch (pax_handle_fetch_fault(regs)) { ++ ++#ifdef CONFIG_PAX_EMUPLT ++ case 2: ++ case 3: ++ return; ++#endif ++ ++ } ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp()); ++ do_group_exit(SIGKILL); ++#else + goto bad_area; ++#endif ++ ++ } + } else if (!cause) { + /* Allow reads even for write-only mappings */ + if (!(vma->vm_flags & (VM_READ | VM_WRITE))) +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index 1594945..adf4001 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1862,7 +1862,7 @@ config ALIGNMENT_TRAP + + config UACCESS_WITH_MEMCPY + bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()" +- depends on MMU ++ depends on MMU && !PAX_MEMORY_UDEREF + default y if CPU_FEROCEON + help + Implement faster copy_to_user and clear_user methods for CPU +@@ -2125,6 +2125,7 @@ config XIP_PHYS_ADDR + config KEXEC + bool "Kexec system call (EXPERIMENTAL)" + depends on (!SMP || PM_SLEEP_SMP) ++ depends on !GRKERNSEC_KMEM + help + kexec is a system call that implements the ability to shutdown your + current kernel, and to start another kernel. It is like a reboot +diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h +index 62d2cb5..09d45e3 100644 +--- a/arch/arm/include/asm/atomic.h ++++ b/arch/arm/include/asm/atomic.h +@@ -18,17 +18,35 @@ + #include + #include + ++#ifdef CONFIG_GENERIC_ATOMIC64 ++#include ++#endif ++ + #define ATOMIC_INIT(i) { (i) } + + #ifdef __KERNEL__ + ++#define _ASM_EXTABLE(from, to) \ ++" .pushsection __ex_table,\"a\"\n"\ ++" .align 3\n" \ ++" .long " #from ", " #to"\n" \ ++" .popsection" ++ + /* + * On ARM, ordinary assignment (str instruction) doesn't clear the local + * strex/ldrex monitor on some implementations. The reason we can use it for + * atomic_set() is the clrex or dummy strex done on every exception return. + */ + #define atomic_read(v) (*(volatile int *)&(v)->counter) ++static inline int atomic_read_unchecked(const atomic_unchecked_t *v) ++{ ++ return v->counter; ++} + #define atomic_set(v,i) (((v)->counter) = (i)) ++static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i) ++{ ++ v->counter = i; ++} + + #if __LINUX_ARM_ARCH__ >= 6 + +@@ -44,6 +62,36 @@ static inline void atomic_add(int i, atomic_t *v) + + prefetchw(&v->counter); + __asm__ __volatile__("@ atomic_add\n" ++"1: ldrex %1, [%3]\n" ++" adds %0, %1, %4\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ ++" strex %1, %0, [%3]\n" ++" teq %1, #0\n" ++" bne 1b" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++"\n4:\n" ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ ++ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) ++ : "r" (&v->counter), "Ir" (i) ++ : "cc"); ++} ++ ++static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v) ++{ ++ unsigned long tmp; ++ int result; ++ ++ prefetchw(&v->counter); ++ __asm__ __volatile__("@ atomic_add_unchecked\n" + "1: ldrex %0, [%3]\n" + " add %0, %0, %4\n" + " strex %1, %0, [%3]\n" +@@ -62,6 +110,42 @@ static inline int atomic_add_return(int i, atomic_t *v) + smp_mb(); + + __asm__ __volatile__("@ atomic_add_return\n" ++"1: ldrex %1, [%3]\n" ++" adds %0, %1, %4\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++" mov %0, %1\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ ++" strex %1, %0, [%3]\n" ++" teq %1, #0\n" ++" bne 1b" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++"\n4:\n" ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ ++ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) ++ : "r" (&v->counter), "Ir" (i) ++ : "cc"); ++ ++ smp_mb(); ++ ++ return result; ++} ++ ++static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) ++{ ++ unsigned long tmp; ++ int result; ++ ++ smp_mb(); ++ ++ __asm__ __volatile__("@ atomic_add_return_unchecked\n" + "1: ldrex %0, [%3]\n" + " add %0, %0, %4\n" + " strex %1, %0, [%3]\n" +@@ -83,6 +167,36 @@ static inline void atomic_sub(int i, atomic_t *v) + + prefetchw(&v->counter); + __asm__ __volatile__("@ atomic_sub\n" ++"1: ldrex %1, [%3]\n" ++" subs %0, %1, %4\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ ++" strex %1, %0, [%3]\n" ++" teq %1, #0\n" ++" bne 1b" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++"\n4:\n" ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ ++ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) ++ : "r" (&v->counter), "Ir" (i) ++ : "cc"); ++} ++ ++static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v) ++{ ++ unsigned long tmp; ++ int result; ++ ++ prefetchw(&v->counter); ++ __asm__ __volatile__("@ atomic_sub_unchecked\n" + "1: ldrex %0, [%3]\n" + " sub %0, %0, %4\n" + " strex %1, %0, [%3]\n" +@@ -101,11 +215,25 @@ static inline int atomic_sub_return(int i, atomic_t *v) + smp_mb(); + + __asm__ __volatile__("@ atomic_sub_return\n" +-"1: ldrex %0, [%3]\n" +-" sub %0, %0, %4\n" ++"1: ldrex %1, [%3]\n" ++" subs %0, %1, %4\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++" mov %0, %1\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ + " strex %1, %0, [%3]\n" + " teq %1, #0\n" + " bne 1b" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++"\n4:\n" ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) + : "r" (&v->counter), "Ir" (i) + : "cc"); +@@ -138,6 +266,28 @@ static inline int atomic_cmpxchg(atomic_t *ptr, int old, int new) + return oldval; + } + ++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *ptr, int old, int new) ++{ ++ unsigned long oldval, res; ++ ++ smp_mb(); ++ ++ do { ++ __asm__ __volatile__("@ atomic_cmpxchg_unchecked\n" ++ "ldrex %1, [%3]\n" ++ "mov %0, #0\n" ++ "teq %1, %4\n" ++ "strexeq %0, %5, [%3]\n" ++ : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter) ++ : "r" (&ptr->counter), "Ir" (old), "r" (new) ++ : "cc"); ++ } while (res); ++ ++ smp_mb(); ++ ++ return oldval; ++} ++ + #else /* ARM_ARCH_6 */ + + #ifdef CONFIG_SMP +@@ -156,7 +306,17 @@ static inline int atomic_add_return(int i, atomic_t *v) + + return val; + } ++ ++static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) ++{ ++ return atomic_add_return(i, v); ++} ++ + #define atomic_add(i, v) (void) atomic_add_return(i, v) ++static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v) ++{ ++ (void) atomic_add_return(i, v); ++} + + static inline int atomic_sub_return(int i, atomic_t *v) + { +@@ -171,6 +331,10 @@ static inline int atomic_sub_return(int i, atomic_t *v) + return val; + } + #define atomic_sub(i, v) (void) atomic_sub_return(i, v) ++static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v) ++{ ++ (void) atomic_sub_return(i, v); ++} + + static inline int atomic_cmpxchg(atomic_t *v, int old, int new) + { +@@ -186,9 +350,18 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new) + return ret; + } + ++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new) ++{ ++ return atomic_cmpxchg(v, old, new); ++} ++ + #endif /* __LINUX_ARM_ARCH__ */ + + #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) ++static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new) ++{ ++ return xchg(&v->counter, new); ++} + + static inline int __atomic_add_unless(atomic_t *v, int a, int u) + { +@@ -201,11 +374,27 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u) + } + + #define atomic_inc(v) atomic_add(1, v) ++static inline void atomic_inc_unchecked(atomic_unchecked_t *v) ++{ ++ atomic_add_unchecked(1, v); ++} + #define atomic_dec(v) atomic_sub(1, v) ++static inline void atomic_dec_unchecked(atomic_unchecked_t *v) ++{ ++ atomic_sub_unchecked(1, v); ++} + + #define atomic_inc_and_test(v) (atomic_add_return(1, v) == 0) ++static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v) ++{ ++ return atomic_add_return_unchecked(1, v) == 0; ++} + #define atomic_dec_and_test(v) (atomic_sub_return(1, v) == 0) + #define atomic_inc_return(v) (atomic_add_return(1, v)) ++static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v) ++{ ++ return atomic_add_return_unchecked(1, v); ++} + #define atomic_dec_return(v) (atomic_sub_return(1, v)) + #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0) + +@@ -221,6 +410,14 @@ typedef struct { + long long counter; + } atomic64_t; + ++#ifdef CONFIG_PAX_REFCOUNT ++typedef struct { ++ long long counter; ++} atomic64_unchecked_t; ++#else ++typedef atomic64_t atomic64_unchecked_t; ++#endif ++ + #define ATOMIC64_INIT(i) { (i) } + + #ifdef CONFIG_ARM_LPAE +@@ -237,6 +434,19 @@ static inline long long atomic64_read(const atomic64_t *v) + return result; + } + ++static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v) ++{ ++ long long result; ++ ++ __asm__ __volatile__("@ atomic64_read_unchecked\n" ++" ldrd %0, %H0, [%1]" ++ : "=&r" (result) ++ : "r" (&v->counter), "Qo" (v->counter) ++ ); ++ ++ return result; ++} ++ + static inline void atomic64_set(atomic64_t *v, long long i) + { + __asm__ __volatile__("@ atomic64_set\n" +@@ -245,6 +455,15 @@ static inline void atomic64_set(atomic64_t *v, long long i) + : "r" (&v->counter), "r" (i) + ); + } ++ ++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i) ++{ ++ __asm__ __volatile__("@ atomic64_set_unchecked\n" ++" strd %2, %H2, [%1]" ++ : "=Qo" (v->counter) ++ : "r" (&v->counter), "r" (i) ++ ); ++} + #else + static inline long long atomic64_read(const atomic64_t *v) + { +@@ -259,6 +478,19 @@ static inline long long atomic64_read(const atomic64_t *v) + return result; + } + ++static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v) ++{ ++ long long result; ++ ++ __asm__ __volatile__("@ atomic64_read_unchecked\n" ++" ldrexd %0, %H0, [%1]" ++ : "=&r" (result) ++ : "r" (&v->counter), "Qo" (v->counter) ++ ); ++ ++ return result; ++} ++ + static inline void atomic64_set(atomic64_t *v, long long i) + { + long long tmp; +@@ -273,6 +505,21 @@ static inline void atomic64_set(atomic64_t *v, long long i) + : "r" (&v->counter), "r" (i) + : "cc"); + } ++ ++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i) ++{ ++ long long tmp; ++ ++ prefetchw(&v->counter); ++ __asm__ __volatile__("@ atomic64_set_unchecked\n" ++"1: ldrexd %0, %H0, [%2]\n" ++" strexd %0, %3, %H3, [%2]\n" ++" teq %0, #0\n" ++" bne 1b" ++ : "=&r" (tmp), "=Qo" (v->counter) ++ : "r" (&v->counter), "r" (i) ++ : "cc"); ++} + #endif + + static inline void atomic64_add(long long i, atomic64_t *v) +@@ -284,6 +531,37 @@ static inline void atomic64_add(long long i, atomic64_t *v) + __asm__ __volatile__("@ atomic64_add\n" + "1: ldrexd %0, %H0, [%3]\n" + " adds %Q0, %Q0, %Q4\n" ++" adcs %R0, %R0, %R4\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ ++" strexd %1, %0, %H0, [%3]\n" ++" teq %1, #0\n" ++" bne 1b" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++"\n4:\n" ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ ++ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) ++ : "r" (&v->counter), "r" (i) ++ : "cc"); ++} ++ ++static inline void atomic64_add_unchecked(long long i, atomic64_unchecked_t *v) ++{ ++ long long result; ++ unsigned long tmp; ++ ++ prefetchw(&v->counter); ++ __asm__ __volatile__("@ atomic64_add_unchecked\n" ++"1: ldrexd %0, %H0, [%3]\n" ++" adds %Q0, %Q0, %Q4\n" + " adc %R0, %R0, %R4\n" + " strexd %1, %0, %H0, [%3]\n" + " teq %1, #0\n" +@@ -303,6 +581,44 @@ static inline long long atomic64_add_return(long long i, atomic64_t *v) + __asm__ __volatile__("@ atomic64_add_return\n" + "1: ldrexd %0, %H0, [%3]\n" + " adds %Q0, %Q0, %Q4\n" ++" adcs %R0, %R0, %R4\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++" mov %0, %1\n" ++" mov %H0, %H1\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ ++" strexd %1, %0, %H0, [%3]\n" ++" teq %1, #0\n" ++" bne 1b" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++"\n4:\n" ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ ++ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) ++ : "r" (&v->counter), "r" (i) ++ : "cc"); ++ ++ smp_mb(); ++ ++ return result; ++} ++ ++static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v) ++{ ++ long long result; ++ unsigned long tmp; ++ ++ smp_mb(); ++ ++ __asm__ __volatile__("@ atomic64_add_return_unchecked\n" ++"1: ldrexd %0, %H0, [%3]\n" ++" adds %Q0, %Q0, %Q4\n" + " adc %R0, %R0, %R4\n" + " strexd %1, %0, %H0, [%3]\n" + " teq %1, #0\n" +@@ -325,6 +641,37 @@ static inline void atomic64_sub(long long i, atomic64_t *v) + __asm__ __volatile__("@ atomic64_sub\n" + "1: ldrexd %0, %H0, [%3]\n" + " subs %Q0, %Q0, %Q4\n" ++" sbcs %R0, %R0, %R4\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ ++" strexd %1, %0, %H0, [%3]\n" ++" teq %1, #0\n" ++" bne 1b" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++"\n4:\n" ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ ++ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) ++ : "r" (&v->counter), "r" (i) ++ : "cc"); ++} ++ ++static inline void atomic64_sub_unchecked(long long i, atomic64_unchecked_t *v) ++{ ++ long long result; ++ unsigned long tmp; ++ ++ prefetchw(&v->counter); ++ __asm__ __volatile__("@ atomic64_sub_unchecked\n" ++"1: ldrexd %0, %H0, [%3]\n" ++" subs %Q0, %Q0, %Q4\n" + " sbc %R0, %R0, %R4\n" + " strexd %1, %0, %H0, [%3]\n" + " teq %1, #0\n" +@@ -344,16 +691,29 @@ static inline long long atomic64_sub_return(long long i, atomic64_t *v) + __asm__ __volatile__("@ atomic64_sub_return\n" + "1: ldrexd %0, %H0, [%3]\n" + " subs %Q0, %Q0, %Q4\n" +-" sbc %R0, %R0, %R4\n" ++" sbcs %R0, %R0, %R4\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++" mov %0, %1\n" ++" mov %H0, %H1\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ + " strexd %1, %0, %H0, [%3]\n" + " teq %1, #0\n" + " bne 1b" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++"\n4:\n" ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) + : "r" (&v->counter), "r" (i) + : "cc"); + +- smp_mb(); +- + return result; + } + +@@ -382,6 +742,31 @@ static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old, + return oldval; + } + ++static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, long long old, ++ long long new) ++{ ++ long long oldval; ++ unsigned long res; ++ ++ smp_mb(); ++ ++ do { ++ __asm__ __volatile__("@ atomic64_cmpxchg_unchecked\n" ++ "ldrexd %1, %H1, [%3]\n" ++ "mov %0, #0\n" ++ "teq %1, %4\n" ++ "teqeq %H1, %H4\n" ++ "strexdeq %0, %5, %H5, [%3]" ++ : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter) ++ : "r" (&ptr->counter), "r" (old), "r" (new) ++ : "cc"); ++ } while (res); ++ ++ smp_mb(); ++ ++ return oldval; ++} ++ + static inline long long atomic64_xchg(atomic64_t *ptr, long long new) + { + long long result; +@@ -406,20 +791,34 @@ static inline long long atomic64_xchg(atomic64_t *ptr, long long new) + static inline long long atomic64_dec_if_positive(atomic64_t *v) + { + long long result; +- unsigned long tmp; ++ u64 tmp; + + smp_mb(); + + __asm__ __volatile__("@ atomic64_dec_if_positive\n" +-"1: ldrexd %0, %H0, [%3]\n" +-" subs %Q0, %Q0, #1\n" +-" sbc %R0, %R0, #0\n" ++"1: ldrexd %1, %H1, [%3]\n" ++" subs %Q0, %Q1, #1\n" ++" sbcs %R0, %R1, #0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++" mov %Q0, %Q1\n" ++" mov %R0, %R1\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ + " teq %R0, #0\n" +-" bmi 2f\n" ++" bmi 4f\n" + " strexd %1, %0, %H0, [%3]\n" + " teq %1, #0\n" + " bne 1b\n" +-"2:" ++"4:\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) + : "r" (&v->counter) + : "cc"); +@@ -442,13 +841,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u) + " teq %0, %5\n" + " teqeq %H0, %H5\n" + " moveq %1, #0\n" +-" beq 2f\n" ++" beq 4f\n" + " adds %Q0, %Q0, %Q6\n" +-" adc %R0, %R0, %R6\n" ++" adcs %R0, %R0, %R6\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" bvc 3f\n" ++"2: bkpt 0xf103\n" ++"3:\n" ++#endif ++ + " strexd %2, %0, %H0, [%4]\n" + " teq %2, #0\n" + " bne 1b\n" +-"2:" ++"4:\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ _ASM_EXTABLE(2b, 4b) ++#endif ++ + : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter) + : "r" (&v->counter), "r" (u), "r" (a) + : "cc"); +@@ -461,10 +872,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u) + + #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0) + #define atomic64_inc(v) atomic64_add(1LL, (v)) ++#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1LL, (v)) + #define atomic64_inc_return(v) atomic64_add_return(1LL, (v)) ++#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1LL, (v)) + #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0) + #define atomic64_sub_and_test(a, v) (atomic64_sub_return((a), (v)) == 0) + #define atomic64_dec(v) atomic64_sub(1LL, (v)) ++#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1LL, (v)) + #define atomic64_dec_return(v) atomic64_sub_return(1LL, (v)) + #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0) + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL) +diff --git a/arch/arm/include/asm/cache.h b/arch/arm/include/asm/cache.h +index 75fe66b..ba3dee4 100644 +--- a/arch/arm/include/asm/cache.h ++++ b/arch/arm/include/asm/cache.h +@@ -4,8 +4,10 @@ + #ifndef __ASMARM_CACHE_H + #define __ASMARM_CACHE_H + ++#include ++ + #define L1_CACHE_SHIFT CONFIG_ARM_L1_CACHE_SHIFT +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + /* + * Memory returned by kmalloc() may be used for DMA, so we must make +@@ -24,5 +26,6 @@ + #endif + + #define __read_mostly __attribute__((__section__(".data..read_mostly"))) ++#define __read_only __attribute__ ((__section__(".data..read_only"))) + + #endif +diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h +index 8b8b616..d973d24 100644 +--- a/arch/arm/include/asm/cacheflush.h ++++ b/arch/arm/include/asm/cacheflush.h +@@ -116,7 +116,7 @@ struct cpu_cache_fns { + void (*dma_unmap_area)(const void *, size_t, int); + + void (*dma_flush_range)(const void *, const void *); +-}; ++} __no_const; + + /* + * Select the calling method +diff --git a/arch/arm/include/asm/checksum.h b/arch/arm/include/asm/checksum.h +index 5233151..87a71fa 100644 +--- a/arch/arm/include/asm/checksum.h ++++ b/arch/arm/include/asm/checksum.h +@@ -37,7 +37,19 @@ __wsum + csum_partial_copy_nocheck(const void *src, void *dst, int len, __wsum sum); + + __wsum +-csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr); ++__csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr); ++ ++static inline __wsum ++csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr) ++{ ++ __wsum ret; ++ pax_open_userland(); ++ ret = __csum_partial_copy_from_user(src, dst, len, sum, err_ptr); ++ pax_close_userland(); ++ return ret; ++} ++ ++ + + /* + * Fold a partial checksum without adding pseudo headers +diff --git a/arch/arm/include/asm/cmpxchg.h b/arch/arm/include/asm/cmpxchg.h +index df2fbba..63fe3e1 100644 +--- a/arch/arm/include/asm/cmpxchg.h ++++ b/arch/arm/include/asm/cmpxchg.h +@@ -102,6 +102,8 @@ static inline unsigned long __xchg(unsigned long x, volatile void *ptr, int size + + #define xchg(ptr,x) \ + ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) ++#define xchg_unchecked(ptr,x) \ ++ ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) + + #include + +diff --git a/arch/arm/include/asm/domain.h b/arch/arm/include/asm/domain.h +index 6ddbe44..b5e38b1 100644 +--- a/arch/arm/include/asm/domain.h ++++ b/arch/arm/include/asm/domain.h +@@ -48,18 +48,37 @@ + * Domain types + */ + #define DOMAIN_NOACCESS 0 +-#define DOMAIN_CLIENT 1 + #ifdef CONFIG_CPU_USE_DOMAINS ++#define DOMAIN_USERCLIENT 1 ++#define DOMAIN_KERNELCLIENT 1 + #define DOMAIN_MANAGER 3 ++#define DOMAIN_VECTORS DOMAIN_USER + #else ++ ++#ifdef CONFIG_PAX_KERNEXEC + #define DOMAIN_MANAGER 1 ++#define DOMAIN_KERNEXEC 3 ++#else ++#define DOMAIN_MANAGER 1 ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++#define DOMAIN_USERCLIENT 0 ++#define DOMAIN_UDEREF 1 ++#define DOMAIN_VECTORS DOMAIN_KERNEL ++#else ++#define DOMAIN_USERCLIENT 1 ++#define DOMAIN_VECTORS DOMAIN_USER ++#endif ++#define DOMAIN_KERNELCLIENT 1 ++ + #endif + + #define domain_val(dom,type) ((type) << (2*(dom))) + + #ifndef __ASSEMBLY__ + +-#ifdef CONFIG_CPU_USE_DOMAINS ++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + static inline void set_domain(unsigned val) + { + asm volatile( +@@ -68,15 +87,7 @@ static inline void set_domain(unsigned val) + isb(); + } + +-#define modify_domain(dom,type) \ +- do { \ +- struct thread_info *thread = current_thread_info(); \ +- unsigned int domain = thread->cpu_domain; \ +- domain &= ~domain_val(dom, DOMAIN_MANAGER); \ +- thread->cpu_domain = domain | domain_val(dom, type); \ +- set_domain(thread->cpu_domain); \ +- } while (0) +- ++extern void modify_domain(unsigned int dom, unsigned int type); + #else + static inline void set_domain(unsigned val) { } + static inline void modify_domain(unsigned dom, unsigned type) { } +diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h +index f4b46d3..abc9b2b 100644 +--- a/arch/arm/include/asm/elf.h ++++ b/arch/arm/include/asm/elf.h +@@ -114,7 +114,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); + the loader. We need to make sure that it is out of the way of the program + that it will "exec", and that there is sufficient room for the brk. */ + +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3) ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) ++ ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE 0x00008000UL ++ ++#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10) ++#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10) ++#endif + + /* When the program starts, a1 contains a pointer to a function to be + registered with atexit, as per the SVR4 ABI. A value of 0 means we +@@ -124,10 +131,6 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); + extern void elf_set_personality(const struct elf32_hdr *); + #define SET_PERSONALITY(ex) elf_set_personality(&(ex)) + +-struct mm_struct; +-extern unsigned long arch_randomize_brk(struct mm_struct *mm); +-#define arch_randomize_brk arch_randomize_brk +- + #ifdef CONFIG_MMU + #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 + struct linux_binprm; +diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h +index de53547..52b9a28 100644 +--- a/arch/arm/include/asm/fncpy.h ++++ b/arch/arm/include/asm/fncpy.h +@@ -81,7 +81,9 @@ + BUG_ON((uintptr_t)(dest_buf) & (FNCPY_ALIGN - 1) || \ + (__funcp_address & ~(uintptr_t)1 & (FNCPY_ALIGN - 1))); \ + \ ++ pax_open_kernel(); \ + memcpy(dest_buf, (void const *)(__funcp_address & ~1), size); \ ++ pax_close_kernel(); \ + flush_icache_range((unsigned long)(dest_buf), \ + (unsigned long)(dest_buf) + (size)); \ + \ +diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h +index e42cf59..7b94b8f 100644 +--- a/arch/arm/include/asm/futex.h ++++ b/arch/arm/include/asm/futex.h +@@ -50,6 +50,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) + return -EFAULT; + ++ pax_open_userland(); ++ + smp_mb(); + __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n" + "1: ldrex %1, [%4]\n" +@@ -65,6 +67,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + : "cc", "memory"); + smp_mb(); + ++ pax_close_userland(); ++ + *uval = val; + return ret; + } +@@ -95,6 +99,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) + return -EFAULT; + ++ pax_open_userland(); ++ + __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n" + "1: " TUSER(ldr) " %1, [%4]\n" + " teq %1, %2\n" +@@ -105,6 +111,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + : "r" (oldval), "r" (newval), "r" (uaddr), "Ir" (-EFAULT) + : "cc", "memory"); + ++ pax_close_userland(); ++ + *uval = val; + return ret; + } +@@ -127,6 +135,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) + return -EFAULT; + + pagefault_disable(); /* implies preempt_disable() */ ++ pax_open_userland(); + + switch (op) { + case FUTEX_OP_SET: +@@ -148,6 +157,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) + ret = -ENOSYS; + } + ++ pax_close_userland(); + pagefault_enable(); /* subsumes preempt_enable() */ + + if (!ret) { +diff --git a/arch/arm/include/asm/kmap_types.h b/arch/arm/include/asm/kmap_types.h +index 83eb2f7..ed77159 100644 +--- a/arch/arm/include/asm/kmap_types.h ++++ b/arch/arm/include/asm/kmap_types.h +@@ -4,6 +4,6 @@ + /* + * This is the "bare minimum". AIO seems to require this. + */ +-#define KM_TYPE_NR 16 ++#define KM_TYPE_NR 17 + + #endif +diff --git a/arch/arm/include/asm/mach/dma.h b/arch/arm/include/asm/mach/dma.h +index 9e614a1..3302cca 100644 +--- a/arch/arm/include/asm/mach/dma.h ++++ b/arch/arm/include/asm/mach/dma.h +@@ -22,7 +22,7 @@ struct dma_ops { + int (*residue)(unsigned int, dma_t *); /* optional */ + int (*setspeed)(unsigned int, dma_t *, int); /* optional */ + const char *type; +-}; ++} __do_const; + + struct dma_struct { + void *addr; /* single DMA address */ +diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h +index f98c7f3..6d2a756 100644 +--- a/arch/arm/include/asm/mach/map.h ++++ b/arch/arm/include/asm/mach/map.h +@@ -24,16 +24,18 @@ struct map_desc { + /* types 0-3 are defined in asm/io.h */ + enum { + MT_UNCACHED = 4, +- MT_CACHECLEAN, +- MT_MINICLEAN, ++ MT_CACHECLEAN_RO, ++ MT_MINICLEAN_RO, + MT_LOW_VECTORS, + MT_HIGH_VECTORS, +- MT_MEMORY_RWX, ++ __MT_MEMORY_RWX, + MT_MEMORY_RW, ++ MT_MEMORY_RX, + MT_ROM, +- MT_MEMORY_RWX_NONCACHED, ++ MT_MEMORY_RW_NONCACHED, ++ MT_MEMORY_RX_NONCACHED, + MT_MEMORY_RW_DTCM, +- MT_MEMORY_RWX_ITCM, ++ MT_MEMORY_RX_ITCM, + MT_MEMORY_RW_SO, + MT_MEMORY_DMA_READY, + }; +diff --git a/arch/arm/include/asm/outercache.h b/arch/arm/include/asm/outercache.h +index f94784f..9a09a4a 100644 +--- a/arch/arm/include/asm/outercache.h ++++ b/arch/arm/include/asm/outercache.h +@@ -35,7 +35,7 @@ struct outer_cache_fns { + #endif + void (*set_debug)(unsigned long); + void (*resume)(void); +-}; ++} __no_const; + + extern struct outer_cache_fns outer_cache; + +diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h +index 4355f0e..cd9168e 100644 +--- a/arch/arm/include/asm/page.h ++++ b/arch/arm/include/asm/page.h +@@ -23,6 +23,7 @@ + + #else + ++#include + #include + + /* +@@ -114,7 +115,7 @@ struct cpu_user_fns { + void (*cpu_clear_user_highpage)(struct page *page, unsigned long vaddr); + void (*cpu_copy_user_highpage)(struct page *to, struct page *from, + unsigned long vaddr, struct vm_area_struct *vma); +-}; ++} __no_const; + + #ifdef MULTI_USER + extern struct cpu_user_fns cpu_user; +diff --git a/arch/arm/include/asm/pgalloc.h b/arch/arm/include/asm/pgalloc.h +index 78a7793..e3dc06c 100644 +--- a/arch/arm/include/asm/pgalloc.h ++++ b/arch/arm/include/asm/pgalloc.h +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #define check_pgt_cache() do { } while (0) + +@@ -43,6 +44,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) + set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE)); + } + ++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) ++{ ++ pud_populate(mm, pud, pmd); ++} ++ + #else /* !CONFIG_ARM_LPAE */ + + /* +@@ -51,6 +57,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) + #define pmd_alloc_one(mm,addr) ({ BUG(); ((pmd_t *)2); }) + #define pmd_free(mm, pmd) do { } while (0) + #define pud_populate(mm,pmd,pte) BUG() ++#define pud_populate_kernel(mm,pmd,pte) BUG() + + #endif /* CONFIG_ARM_LPAE */ + +@@ -128,6 +135,19 @@ static inline void pte_free(struct mm_struct *mm, pgtable_t pte) + __free_page(pte); + } + ++static inline void __section_update(pmd_t *pmdp, unsigned long addr, pmdval_t prot) ++{ ++#ifdef CONFIG_ARM_LPAE ++ pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot); ++#else ++ if (addr & SECTION_SIZE) ++ pmdp[1] = __pmd(pmd_val(pmdp[1]) | prot); ++ else ++ pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot); ++#endif ++ flush_pmd_entry(pmdp); ++} ++ + static inline void __pmd_populate(pmd_t *pmdp, phys_addr_t pte, + pmdval_t prot) + { +@@ -157,7 +177,7 @@ pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmdp, pte_t *ptep) + static inline void + pmd_populate(struct mm_struct *mm, pmd_t *pmdp, pgtable_t ptep) + { +- __pmd_populate(pmdp, page_to_phys(ptep), _PAGE_USER_TABLE); ++ __pmd_populate(pmdp, page_to_phys(ptep), _PAGE_USER_TABLE | __supported_pmd_mask); + } + #define pmd_pgtable(pmd) pmd_page(pmd) + +diff --git a/arch/arm/include/asm/pgtable-2level-hwdef.h b/arch/arm/include/asm/pgtable-2level-hwdef.h +index 5cfba15..f415e1a 100644 +--- a/arch/arm/include/asm/pgtable-2level-hwdef.h ++++ b/arch/arm/include/asm/pgtable-2level-hwdef.h +@@ -20,12 +20,15 @@ + #define PMD_TYPE_FAULT (_AT(pmdval_t, 0) << 0) + #define PMD_TYPE_TABLE (_AT(pmdval_t, 1) << 0) + #define PMD_TYPE_SECT (_AT(pmdval_t, 2) << 0) ++#define PMD_PXNTABLE (_AT(pmdval_t, 1) << 2) /* v7 */ + #define PMD_BIT4 (_AT(pmdval_t, 1) << 4) + #define PMD_DOMAIN(x) (_AT(pmdval_t, (x)) << 5) + #define PMD_PROTECTION (_AT(pmdval_t, 1) << 9) /* v5 */ ++ + /* + * - section + */ ++#define PMD_SECT_PXN (_AT(pmdval_t, 1) << 0) /* v7 */ + #define PMD_SECT_BUFFERABLE (_AT(pmdval_t, 1) << 2) + #define PMD_SECT_CACHEABLE (_AT(pmdval_t, 1) << 3) + #define PMD_SECT_XN (_AT(pmdval_t, 1) << 4) /* v6 */ +@@ -37,6 +40,7 @@ + #define PMD_SECT_nG (_AT(pmdval_t, 1) << 17) /* v6 */ + #define PMD_SECT_SUPER (_AT(pmdval_t, 1) << 18) /* v6 */ + #define PMD_SECT_AF (_AT(pmdval_t, 0)) ++#define PMD_SECT_RDONLY (_AT(pmdval_t, 0)) + + #define PMD_SECT_UNCACHED (_AT(pmdval_t, 0)) + #define PMD_SECT_BUFFERED (PMD_SECT_BUFFERABLE) +@@ -66,6 +70,7 @@ + * - extended small page/tiny page + */ + #define PTE_EXT_XN (_AT(pteval_t, 1) << 0) /* v6 */ ++#define PTE_EXT_PXN (_AT(pteval_t, 1) << 2) /* v7 */ + #define PTE_EXT_AP_MASK (_AT(pteval_t, 3) << 4) + #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4) + #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4) +diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h +index dfff709..ed4c4e7 100644 +--- a/arch/arm/include/asm/pgtable-2level.h ++++ b/arch/arm/include/asm/pgtable-2level.h +@@ -126,6 +126,9 @@ + #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */ + #define L_PTE_NONE (_AT(pteval_t, 1) << 11) + ++/* Two-level page tables only have PXN in the PGD, not in the PTE. */ ++#define L_PTE_PXN (_AT(pteval_t, 0)) ++ + /* + * These are the memory types, defined to be compatible with + * pre-ARMv6 CPUs cacheable and bufferable bits: XXCB +diff --git a/arch/arm/include/asm/pgtable-3level-hwdef.h b/arch/arm/include/asm/pgtable-3level-hwdef.h +index 626989f..9d67a33 100644 +--- a/arch/arm/include/asm/pgtable-3level-hwdef.h ++++ b/arch/arm/include/asm/pgtable-3level-hwdef.h +@@ -75,6 +75,7 @@ + #define PTE_EXT_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */ + #define PTE_EXT_AF (_AT(pteval_t, 1) << 10) /* Access Flag */ + #define PTE_EXT_NG (_AT(pteval_t, 1) << 11) /* nG */ ++#define PTE_EXT_PXN (_AT(pteval_t, 1) << 53) /* PXN */ + #define PTE_EXT_XN (_AT(pteval_t, 1) << 54) /* XN */ + + /* +diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h +index 85c60ad..b0bbd7e 100644 +--- a/arch/arm/include/asm/pgtable-3level.h ++++ b/arch/arm/include/asm/pgtable-3level.h +@@ -82,6 +82,7 @@ + #define L_PTE_RDONLY (_AT(pteval_t, 1) << 7) /* AP[2] */ + #define L_PTE_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */ + #define L_PTE_YOUNG (_AT(pteval_t, 1) << 10) /* AF */ ++#define L_PTE_PXN (_AT(pteval_t, 1) << 53) /* PXN */ + #define L_PTE_XN (_AT(pteval_t, 1) << 54) /* XN */ + #define L_PTE_DIRTY (_AT(pteval_t, 1) << 55) /* unused */ + #define L_PTE_SPECIAL (_AT(pteval_t, 1) << 56) /* unused */ +@@ -95,6 +96,7 @@ + /* + * To be used in assembly code with the upper page attributes. + */ ++#define L_PTE_PXN_HIGH (1 << (53 - 32)) + #define L_PTE_XN_HIGH (1 << (54 - 32)) + #define L_PTE_DIRTY_HIGH (1 << (55 - 32)) + +diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h +index 7d59b52..27a12f8 100644 +--- a/arch/arm/include/asm/pgtable.h ++++ b/arch/arm/include/asm/pgtable.h +@@ -33,6 +33,9 @@ + #include + #endif + ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + /* + * Just any arbitrary offset to the start of the vmalloc VM area: the + * current 8MB value just means that there will be a 8MB "hole" after the +@@ -48,6 +51,9 @@ + #define LIBRARY_TEXT_START 0x0c000000 + + #ifndef __ASSEMBLY__ ++extern pteval_t __supported_pte_mask; ++extern pmdval_t __supported_pmd_mask; ++ + extern void __pte_error(const char *file, int line, pte_t); + extern void __pmd_error(const char *file, int line, pmd_t); + extern void __pgd_error(const char *file, int line, pgd_t); +@@ -56,6 +62,48 @@ extern void __pgd_error(const char *file, int line, pgd_t); + #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd) + #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd) + ++#define __HAVE_ARCH_PAX_OPEN_KERNEL ++#define __HAVE_ARCH_PAX_CLOSE_KERNEL ++ ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++#include ++#include ++#include ++ ++static inline int test_domain(int domain, int domaintype) ++{ ++ return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype); ++} ++#endif ++ ++#ifdef CONFIG_PAX_KERNEXEC ++static inline unsigned long pax_open_kernel(void) { ++#ifdef CONFIG_ARM_LPAE ++ /* TODO */ ++#else ++ preempt_disable(); ++ BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC)); ++ modify_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC); ++#endif ++ return 0; ++} ++ ++static inline unsigned long pax_close_kernel(void) { ++#ifdef CONFIG_ARM_LPAE ++ /* TODO */ ++#else ++ BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_MANAGER)); ++ /* DOMAIN_MANAGER = "client" under KERNEXEC */ ++ modify_domain(DOMAIN_KERNEL, DOMAIN_MANAGER); ++ preempt_enable_no_resched(); ++#endif ++ return 0; ++} ++#else ++static inline unsigned long pax_open_kernel(void) { return 0; } ++static inline unsigned long pax_close_kernel(void) { return 0; } ++#endif ++ + /* + * This is the lowest virtual address we can permit any user space + * mapping to be mapped at. This is particularly important for +@@ -75,8 +123,8 @@ extern void __pgd_error(const char *file, int line, pgd_t); + /* + * The pgprot_* and protection_map entries will be fixed up in runtime + * to include the cachable and bufferable bits based on memory policy, +- * as well as any architecture dependent bits like global/ASID and SMP +- * shared mapping bits. ++ * as well as any architecture dependent bits like global/ASID, PXN, ++ * and SMP shared mapping bits. + */ + #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG + +@@ -262,7 +310,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; } + static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) + { + const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | +- L_PTE_NONE | L_PTE_VALID; ++ L_PTE_NONE | L_PTE_VALID | __supported_pte_mask; + pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask); + return pte; + } +diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h +index c4ae171..ea0c0c2 100644 +--- a/arch/arm/include/asm/psci.h ++++ b/arch/arm/include/asm/psci.h +@@ -29,7 +29,7 @@ struct psci_operations { + int (*cpu_off)(struct psci_power_state state); + int (*cpu_on)(unsigned long cpuid, unsigned long entry_point); + int (*migrate)(unsigned long cpuid); +-}; ++} __no_const; + + extern struct psci_operations psci_ops; + extern struct smp_operations psci_smp_ops; +diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h +index 22a3b9b..7f214ee 100644 +--- a/arch/arm/include/asm/smp.h ++++ b/arch/arm/include/asm/smp.h +@@ -112,7 +112,7 @@ struct smp_operations { + int (*cpu_disable)(unsigned int cpu); + #endif + #endif +-}; ++} __no_const; + + /* + * set platform specific SMP operations +diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h +index 71a06b2..8bb9ae1 100644 +--- a/arch/arm/include/asm/thread_info.h ++++ b/arch/arm/include/asm/thread_info.h +@@ -88,9 +88,9 @@ struct thread_info { + .flags = 0, \ + .preempt_count = INIT_PREEMPT_COUNT, \ + .addr_limit = KERNEL_DS, \ +- .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \ +- domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \ +- domain_val(DOMAIN_IO, DOMAIN_CLIENT), \ ++ .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \ ++ domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT) | \ ++ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT), \ + .restart_block = { \ + .fn = do_no_restart_syscall, \ + }, \ +@@ -157,7 +157,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, + #define TIF_SYSCALL_AUDIT 9 + #define TIF_SYSCALL_TRACEPOINT 10 + #define TIF_SECCOMP 11 /* seccomp syscall filtering active */ +-#define TIF_NOHZ 12 /* in adaptive nohz mode */ ++/* within 8 bits of TIF_SYSCALL_TRACE ++ * to meet flexible second operand requirements ++ */ ++#define TIF_GRSEC_SETXID 12 ++#define TIF_NOHZ 13 /* in adaptive nohz mode */ + #define TIF_USING_IWMMXT 17 + #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ + #define TIF_RESTORE_SIGMASK 20 +@@ -170,10 +174,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, + #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) + #define _TIF_SECCOMP (1 << TIF_SECCOMP) + #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT) ++#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID) + + /* Checks for any syscall work in entry-common.S */ + #define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \ +- _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP) ++ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | _TIF_GRSEC_SETXID) + + /* + * Change these and you break ASM code in entry-common.S +diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h +index 72abdc5..35acac1 100644 +--- a/arch/arm/include/asm/uaccess.h ++++ b/arch/arm/include/asm/uaccess.h +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #if __LINUX_ARM_ARCH__ < 6 + #include +@@ -70,11 +71,38 @@ extern int __put_user_bad(void); + static inline void set_fs(mm_segment_t fs) + { + current_thread_info()->addr_limit = fs; +- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER); ++ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER); + } + + #define segment_eq(a,b) ((a) == (b)) + ++#define __HAVE_ARCH_PAX_OPEN_USERLAND ++#define __HAVE_ARCH_PAX_CLOSE_USERLAND ++ ++static inline void pax_open_userland(void) ++{ ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (segment_eq(get_fs(), USER_DS)) { ++ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF)); ++ modify_domain(DOMAIN_USER, DOMAIN_UDEREF); ++ } ++#endif ++ ++} ++ ++static inline void pax_close_userland(void) ++{ ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (segment_eq(get_fs(), USER_DS)) { ++ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS)); ++ modify_domain(DOMAIN_USER, DOMAIN_NOACCESS); ++ } ++#endif ++ ++} ++ + #define __addr_ok(addr) ({ \ + unsigned long flag; \ + __asm__("cmp %2, %0; movlo %0, #0" \ +@@ -150,8 +178,12 @@ extern int __get_user_4(void *); + + #define get_user(x,p) \ + ({ \ ++ int __e; \ + might_fault(); \ +- __get_user_check(x,p); \ ++ pax_open_userland(); \ ++ __e = __get_user_check(x,p); \ ++ pax_close_userland(); \ ++ __e; \ + }) + + extern int __put_user_1(void *, unsigned int); +@@ -195,8 +227,12 @@ extern int __put_user_8(void *, unsigned long long); + + #define put_user(x,p) \ + ({ \ ++ int __e; \ + might_fault(); \ +- __put_user_check(x,p); \ ++ pax_open_userland(); \ ++ __e = __put_user_check(x,p); \ ++ pax_close_userland(); \ ++ __e; \ + }) + + #else /* CONFIG_MMU */ +@@ -220,6 +256,7 @@ static inline void set_fs(mm_segment_t fs) + + #endif /* CONFIG_MMU */ + ++#define access_ok_noprefault(type,addr,size) access_ok((type),(addr),(size)) + #define access_ok(type,addr,size) (__range_ok(addr,size) == 0) + + #define user_addr_max() \ +@@ -237,13 +274,17 @@ static inline void set_fs(mm_segment_t fs) + #define __get_user(x,ptr) \ + ({ \ + long __gu_err = 0; \ ++ pax_open_userland(); \ + __get_user_err((x),(ptr),__gu_err); \ ++ pax_close_userland(); \ + __gu_err; \ + }) + + #define __get_user_error(x,ptr,err) \ + ({ \ ++ pax_open_userland(); \ + __get_user_err((x),(ptr),err); \ ++ pax_close_userland(); \ + (void) 0; \ + }) + +@@ -319,13 +360,17 @@ do { \ + #define __put_user(x,ptr) \ + ({ \ + long __pu_err = 0; \ ++ pax_open_userland(); \ + __put_user_err((x),(ptr),__pu_err); \ ++ pax_close_userland(); \ + __pu_err; \ + }) + + #define __put_user_error(x,ptr,err) \ + ({ \ ++ pax_open_userland(); \ + __put_user_err((x),(ptr),err); \ ++ pax_close_userland(); \ + (void) 0; \ + }) + +@@ -425,11 +470,44 @@ do { \ + + + #ifdef CONFIG_MMU +-extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n); +-extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n); ++extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n); ++extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n); ++ ++static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n) ++{ ++ unsigned long ret; ++ ++ check_object_size(to, n, false); ++ pax_open_userland(); ++ ret = ___copy_from_user(to, from, n); ++ pax_close_userland(); ++ return ret; ++} ++ ++static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n) ++{ ++ unsigned long ret; ++ ++ check_object_size(from, n, true); ++ pax_open_userland(); ++ ret = ___copy_to_user(to, from, n); ++ pax_close_userland(); ++ return ret; ++} ++ + extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n); +-extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n); ++extern unsigned long __must_check ___clear_user(void __user *addr, unsigned long n); + extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n); ++ ++static inline unsigned long __must_check __clear_user(void __user *addr, unsigned long n) ++{ ++ unsigned long ret; ++ pax_open_userland(); ++ ret = ___clear_user(addr, n); ++ pax_close_userland(); ++ return ret; ++} ++ + #else + #define __copy_from_user(to,from,n) (memcpy(to, (void __force *)from, n), 0) + #define __copy_to_user(to,from,n) (memcpy((void __force *)to, from, n), 0) +@@ -438,6 +516,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l + + static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ + if (access_ok(VERIFY_READ, from, n)) + n = __copy_from_user(to, from, n); + else /* security hole - plug it */ +@@ -447,6 +528,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u + + static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ + if (access_ok(VERIFY_WRITE, to, n)) + n = __copy_to_user(to, from, n); + return n; +diff --git a/arch/arm/include/uapi/asm/ptrace.h b/arch/arm/include/uapi/asm/ptrace.h +index 5af0ed1..cea83883 100644 +--- a/arch/arm/include/uapi/asm/ptrace.h ++++ b/arch/arm/include/uapi/asm/ptrace.h +@@ -92,7 +92,7 @@ + * ARMv7 groups of PSR bits + */ + #define APSR_MASK 0xf80f0000 /* N, Z, C, V, Q and GE flags */ +-#define PSR_ISET_MASK 0x01000010 /* ISA state (J, T) mask */ ++#define PSR_ISET_MASK 0x01000020 /* ISA state (J, T) mask */ + #define PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */ + #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */ + +diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c +index 85e664b..419a1cd 100644 +--- a/arch/arm/kernel/armksyms.c ++++ b/arch/arm/kernel/armksyms.c +@@ -55,7 +55,7 @@ EXPORT_SYMBOL(arm_delay_ops); + + /* networking */ + EXPORT_SYMBOL(csum_partial); +-EXPORT_SYMBOL(csum_partial_copy_from_user); ++EXPORT_SYMBOL(__csum_partial_copy_from_user); + EXPORT_SYMBOL(csum_partial_copy_nocheck); + EXPORT_SYMBOL(__csum_ipv6_magic); + +@@ -91,9 +91,9 @@ EXPORT_SYMBOL(__memzero); + #ifdef CONFIG_MMU + EXPORT_SYMBOL(copy_page); + +-EXPORT_SYMBOL(__copy_from_user); +-EXPORT_SYMBOL(__copy_to_user); +-EXPORT_SYMBOL(__clear_user); ++EXPORT_SYMBOL(___copy_from_user); ++EXPORT_SYMBOL(___copy_to_user); ++EXPORT_SYMBOL(___clear_user); + + EXPORT_SYMBOL(__get_user_1); + EXPORT_SYMBOL(__get_user_2); +diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S +index 1879e8d..b2207fc 100644 +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -47,6 +47,87 @@ + 9997: + .endm + ++ .macro pax_enter_kernel ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ @ make aligned space for saved DACR ++ sub sp, sp, #8 ++ @ save regs ++ stmdb sp!, {r1, r2} ++ @ read DACR from cpu_domain into r1 ++ mov r2, sp ++ @ assume 8K pages, since we have to split the immediate in two ++ bic r2, r2, #(0x1fc0) ++ bic r2, r2, #(0x3f) ++ ldr r1, [r2, #TI_CPU_DOMAIN] ++ @ store old DACR on stack ++ str r1, [sp, #8] ++#ifdef CONFIG_PAX_KERNEXEC ++ @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT ++ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3)) ++ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT)) ++#endif ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ @ set current DOMAIN_USER to DOMAIN_NOACCESS ++ bic r1, r1, #(domain_val(DOMAIN_USER, 3)) ++#endif ++ @ write r1 to current_thread_info()->cpu_domain ++ str r1, [r2, #TI_CPU_DOMAIN] ++ @ write r1 to DACR ++ mcr p15, 0, r1, c3, c0, 0 ++ @ instruction sync ++ instr_sync ++ @ restore regs ++ ldmia sp!, {r1, r2} ++#endif ++ .endm ++ ++ .macro pax_open_userland ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ @ save regs ++ stmdb sp!, {r0, r1} ++ @ read DACR from cpu_domain into r1 ++ mov r0, sp ++ @ assume 8K pages, since we have to split the immediate in two ++ bic r0, r0, #(0x1fc0) ++ bic r0, r0, #(0x3f) ++ ldr r1, [r0, #TI_CPU_DOMAIN] ++ @ set current DOMAIN_USER to DOMAIN_CLIENT ++ bic r1, r1, #(domain_val(DOMAIN_USER, 3)) ++ orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF)) ++ @ write r1 to current_thread_info()->cpu_domain ++ str r1, [r0, #TI_CPU_DOMAIN] ++ @ write r1 to DACR ++ mcr p15, 0, r1, c3, c0, 0 ++ @ instruction sync ++ instr_sync ++ @ restore regs ++ ldmia sp!, {r0, r1} ++#endif ++ .endm ++ ++ .macro pax_close_userland ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ @ save regs ++ stmdb sp!, {r0, r1} ++ @ read DACR from cpu_domain into r1 ++ mov r0, sp ++ @ assume 8K pages, since we have to split the immediate in two ++ bic r0, r0, #(0x1fc0) ++ bic r0, r0, #(0x3f) ++ ldr r1, [r0, #TI_CPU_DOMAIN] ++ @ set current DOMAIN_USER to DOMAIN_NOACCESS ++ bic r1, r1, #(domain_val(DOMAIN_USER, 3)) ++ @ write r1 to current_thread_info()->cpu_domain ++ str r1, [r0, #TI_CPU_DOMAIN] ++ @ write r1 to DACR ++ mcr p15, 0, r1, c3, c0, 0 ++ @ instruction sync ++ instr_sync ++ @ restore regs ++ ldmia sp!, {r0, r1} ++#endif ++ .endm ++ + .macro pabt_helper + @ PABORT handler takes pt_regs in r2, fault address in r4 and psr in r5 + #ifdef MULTI_PABORT +@@ -89,11 +170,15 @@ + * Invalid mode handlers + */ + .macro inv_entry, reason ++ ++ pax_enter_kernel ++ + sub sp, sp, #S_FRAME_SIZE + ARM( stmib sp, {r1 - lr} ) + THUMB( stmia sp, {r0 - r12} ) + THUMB( str sp, [sp, #S_SP] ) + THUMB( str lr, [sp, #S_LR] ) ++ + mov r1, #\reason + .endm + +@@ -149,7 +234,11 @@ ENDPROC(__und_invalid) + .macro svc_entry, stack_hole=0 + UNWIND(.fnstart ) + UNWIND(.save {r0 - pc} ) ++ ++ pax_enter_kernel ++ + sub sp, sp, #(S_FRAME_SIZE + \stack_hole - 4) ++ + #ifdef CONFIG_THUMB2_KERNEL + SPFIX( str r0, [sp] ) @ temporarily saved + SPFIX( mov r0, sp ) +@@ -164,7 +253,12 @@ ENDPROC(__und_invalid) + ldmia r0, {r3 - r5} + add r7, sp, #S_SP - 4 @ here for interlock avoidance + mov r6, #-1 @ "" "" "" "" ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ @ offset sp by 8 as done in pax_enter_kernel ++ add r2, sp, #(S_FRAME_SIZE + \stack_hole + 4) ++#else + add r2, sp, #(S_FRAME_SIZE + \stack_hole - 4) ++#endif + SPFIX( addeq r2, r2, #4 ) + str r3, [sp, #-4]! @ save the "real" r0 copied + @ from the exception stack +@@ -317,6 +411,9 @@ ENDPROC(__pabt_svc) + .macro usr_entry + UNWIND(.fnstart ) + UNWIND(.cantunwind ) @ don't unwind the user space ++ ++ pax_enter_kernel_user ++ + sub sp, sp, #S_FRAME_SIZE + ARM( stmib sp, {r1 - r12} ) + THUMB( stmia sp, {r0 - r12} ) +@@ -416,7 +513,9 @@ __und_usr: + tst r3, #PSR_T_BIT @ Thumb mode? + bne __und_usr_thumb + sub r4, r2, #4 @ ARM instr at LR - 4 ++ pax_open_userland + 1: ldrt r0, [r4] ++ pax_close_userland + ARM_BE8(rev r0, r0) @ little endian instruction + + @ r0 = 32-bit ARM instruction which caused the exception +@@ -450,11 +549,15 @@ __und_usr_thumb: + */ + .arch armv6t2 + #endif ++ pax_open_userland + 2: ldrht r5, [r4] ++ pax_close_userland + ARM_BE8(rev16 r5, r5) @ little endian instruction + cmp r5, #0xe800 @ 32bit instruction if xx != 0 + blo __und_usr_fault_16 @ 16bit undefined instruction ++ pax_open_userland + 3: ldrht r0, [r2] ++ pax_close_userland + ARM_BE8(rev16 r0, r0) @ little endian instruction + add r2, r2, #2 @ r2 is PC + 2, make it PC + 4 + str r2, [sp, #S_PC] @ it's a 2x16bit instr, update +@@ -484,7 +587,8 @@ ENDPROC(__und_usr) + */ + .pushsection .fixup, "ax" + .align 2 +-4: mov pc, r9 ++4: pax_close_userland ++ mov pc, r9 + .popsection + .pushsection __ex_table,"a" + .long 1b, 4b +@@ -694,7 +798,7 @@ ENTRY(__switch_to) + THUMB( str lr, [ip], #4 ) + ldr r4, [r2, #TI_TP_VALUE] + ldr r5, [r2, #TI_TP_VALUE + 4] +-#ifdef CONFIG_CPU_USE_DOMAINS ++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + ldr r6, [r2, #TI_CPU_DOMAIN] + #endif + switch_tls r1, r4, r5, r3, r7 +@@ -703,7 +807,7 @@ ENTRY(__switch_to) + ldr r8, =__stack_chk_guard + ldr r7, [r7, #TSK_STACK_CANARY] + #endif +-#ifdef CONFIG_CPU_USE_DOMAINS ++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) + mcr p15, 0, r6, c3, c0, 0 @ Set domain register + #endif + mov r5, r0 +diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S +index a2dcafd..1048b5a 100644 +--- a/arch/arm/kernel/entry-common.S ++++ b/arch/arm/kernel/entry-common.S +@@ -10,18 +10,46 @@ + + #include + #include ++#include + #include + ++#include "entry-header.S" ++ + #ifdef CONFIG_NEED_RET_TO_USER + #include + #else + .macro arch_ret_to_user, tmp1, tmp2 ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ @ save regs ++ stmdb sp!, {r1, r2} ++ @ read DACR from cpu_domain into r1 ++ mov r2, sp ++ @ assume 8K pages, since we have to split the immediate in two ++ bic r2, r2, #(0x1fc0) ++ bic r2, r2, #(0x3f) ++ ldr r1, [r2, #TI_CPU_DOMAIN] ++#ifdef CONFIG_PAX_KERNEXEC ++ @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT ++ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3)) ++ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT)) ++#endif ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ @ set current DOMAIN_USER to DOMAIN_UDEREF ++ bic r1, r1, #(domain_val(DOMAIN_USER, 3)) ++ orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF)) ++#endif ++ @ write r1 to current_thread_info()->cpu_domain ++ str r1, [r2, #TI_CPU_DOMAIN] ++ @ write r1 to DACR ++ mcr p15, 0, r1, c3, c0, 0 ++ @ instruction sync ++ instr_sync ++ @ restore regs ++ ldmia sp!, {r1, r2} ++#endif + .endm + #endif + +-#include "entry-header.S" +- +- + .align 5 + /* + * This is the fast syscall return path. We do as little as +@@ -411,6 +439,12 @@ ENTRY(vector_swi) + USER( ldr scno, [lr, #-4] ) @ get SWI instruction + #endif + ++ /* ++ * do this here to avoid a performance hit of wrapping the code above ++ * that directly dereferences userland to parse the SWI instruction ++ */ ++ pax_enter_kernel_user ++ + adr tbl, sys_call_table @ load syscall table pointer + + #if defined(CONFIG_OABI_COMPAT) +diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S +index 39f89fb..d612bd9 100644 +--- a/arch/arm/kernel/entry-header.S ++++ b/arch/arm/kernel/entry-header.S +@@ -184,6 +184,60 @@ + msr cpsr_c, \rtemp @ switch back to the SVC mode + .endm + ++ .macro pax_enter_kernel_user ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ @ save regs ++ stmdb sp!, {r0, r1} ++ @ read DACR from cpu_domain into r1 ++ mov r0, sp ++ @ assume 8K pages, since we have to split the immediate in two ++ bic r0, r0, #(0x1fc0) ++ bic r0, r0, #(0x3f) ++ ldr r1, [r0, #TI_CPU_DOMAIN] ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ @ set current DOMAIN_USER to DOMAIN_NOACCESS ++ bic r1, r1, #(domain_val(DOMAIN_USER, 3)) ++#endif ++#ifdef CONFIG_PAX_KERNEXEC ++ @ set current DOMAIN_KERNEL to DOMAIN_KERNELCLIENT ++ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3)) ++ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT)) ++#endif ++ @ write r1 to current_thread_info()->cpu_domain ++ str r1, [r0, #TI_CPU_DOMAIN] ++ @ write r1 to DACR ++ mcr p15, 0, r1, c3, c0, 0 ++ @ instruction sync ++ instr_sync ++ @ restore regs ++ ldmia sp!, {r0, r1} ++#endif ++ .endm ++ ++ .macro pax_exit_kernel ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ @ save regs ++ stmdb sp!, {r0, r1} ++ @ read old DACR from stack into r1 ++ ldr r1, [sp, #(8 + S_SP)] ++ sub r1, r1, #8 ++ ldr r1, [r1] ++ ++ @ write r1 to current_thread_info()->cpu_domain ++ mov r0, sp ++ @ assume 8K pages, since we have to split the immediate in two ++ bic r0, r0, #(0x1fc0) ++ bic r0, r0, #(0x3f) ++ str r1, [r0, #TI_CPU_DOMAIN] ++ @ write r1 to DACR ++ mcr p15, 0, r1, c3, c0, 0 ++ @ instruction sync ++ instr_sync ++ @ restore regs ++ ldmia sp!, {r0, r1} ++#endif ++ .endm ++ + #ifndef CONFIG_THUMB2_KERNEL + .macro svc_exit, rpsr, irq = 0 + .if \irq != 0 +@@ -203,6 +257,9 @@ + blne trace_hardirqs_off + #endif + .endif ++ ++ pax_exit_kernel ++ + msr spsr_cxsf, \rpsr + #if defined(CONFIG_CPU_V6) + ldr r0, [sp] +@@ -266,6 +323,9 @@ + blne trace_hardirqs_off + #endif + .endif ++ ++ pax_exit_kernel ++ + ldr lr, [sp, #S_SP] @ top of the stack + ldrd r0, r1, [sp, #S_LR] @ calling lr and pc + clrex @ clear the exclusive monitor +diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c +index 918875d..cd5fa27 100644 +--- a/arch/arm/kernel/fiq.c ++++ b/arch/arm/kernel/fiq.c +@@ -87,7 +87,10 @@ void set_fiq_handler(void *start, unsigned int length) + void *base = vectors_page; + unsigned offset = FIQ_OFFSET; + ++ pax_open_kernel(); + memcpy(base + offset, start, length); ++ pax_close_kernel(); ++ + if (!cache_is_vipt_nonaliasing()) + flush_icache_range((unsigned long)base + offset, offset + + length); +diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S +index f5f381d..a6f36a1 100644 +--- a/arch/arm/kernel/head.S ++++ b/arch/arm/kernel/head.S +@@ -437,7 +437,7 @@ __enable_mmu: + mov r5, #(domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \ + domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \ + domain_val(DOMAIN_TABLE, DOMAIN_MANAGER) | \ +- domain_val(DOMAIN_IO, DOMAIN_CLIENT)) ++ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT)) + mcr p15, 0, r5, c3, c0, 0 @ load domain access register + mcr p15, 0, r4, c2, c0, 0 @ load page table pointer + #endif +diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c +index 45e4781..8eac93d 100644 +--- a/arch/arm/kernel/module.c ++++ b/arch/arm/kernel/module.c +@@ -38,12 +38,39 @@ + #endif + + #ifdef CONFIG_MMU +-void *module_alloc(unsigned long size) ++static inline void *__module_alloc(unsigned long size, pgprot_t prot) + { ++ if (!size || PAGE_ALIGN(size) > MODULES_END - MODULES_VADDR) ++ return NULL; + return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END, +- GFP_KERNEL, PAGE_KERNEL_EXEC, NUMA_NO_NODE, ++ GFP_KERNEL, prot, NUMA_NO_NODE, + __builtin_return_address(0)); + } ++ ++void *module_alloc(unsigned long size) ++{ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ return __module_alloc(size, PAGE_KERNEL); ++#else ++ return __module_alloc(size, PAGE_KERNEL_EXEC); ++#endif ++ ++} ++ ++#ifdef CONFIG_PAX_KERNEXEC ++void module_free_exec(struct module *mod, void *module_region) ++{ ++ module_free(mod, module_region); ++} ++EXPORT_SYMBOL(module_free_exec); ++ ++void *module_alloc_exec(unsigned long size) ++{ ++ return __module_alloc(size, PAGE_KERNEL_EXEC); ++} ++EXPORT_SYMBOL(module_alloc_exec); ++#endif + #endif + + int +diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c +index 07314af..c46655c 100644 +--- a/arch/arm/kernel/patch.c ++++ b/arch/arm/kernel/patch.c +@@ -18,6 +18,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn) + bool thumb2 = IS_ENABLED(CONFIG_THUMB2_KERNEL); + int size; + ++ pax_open_kernel(); + if (thumb2 && __opcode_is_thumb16(insn)) { + *(u16 *)addr = __opcode_to_mem_thumb16(insn); + size = sizeof(u16); +@@ -39,6 +40,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn) + *(u32 *)addr = insn; + size = sizeof(u32); + } ++ pax_close_kernel(); + + flush_icache_range((uintptr_t)(addr), + (uintptr_t)(addr) + size); +diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c +index 92f7b15..7048500 100644 +--- a/arch/arm/kernel/process.c ++++ b/arch/arm/kernel/process.c +@@ -217,6 +217,7 @@ void machine_power_off(void) + + if (pm_power_off) + pm_power_off(); ++ BUG(); + } + + /* +@@ -230,7 +231,7 @@ void machine_power_off(void) + * executing pre-reset code, and using RAM that the primary CPU's code wishes + * to use. Implementing such co-ordination would be essentially impossible. + */ +-void machine_restart(char *cmd) ++__noreturn void machine_restart(char *cmd) + { + local_irq_disable(); + smp_send_stop(); +@@ -253,8 +254,8 @@ void __show_regs(struct pt_regs *regs) + + show_regs_print_info(KERN_DEFAULT); + +- print_symbol("PC is at %s\n", instruction_pointer(regs)); +- print_symbol("LR is at %s\n", regs->ARM_lr); ++ printk("PC is at %pA\n", (void *)instruction_pointer(regs)); ++ printk("LR is at %pA\n", (void *)regs->ARM_lr); + printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" + "sp : %08lx ip : %08lx fp : %08lx\n", + regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, +@@ -425,12 +426,6 @@ unsigned long get_wchan(struct task_struct *p) + return 0; + } + +-unsigned long arch_randomize_brk(struct mm_struct *mm) +-{ +- unsigned long range_end = mm->brk + 0x02000000; +- return randomize_range(mm->brk, range_end, 0) ? : mm->brk; +-} +- + #ifdef CONFIG_MMU + #ifdef CONFIG_KUSER_HELPERS + /* +@@ -446,7 +441,7 @@ static struct vm_area_struct gate_vma = { + + static int __init gate_vma_init(void) + { +- gate_vma.vm_page_prot = PAGE_READONLY_EXEC; ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags); + return 0; + } + arch_initcall(gate_vma_init); +@@ -472,41 +467,16 @@ int in_gate_area_no_mm(unsigned long addr) + + const char *arch_vma_name(struct vm_area_struct *vma) + { +- return is_gate_vma(vma) ? "[vectors]" : +- (vma->vm_mm && vma->vm_start == vma->vm_mm->context.sigpage) ? +- "[sigpage]" : NULL; ++ return is_gate_vma(vma) ? "[vectors]" : NULL; + } + +-static struct page *signal_page; +-extern struct page *get_signal_page(void); +- + int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) + { + struct mm_struct *mm = current->mm; +- unsigned long addr; +- int ret; +- +- if (!signal_page) +- signal_page = get_signal_page(); +- if (!signal_page) +- return -ENOMEM; + + down_write(&mm->mmap_sem); +- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0); +- if (IS_ERR_VALUE(addr)) { +- ret = addr; +- goto up_fail; +- } +- +- ret = install_special_mapping(mm, addr, PAGE_SIZE, +- VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC, +- &signal_page); +- +- if (ret == 0) +- mm->context.sigpage = addr; +- +- up_fail: ++ mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC; + up_write(&mm->mmap_sem); +- return ret; ++ return 0; + } + #endif +diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c +index 4693188..4596c5e 100644 +--- a/arch/arm/kernel/psci.c ++++ b/arch/arm/kernel/psci.c +@@ -24,7 +24,7 @@ + #include + #include + +-struct psci_operations psci_ops; ++struct psci_operations psci_ops __read_only; + + static int (*invoke_psci_fn)(u32, u32, u32, u32); + +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c +index 0dd3b79..e018f64 100644 +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -929,10 +929,19 @@ static int tracehook_report_syscall(struct pt_regs *regs, + return current_thread_info()->syscall; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) + { + current_thread_info()->syscall = scno; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + /* Do the secure computing check first; failures should be fast. */ + if (secure_computing(scno) == -1) + return -1; +diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c +index 1e8b030..37c3022 100644 +--- a/arch/arm/kernel/setup.c ++++ b/arch/arm/kernel/setup.c +@@ -100,21 +100,23 @@ EXPORT_SYMBOL(system_serial_high); + unsigned int elf_hwcap __read_mostly; + EXPORT_SYMBOL(elf_hwcap); + ++pteval_t __supported_pte_mask __read_only; ++pmdval_t __supported_pmd_mask __read_only; + + #ifdef MULTI_CPU +-struct processor processor __read_mostly; ++struct processor processor __read_only; + #endif + #ifdef MULTI_TLB +-struct cpu_tlb_fns cpu_tlb __read_mostly; ++struct cpu_tlb_fns cpu_tlb __read_only; + #endif + #ifdef MULTI_USER +-struct cpu_user_fns cpu_user __read_mostly; ++struct cpu_user_fns cpu_user __read_only; + #endif + #ifdef MULTI_CACHE +-struct cpu_cache_fns cpu_cache __read_mostly; ++struct cpu_cache_fns cpu_cache __read_only; + #endif + #ifdef CONFIG_OUTER_CACHE +-struct outer_cache_fns outer_cache __read_mostly; ++struct outer_cache_fns outer_cache __read_only; + EXPORT_SYMBOL(outer_cache); + #endif + +@@ -247,9 +249,13 @@ static int __get_cpu_architecture(void) + asm("mrc p15, 0, %0, c0, c1, 4" + : "=r" (mmfr0)); + if ((mmfr0 & 0x0000000f) >= 0x00000003 || +- (mmfr0 & 0x000000f0) >= 0x00000030) ++ (mmfr0 & 0x000000f0) >= 0x00000030) { + cpu_arch = CPU_ARCH_ARMv7; +- else if ((mmfr0 & 0x0000000f) == 0x00000002 || ++ if ((mmfr0 & 0x0000000f) == 0x00000005 || (mmfr0 & 0x0000000f) == 0x00000004) { ++ __supported_pte_mask |= L_PTE_PXN; ++ __supported_pmd_mask |= PMD_PXNTABLE; ++ } ++ } else if ((mmfr0 & 0x0000000f) == 0x00000002 || + (mmfr0 & 0x000000f0) == 0x00000020) + cpu_arch = CPU_ARCH_ARMv6; + else +diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c +index 04d6388..5115238 100644 +--- a/arch/arm/kernel/signal.c ++++ b/arch/arm/kernel/signal.c +@@ -23,8 +23,6 @@ + + extern const unsigned long sigreturn_codes[7]; + +-static unsigned long signal_return_offset; +- + #ifdef CONFIG_CRUNCH + static int preserve_crunch_context(struct crunch_sigframe __user *frame) + { +@@ -395,8 +393,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig, + * except when the MPU has protected the vectors + * page from PL0 + */ +- retcode = mm->context.sigpage + signal_return_offset + +- (idx << 2) + thumb; ++ retcode = mm->context.sigpage + (idx << 2) + thumb; + } else + #endif + { +@@ -600,33 +597,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall) + } while (thread_flags & _TIF_WORK_MASK); + return 0; + } +- +-struct page *get_signal_page(void) +-{ +- unsigned long ptr; +- unsigned offset; +- struct page *page; +- void *addr; +- +- page = alloc_pages(GFP_KERNEL, 0); +- +- if (!page) +- return NULL; +- +- addr = page_address(page); +- +- /* Give the signal return code some randomness */ +- offset = 0x200 + (get_random_int() & 0x7fc); +- signal_return_offset = offset; +- +- /* +- * Copy signal return handlers into the vector page, and +- * set sigreturn to be a pointer to these. +- */ +- memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes)); +- +- ptr = (unsigned long)addr + offset; +- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes)); +- +- return page; +-} +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index b7b4c86..47c4f77 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -73,7 +73,7 @@ enum ipi_msg_type { + + static DECLARE_COMPLETION(cpu_running); + +-static struct smp_operations smp_ops; ++static struct smp_operations smp_ops __read_only; + + void __init smp_set_ops(struct smp_operations *ops) + { +diff --git a/arch/arm/kernel/tcm.c b/arch/arm/kernel/tcm.c +index 7a3be1d..b00c7de 100644 +--- a/arch/arm/kernel/tcm.c ++++ b/arch/arm/kernel/tcm.c +@@ -61,7 +61,7 @@ static struct map_desc itcm_iomap[] __initdata = { + .virtual = ITCM_OFFSET, + .pfn = __phys_to_pfn(ITCM_OFFSET), + .length = 0, +- .type = MT_MEMORY_RWX_ITCM, ++ .type = MT_MEMORY_RX_ITCM, + } + }; + +@@ -267,7 +267,9 @@ no_dtcm: + start = &__sitcm_text; + end = &__eitcm_text; + ram = &__itcm_start; ++ pax_open_kernel(); + memcpy(start, ram, itcm_code_sz); ++ pax_close_kernel(); + pr_debug("CPU ITCM: copied code from %p - %p\n", + start, end); + itcm_present = true; +diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c +index 172ee18..ce4ec3d 100644 +--- a/arch/arm/kernel/traps.c ++++ b/arch/arm/kernel/traps.c +@@ -62,7 +62,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); + void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame) + { + #ifdef CONFIG_KALLSYMS +- printk("[<%08lx>] (%ps) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from); ++ printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from); + #else + printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from); + #endif +@@ -264,6 +264,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED; + static int die_owner = -1; + static unsigned int die_nest_count; + ++extern void gr_handle_kernel_exploit(void); ++ + static unsigned long oops_begin(void) + { + int cpu; +@@ -306,6 +308,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr) + panic("Fatal exception in interrupt"); + if (panic_on_oops) + panic("Fatal exception"); ++ ++ gr_handle_kernel_exploit(); ++ + if (signr) + do_exit(signr); + } +@@ -642,7 +647,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs) + * The user helper at 0xffff0fe0 must be used instead. + * (see entry-armv.S for details) + */ ++ pax_open_kernel(); + *((unsigned int *)0xffff0ff0) = regs->ARM_r0; ++ pax_close_kernel(); + } + return 0; + +@@ -899,7 +906,11 @@ void __init early_trap_init(void *vectors_base) + kuser_init(vectors_base); + + flush_icache_range(vectors, vectors + PAGE_SIZE * 2); +- modify_domain(DOMAIN_USER, DOMAIN_CLIENT); ++ ++#ifndef CONFIG_PAX_MEMORY_UDEREF ++ modify_domain(DOMAIN_USER, DOMAIN_USERCLIENT); ++#endif ++ + #else /* ifndef CONFIG_CPU_V7M */ + /* + * on V7-M there is no need to copy the vector table to a dedicated +diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S +index 7bcee5c..e2f3249 100644 +--- a/arch/arm/kernel/vmlinux.lds.S ++++ b/arch/arm/kernel/vmlinux.lds.S +@@ -8,7 +8,11 @@ + #include + #include + #include +- ++ ++#ifdef CONFIG_PAX_KERNEXEC ++#include ++#endif ++ + #define PROC_INFO \ + . = ALIGN(4); \ + VMLINUX_SYMBOL(__proc_info_begin) = .; \ +@@ -34,7 +38,7 @@ + #endif + + #if (defined(CONFIG_SMP_ON_UP) && !defined(CONFIG_DEBUG_SPINLOCK)) || \ +- defined(CONFIG_GENERIC_BUG) ++ defined(CONFIG_GENERIC_BUG) || defined(CONFIG_PAX_REFCOUNT) + #define ARM_EXIT_KEEP(x) x + #define ARM_EXIT_DISCARD(x) + #else +@@ -90,6 +94,11 @@ SECTIONS + _text = .; + HEAD_TEXT + } ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ . = ALIGN(1<arch.vmid_gen != atomic64_read(&kvm_vmid_gen)); ++ return unlikely(kvm->arch.vmid_gen != atomic64_read_unchecked(&kvm_vmid_gen)); + } + + /** +@@ -441,7 +441,7 @@ static void update_vttbr(struct kvm *kvm) + + /* First user of a new VMID generation? */ + if (unlikely(kvm_next_vmid == 0)) { +- atomic64_inc(&kvm_vmid_gen); ++ atomic64_inc_unchecked(&kvm_vmid_gen); + kvm_next_vmid = 1; + + /* +@@ -458,7 +458,7 @@ static void update_vttbr(struct kvm *kvm) + kvm_call_hyp(__kvm_flush_vm_context); + } + +- kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen); ++ kvm->arch.vmid_gen = atomic64_read_unchecked(&kvm_vmid_gen); + kvm->arch.vmid = kvm_next_vmid; + kvm_next_vmid++; + +diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S +index 14a0d98..7771a7d 100644 +--- a/arch/arm/lib/clear_user.S ++++ b/arch/arm/lib/clear_user.S +@@ -12,14 +12,14 @@ + + .text + +-/* Prototype: int __clear_user(void *addr, size_t sz) ++/* Prototype: int ___clear_user(void *addr, size_t sz) + * Purpose : clear some user memory + * Params : addr - user memory address to clear + * : sz - number of bytes to clear + * Returns : number of bytes NOT cleared + */ + ENTRY(__clear_user_std) +-WEAK(__clear_user) ++WEAK(___clear_user) + stmfd sp!, {r1, lr} + mov r2, #0 + cmp r1, #4 +@@ -44,7 +44,7 @@ WEAK(__clear_user) + USER( strnebt r2, [r0]) + mov r0, #0 + ldmfd sp!, {r1, pc} +-ENDPROC(__clear_user) ++ENDPROC(___clear_user) + ENDPROC(__clear_user_std) + + .pushsection .fixup,"ax" +diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S +index 66a477a..bee61d3 100644 +--- a/arch/arm/lib/copy_from_user.S ++++ b/arch/arm/lib/copy_from_user.S +@@ -16,7 +16,7 @@ + /* + * Prototype: + * +- * size_t __copy_from_user(void *to, const void *from, size_t n) ++ * size_t ___copy_from_user(void *to, const void *from, size_t n) + * + * Purpose: + * +@@ -84,11 +84,11 @@ + + .text + +-ENTRY(__copy_from_user) ++ENTRY(___copy_from_user) + + #include "copy_template.S" + +-ENDPROC(__copy_from_user) ++ENDPROC(___copy_from_user) + + .pushsection .fixup,"ax" + .align 0 +diff --git a/arch/arm/lib/copy_page.S b/arch/arm/lib/copy_page.S +index 6ee2f67..d1cce76 100644 +--- a/arch/arm/lib/copy_page.S ++++ b/arch/arm/lib/copy_page.S +@@ -10,6 +10,7 @@ + * ASM optimised string functions + */ + #include ++#include + #include + #include + #include +diff --git a/arch/arm/lib/copy_to_user.S b/arch/arm/lib/copy_to_user.S +index d066df6..df28194 100644 +--- a/arch/arm/lib/copy_to_user.S ++++ b/arch/arm/lib/copy_to_user.S +@@ -16,7 +16,7 @@ + /* + * Prototype: + * +- * size_t __copy_to_user(void *to, const void *from, size_t n) ++ * size_t ___copy_to_user(void *to, const void *from, size_t n) + * + * Purpose: + * +@@ -88,11 +88,11 @@ + .text + + ENTRY(__copy_to_user_std) +-WEAK(__copy_to_user) ++WEAK(___copy_to_user) + + #include "copy_template.S" + +-ENDPROC(__copy_to_user) ++ENDPROC(___copy_to_user) + ENDPROC(__copy_to_user_std) + + .pushsection .fixup,"ax" +diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S +index 7d08b43..f7ca7ea 100644 +--- a/arch/arm/lib/csumpartialcopyuser.S ++++ b/arch/arm/lib/csumpartialcopyuser.S +@@ -57,8 +57,8 @@ + * Returns : r0 = checksum, [[sp, #0], #0] = 0 or -EFAULT + */ + +-#define FN_ENTRY ENTRY(csum_partial_copy_from_user) +-#define FN_EXIT ENDPROC(csum_partial_copy_from_user) ++#define FN_ENTRY ENTRY(__csum_partial_copy_from_user) ++#define FN_EXIT ENDPROC(__csum_partial_copy_from_user) + + #include "csumpartialcopygeneric.S" + +diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c +index 5306de3..aed6d03 100644 +--- a/arch/arm/lib/delay.c ++++ b/arch/arm/lib/delay.c +@@ -28,7 +28,7 @@ + /* + * Default to the loop-based delay implementation. + */ +-struct arm_delay_ops arm_delay_ops = { ++struct arm_delay_ops arm_delay_ops __read_only = { + .delay = __loop_delay, + .const_udelay = __loop_const_udelay, + .udelay = __loop_udelay, +diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c +index 3e58d71..029817c 100644 +--- a/arch/arm/lib/uaccess_with_memcpy.c ++++ b/arch/arm/lib/uaccess_with_memcpy.c +@@ -136,7 +136,7 @@ out: + } + + unsigned long +-__copy_to_user(void __user *to, const void *from, unsigned long n) ++___copy_to_user(void __user *to, const void *from, unsigned long n) + { + /* + * This test is stubbed out of the main function above to keep +@@ -190,7 +190,7 @@ out: + return n; + } + +-unsigned long __clear_user(void __user *addr, unsigned long n) ++unsigned long ___clear_user(void __user *addr, unsigned long n) + { + /* See rational for this in __copy_to_user() above. */ + if (n < 64) +diff --git a/arch/arm/mach-at91/setup.c b/arch/arm/mach-at91/setup.c +index f7ca97b..3d7e719 100644 +--- a/arch/arm/mach-at91/setup.c ++++ b/arch/arm/mach-at91/setup.c +@@ -81,7 +81,7 @@ void __init at91_init_sram(int bank, unsigned long base, unsigned int length) + + desc->pfn = __phys_to_pfn(base); + desc->length = length; +- desc->type = MT_MEMORY_RWX_NONCACHED; ++ desc->type = MT_MEMORY_RW_NONCACHED; + + pr_info("AT91: sram at 0x%lx of 0x%x mapped at 0x%lx\n", + base, length, desc->virtual); +diff --git a/arch/arm/mach-kirkwood/common.c b/arch/arm/mach-kirkwood/common.c +index f3407a5..bd4256f 100644 +--- a/arch/arm/mach-kirkwood/common.c ++++ b/arch/arm/mach-kirkwood/common.c +@@ -156,7 +156,16 @@ static void clk_gate_fn_disable(struct clk_hw *hw) + clk_gate_ops.disable(hw); + } + +-static struct clk_ops clk_gate_fn_ops; ++static int clk_gate_fn_is_enabled(struct clk_hw *hw) ++{ ++ return clk_gate_ops.is_enabled(hw); ++} ++ ++static struct clk_ops clk_gate_fn_ops = { ++ .enable = clk_gate_fn_enable, ++ .disable = clk_gate_fn_disable, ++ .is_enabled = clk_gate_fn_is_enabled, ++}; + + static struct clk __init *clk_register_gate_fn(struct device *dev, + const char *name, +@@ -190,14 +199,6 @@ static struct clk __init *clk_register_gate_fn(struct device *dev, + gate_fn->fn_en = fn_en; + gate_fn->fn_dis = fn_dis; + +- /* ops is the gate ops, but with our enable/disable functions */ +- if (clk_gate_fn_ops.enable != clk_gate_fn_enable || +- clk_gate_fn_ops.disable != clk_gate_fn_disable) { +- clk_gate_fn_ops = clk_gate_ops; +- clk_gate_fn_ops.enable = clk_gate_fn_enable; +- clk_gate_fn_ops.disable = clk_gate_fn_disable; +- } +- + clk = clk_register(dev, &gate_fn->gate.hw); + + if (IS_ERR(clk)) +diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c +index aead77a..a2253fa 100644 +--- a/arch/arm/mach-omap2/board-n8x0.c ++++ b/arch/arm/mach-omap2/board-n8x0.c +@@ -568,7 +568,7 @@ static int n8x0_menelaus_late_init(struct device *dev) + } + #endif + +-static struct menelaus_platform_data n8x0_menelaus_platform_data __initdata = { ++static struct menelaus_platform_data n8x0_menelaus_platform_data __initconst = { + .late_init = n8x0_menelaus_late_init, + }; + +diff --git a/arch/arm/mach-omap2/gpmc.c b/arch/arm/mach-omap2/gpmc.c +index ab43755..ccfa231 100644 +--- a/arch/arm/mach-omap2/gpmc.c ++++ b/arch/arm/mach-omap2/gpmc.c +@@ -148,7 +148,6 @@ struct omap3_gpmc_regs { + }; + + static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ]; +-static struct irq_chip gpmc_irq_chip; + static int gpmc_irq_start; + + static struct resource gpmc_mem_root; +@@ -716,6 +715,18 @@ static void gpmc_irq_noop(struct irq_data *data) { } + + static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; } + ++static struct irq_chip gpmc_irq_chip = { ++ .name = "gpmc", ++ .irq_startup = gpmc_irq_noop_ret, ++ .irq_enable = gpmc_irq_enable, ++ .irq_disable = gpmc_irq_disable, ++ .irq_shutdown = gpmc_irq_noop, ++ .irq_ack = gpmc_irq_noop, ++ .irq_mask = gpmc_irq_noop, ++ .irq_unmask = gpmc_irq_noop, ++ ++}; ++ + static int gpmc_setup_irq(void) + { + int i; +@@ -730,15 +741,6 @@ static int gpmc_setup_irq(void) + return gpmc_irq_start; + } + +- gpmc_irq_chip.name = "gpmc"; +- gpmc_irq_chip.irq_startup = gpmc_irq_noop_ret; +- gpmc_irq_chip.irq_enable = gpmc_irq_enable; +- gpmc_irq_chip.irq_disable = gpmc_irq_disable; +- gpmc_irq_chip.irq_shutdown = gpmc_irq_noop; +- gpmc_irq_chip.irq_ack = gpmc_irq_noop; +- gpmc_irq_chip.irq_mask = gpmc_irq_noop; +- gpmc_irq_chip.irq_unmask = gpmc_irq_noop; +- + gpmc_client_irq[0].bitmask = GPMC_IRQ_FIFOEVENTENABLE; + gpmc_client_irq[1].bitmask = GPMC_IRQ_COUNT_EVENT; + +diff --git a/arch/arm/mach-omap2/omap-mpuss-lowpower.c b/arch/arm/mach-omap2/omap-mpuss-lowpower.c +index 667915d..2ee1219 100644 +--- a/arch/arm/mach-omap2/omap-mpuss-lowpower.c ++++ b/arch/arm/mach-omap2/omap-mpuss-lowpower.c +@@ -84,7 +84,7 @@ struct cpu_pm_ops { + int (*finish_suspend)(unsigned long cpu_state); + void (*resume)(void); + void (*scu_prepare)(unsigned int cpu_id, unsigned int cpu_state); +-}; ++} __no_const; + + static DEFINE_PER_CPU(struct omap4_cpu_pm_info, omap4_pm_info); + static struct powerdomain *mpuss_pd; +@@ -102,7 +102,7 @@ static void dummy_cpu_resume(void) + static void dummy_scu_prepare(unsigned int cpu_id, unsigned int cpu_state) + {} + +-struct cpu_pm_ops omap_pm_ops = { ++static struct cpu_pm_ops omap_pm_ops __read_only = { + .finish_suspend = default_finish_suspend, + .resume = dummy_cpu_resume, + .scu_prepare = dummy_scu_prepare, +diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c +index 3664562..72f85c6 100644 +--- a/arch/arm/mach-omap2/omap-wakeupgen.c ++++ b/arch/arm/mach-omap2/omap-wakeupgen.c +@@ -343,7 +343,7 @@ static int irq_cpu_hotplug_notify(struct notifier_block *self, + return NOTIFY_OK; + } + +-static struct notifier_block __refdata irq_hotplug_notifier = { ++static struct notifier_block irq_hotplug_notifier = { + .notifier_call = irq_cpu_hotplug_notify, + }; + +diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c +index 01ef59d..32ae28a8 100644 +--- a/arch/arm/mach-omap2/omap_device.c ++++ b/arch/arm/mach-omap2/omap_device.c +@@ -510,7 +510,7 @@ void omap_device_delete(struct omap_device *od) + struct platform_device __init *omap_device_build(const char *pdev_name, + int pdev_id, + struct omap_hwmod *oh, +- void *pdata, int pdata_len) ++ const void *pdata, int pdata_len) + { + struct omap_hwmod *ohs[] = { oh }; + +@@ -538,7 +538,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name, + struct platform_device __init *omap_device_build_ss(const char *pdev_name, + int pdev_id, + struct omap_hwmod **ohs, +- int oh_cnt, void *pdata, ++ int oh_cnt, const void *pdata, + int pdata_len) + { + int ret = -ENOMEM; +diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h +index 78c02b3..c94109a 100644 +--- a/arch/arm/mach-omap2/omap_device.h ++++ b/arch/arm/mach-omap2/omap_device.h +@@ -72,12 +72,12 @@ int omap_device_idle(struct platform_device *pdev); + /* Core code interface */ + + struct platform_device *omap_device_build(const char *pdev_name, int pdev_id, +- struct omap_hwmod *oh, void *pdata, ++ struct omap_hwmod *oh, const void *pdata, + int pdata_len); + + struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id, + struct omap_hwmod **oh, int oh_cnt, +- void *pdata, int pdata_len); ++ const void *pdata, int pdata_len); + + struct omap_device *omap_device_alloc(struct platform_device *pdev, + struct omap_hwmod **ohs, int oh_cnt); +diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c +index 1f33f5d..b29fa75 100644 +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops { + int (*init_clkdm)(struct omap_hwmod *oh); + void (*update_context_lost)(struct omap_hwmod *oh); + int (*get_context_lost)(struct omap_hwmod *oh); +-}; ++} __no_const; + + /* soc_ops: adapts the omap_hwmod code to the currently-booted SoC */ +-static struct omap_hwmod_soc_ops soc_ops; ++static struct omap_hwmod_soc_ops soc_ops __read_only; + + /* omap_hwmod_list contains all registered struct omap_hwmods */ + static LIST_HEAD(omap_hwmod_list); +diff --git a/arch/arm/mach-omap2/powerdomains43xx_data.c b/arch/arm/mach-omap2/powerdomains43xx_data.c +index 95fee54..cfa9cf1 100644 +--- a/arch/arm/mach-omap2/powerdomains43xx_data.c ++++ b/arch/arm/mach-omap2/powerdomains43xx_data.c +@@ -10,6 +10,7 @@ + + #include + #include ++#include + + #include "powerdomain.h" + +@@ -129,7 +130,9 @@ static int am43xx_check_vcvp(void) + + void __init am43xx_powerdomains_init(void) + { +- omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp; ++ pax_open_kernel(); ++ *(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp; ++ pax_close_kernel(); + pwrdm_register_platform_funcs(&omap4_pwrdm_operations); + pwrdm_register_pwrdms(powerdomains_am43xx); + pwrdm_complete_init(); +diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c +index d15c7bb..b2d1f0c 100644 +--- a/arch/arm/mach-omap2/wd_timer.c ++++ b/arch/arm/mach-omap2/wd_timer.c +@@ -110,7 +110,9 @@ static int __init omap_init_wdt(void) + struct omap_hwmod *oh; + char *oh_name = "wd_timer2"; + char *dev_name = "omap_wdt"; +- struct omap_wd_timer_platform_data pdata; ++ static struct omap_wd_timer_platform_data pdata = { ++ .read_reset_sources = prm_read_reset_sources ++ }; + + if (!cpu_class_is_omap2() || of_have_populated_dt()) + return 0; +@@ -121,8 +123,6 @@ static int __init omap_init_wdt(void) + return -EINVAL; + } + +- pdata.read_reset_sources = prm_read_reset_sources; +- + pdev = omap_device_build(dev_name, id, oh, &pdata, + sizeof(struct omap_wd_timer_platform_data)); + WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n", +diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c +index b82dcae..44ee5b6 100644 +--- a/arch/arm/mach-tegra/cpuidle-tegra20.c ++++ b/arch/arm/mach-tegra/cpuidle-tegra20.c +@@ -180,7 +180,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev, + bool entered_lp2 = false; + + if (tegra_pending_sgi()) +- ACCESS_ONCE(abort_flag) = true; ++ ACCESS_ONCE_RW(abort_flag) = true; + + cpuidle_coupled_parallel_barrier(dev, &abort_barrier); + +diff --git a/arch/arm/mach-ux500/setup.h b/arch/arm/mach-ux500/setup.h +index 2dea8b5..6499da2 100644 +--- a/arch/arm/mach-ux500/setup.h ++++ b/arch/arm/mach-ux500/setup.h +@@ -33,13 +33,6 @@ extern void ux500_timer_init(void); + .type = MT_DEVICE, \ + } + +-#define __MEM_DEV_DESC(x, sz) { \ +- .virtual = IO_ADDRESS(x), \ +- .pfn = __phys_to_pfn(x), \ +- .length = sz, \ +- .type = MT_MEMORY_RWX, \ +-} +- + extern struct smp_operations ux500_smp_ops; + extern void ux500_cpu_die(unsigned int cpu); + +diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig +index 1f8fed9..14d7823 100644 +--- a/arch/arm/mm/Kconfig ++++ b/arch/arm/mm/Kconfig +@@ -446,7 +446,7 @@ config CPU_32v5 + + config CPU_32v6 + bool +- select CPU_USE_DOMAINS if CPU_V6 && MMU ++ select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + select TLS_REG_EMUL if !CPU_32v6K && !MMU + + config CPU_32v6K +@@ -601,6 +601,7 @@ config CPU_CP15_MPU + + config CPU_USE_DOMAINS + bool ++ depends on !ARM_LPAE && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + help + This option enables or disables the use of domain switching + via the set_fs() function. +@@ -800,6 +801,7 @@ config NEED_KUSER_HELPERS + config KUSER_HELPERS + bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS + default y ++ depends on !(CPU_V6 || CPU_V6K || CPU_V7) || GRKERNSEC_OLD_ARM_USERLAND + help + Warning: disabling this option may break user programs. + +@@ -812,7 +814,7 @@ config KUSER_HELPERS + See Documentation/arm/kernel_user_helpers.txt for details. + + However, the fixed address nature of these helpers can be used +- by ROP (return orientated programming) authors when creating ++ by ROP (Return Oriented Programming) authors when creating + exploits. + + If all of the binaries and libraries which run on your platform +diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c +index 9240364..a2b8cf3 100644 +--- a/arch/arm/mm/alignment.c ++++ b/arch/arm/mm/alignment.c +@@ -212,10 +212,12 @@ union offset_union { + #define __get16_unaligned_check(ins,val,addr) \ + do { \ + unsigned int err = 0, v, a = addr; \ ++ pax_open_userland(); \ + __get8_unaligned_check(ins,v,a,err); \ + val = v << ((BE) ? 8 : 0); \ + __get8_unaligned_check(ins,v,a,err); \ + val |= v << ((BE) ? 0 : 8); \ ++ pax_close_userland(); \ + if (err) \ + goto fault; \ + } while (0) +@@ -229,6 +231,7 @@ union offset_union { + #define __get32_unaligned_check(ins,val,addr) \ + do { \ + unsigned int err = 0, v, a = addr; \ ++ pax_open_userland(); \ + __get8_unaligned_check(ins,v,a,err); \ + val = v << ((BE) ? 24 : 0); \ + __get8_unaligned_check(ins,v,a,err); \ +@@ -237,6 +240,7 @@ union offset_union { + val |= v << ((BE) ? 8 : 16); \ + __get8_unaligned_check(ins,v,a,err); \ + val |= v << ((BE) ? 0 : 24); \ ++ pax_close_userland(); \ + if (err) \ + goto fault; \ + } while (0) +@@ -250,6 +254,7 @@ union offset_union { + #define __put16_unaligned_check(ins,val,addr) \ + do { \ + unsigned int err = 0, v = val, a = addr; \ ++ pax_open_userland(); \ + __asm__( FIRST_BYTE_16 \ + ARM( "1: "ins" %1, [%2], #1\n" ) \ + THUMB( "1: "ins" %1, [%2]\n" ) \ +@@ -269,6 +274,7 @@ union offset_union { + " .popsection\n" \ + : "=r" (err), "=&r" (v), "=&r" (a) \ + : "0" (err), "1" (v), "2" (a)); \ ++ pax_close_userland(); \ + if (err) \ + goto fault; \ + } while (0) +@@ -282,6 +288,7 @@ union offset_union { + #define __put32_unaligned_check(ins,val,addr) \ + do { \ + unsigned int err = 0, v = val, a = addr; \ ++ pax_open_userland(); \ + __asm__( FIRST_BYTE_32 \ + ARM( "1: "ins" %1, [%2], #1\n" ) \ + THUMB( "1: "ins" %1, [%2]\n" ) \ +@@ -311,6 +318,7 @@ union offset_union { + " .popsection\n" \ + : "=r" (err), "=&r" (v), "=&r" (a) \ + : "0" (err), "1" (v), "2" (a)); \ ++ pax_close_userland(); \ + if (err) \ + goto fault; \ + } while (0) +diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c +index 7abde2c..9df495f 100644 +--- a/arch/arm/mm/cache-l2x0.c ++++ b/arch/arm/mm/cache-l2x0.c +@@ -46,7 +46,7 @@ struct l2x0_of_data { + void (*setup)(const struct device_node *, u32 *, u32 *); + void (*save)(void); + struct outer_cache_fns outer_cache; +-}; ++} __do_const; + + static bool of_init = false; + +diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c +index 6eb97b3..ac509f6 100644 +--- a/arch/arm/mm/context.c ++++ b/arch/arm/mm/context.c +@@ -43,7 +43,7 @@ + #define NUM_USER_ASIDS ASID_FIRST_VERSION + + static DEFINE_RAW_SPINLOCK(cpu_asid_lock); +-static atomic64_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION); ++static atomic64_unchecked_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION); + static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS); + + static DEFINE_PER_CPU(atomic64_t, active_asids); +@@ -182,7 +182,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu) + { + static u32 cur_idx = 1; + u64 asid = atomic64_read(&mm->context.id); +- u64 generation = atomic64_read(&asid_generation); ++ u64 generation = atomic64_read_unchecked(&asid_generation); + + if (asid != 0 && is_reserved_asid(asid)) { + /* +@@ -203,7 +203,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu) + */ + asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx); + if (asid == NUM_USER_ASIDS) { +- generation = atomic64_add_return(ASID_FIRST_VERSION, ++ generation = atomic64_add_return_unchecked(ASID_FIRST_VERSION, + &asid_generation); + flush_context(cpu); + asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1); +@@ -234,14 +234,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk) + cpu_set_reserved_ttbr0(); + + asid = atomic64_read(&mm->context.id); +- if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) ++ if (!((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS) + && atomic64_xchg(&per_cpu(active_asids, cpu), asid)) + goto switch_mm_fastpath; + + raw_spin_lock_irqsave(&cpu_asid_lock, flags); + /* Check that our ASID belongs to the current generation. */ + asid = atomic64_read(&mm->context.id); +- if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) { ++ if ((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS) { + asid = new_context(mm, cpu); + atomic64_set(&mm->context.id, asid); + } +diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c +index eb8830a..5360ce7 100644 +--- a/arch/arm/mm/fault.c ++++ b/arch/arm/mm/fault.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include "fault.h" + +@@ -138,6 +139,31 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr, + if (fixup_exception(regs)) + return; + ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (addr < TASK_SIZE) { ++ if (current->signal->curr_ip) ++ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); ++ else ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); ++ } ++#endif ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ if ((fsr & FSR_WRITE) && ++ (((unsigned long)_stext <= addr && addr < init_mm.end_code) || ++ (MODULES_VADDR <= addr && addr < MODULES_END))) ++ { ++ if (current->signal->curr_ip) ++ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); ++ else ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); ++ } ++#endif ++ + /* + * No handler, we'll have to terminate things with extreme prejudice. + */ +@@ -174,6 +200,13 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr, + } + #endif + ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (fsr & FSR_LNX_PF) { ++ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp); ++ do_group_exit(SIGKILL); ++ } ++#endif ++ + tsk->thread.address = addr; + tsk->thread.error_code = fsr; + tsk->thread.trap_no = 14; +@@ -401,6 +434,33 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + } + #endif /* CONFIG_MMU */ + ++#ifdef CONFIG_PAX_PAGEEXEC ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 20; i++) { ++ unsigned char c; ++ if (get_user(c, (__force unsigned char __user *)pc+i)) ++ printk(KERN_CONT "?? "); ++ else ++ printk(KERN_CONT "%02x ", c); ++ } ++ printk("\n"); ++ ++ printk(KERN_ERR "PAX: bytes at SP-4: "); ++ for (i = -1; i < 20; i++) { ++ unsigned long c; ++ if (get_user(c, (__force unsigned long __user *)sp+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%08lx ", c); ++ } ++ printk("\n"); ++} ++#endif ++ + /* + * First Level Translation Fault Handler + * +@@ -548,9 +608,22 @@ do_DataAbort(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + const struct fsr_info *inf = fsr_info + fsr_fs(fsr); + struct siginfo info; + ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (addr < TASK_SIZE && is_domain_fault(fsr)) { ++ if (current->signal->curr_ip) ++ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); ++ else ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr); ++ goto die; ++ } ++#endif ++ + if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs)) + return; + ++die: + printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n", + inf->name, fsr, addr); + +@@ -574,15 +647,98 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs * + ifsr_info[nr].name = name; + } + ++asmlinkage int sys_sigreturn(struct pt_regs *regs); ++asmlinkage int sys_rt_sigreturn(struct pt_regs *regs); ++ + asmlinkage void __exception + do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs) + { + const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr); + struct siginfo info; ++ unsigned long pc = instruction_pointer(regs); ++ ++ if (user_mode(regs)) { ++ unsigned long sigpage = current->mm->context.sigpage; ++ ++ if (sigpage <= pc && pc < sigpage + 7*4) { ++ if (pc < sigpage + 3*4) ++ sys_sigreturn(regs); ++ else ++ sys_rt_sigreturn(regs); ++ return; ++ } ++ if (pc == 0xffff0f60UL) { ++ /* ++ * PaX: __kuser_cmpxchg64 emulation ++ */ ++ // TODO ++ //regs->ARM_pc = regs->ARM_lr; ++ //return; ++ } ++ if (pc == 0xffff0fa0UL) { ++ /* ++ * PaX: __kuser_memory_barrier emulation ++ */ ++ // dmb(); implied by the exception ++ regs->ARM_pc = regs->ARM_lr; ++ return; ++ } ++ if (pc == 0xffff0fc0UL) { ++ /* ++ * PaX: __kuser_cmpxchg emulation ++ */ ++ // TODO ++ //long new; ++ //int op; ++ ++ //op = FUTEX_OP_SET << 28; ++ //new = futex_atomic_op_inuser(op, regs->ARM_r2); ++ //regs->ARM_r0 = old != new; ++ //regs->ARM_pc = regs->ARM_lr; ++ //return; ++ } ++ if (pc == 0xffff0fe0UL) { ++ /* ++ * PaX: __kuser_get_tls emulation ++ */ ++ regs->ARM_r0 = current_thread_info()->tp_value[0]; ++ regs->ARM_pc = regs->ARM_lr; ++ return; ++ } ++ } ++ ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) { ++ if (current->signal->curr_ip) ++ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), ++ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc); ++ else ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), ++ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc); ++ goto die; ++ } ++#endif ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) { ++ unsigned int bkpt; ++ ++ if (!probe_kernel_address(pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) { ++ current->thread.error_code = ifsr; ++ current->thread.trap_no = 0; ++ pax_report_refcount_overflow(regs); ++ fixup_exception(regs); ++ return; ++ } ++ } ++#endif + + if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs)) + return; + ++die: + printk(KERN_ALERT "Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n", + inf->name, ifsr, addr); + +diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h +index cf08bdf..772656c 100644 +--- a/arch/arm/mm/fault.h ++++ b/arch/arm/mm/fault.h +@@ -3,6 +3,7 @@ + + /* + * Fault status register encodings. We steal bit 31 for our own purposes. ++ * Set when the FSR value is from an instruction fault. + */ + #define FSR_LNX_PF (1 << 31) + #define FSR_WRITE (1 << 11) +@@ -22,6 +23,17 @@ static inline int fsr_fs(unsigned int fsr) + } + #endif + ++/* valid for LPAE and !LPAE */ ++static inline int is_xn_fault(unsigned int fsr) ++{ ++ return ((fsr_fs(fsr) & 0x3c) == 0xc); ++} ++ ++static inline int is_domain_fault(unsigned int fsr) ++{ ++ return ((fsr_fs(fsr) & 0xD) == 0x9); ++} ++ + void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs); + unsigned long search_exception_table(unsigned long addr); + +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index 804d615..fcec50a 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -30,6 +30,8 @@ + #include + #include + #include ++#include ++#include + + #include + #include +@@ -625,7 +627,46 @@ void free_initmem(void) + { + #ifdef CONFIG_HAVE_TCM + extern char __tcm_start, __tcm_end; ++#endif + ++#ifdef CONFIG_PAX_KERNEXEC ++ unsigned long addr; ++ pgd_t *pgd; ++ pud_t *pud; ++ pmd_t *pmd; ++ int cpu_arch = cpu_architecture(); ++ unsigned int cr = get_cr(); ++ ++ if (cpu_arch >= CPU_ARCH_ARMv6 && (cr & CR_XP)) { ++ /* make pages tables, etc before .text NX */ ++ for (addr = PAGE_OFFSET; addr < (unsigned long)_stext; addr += SECTION_SIZE) { ++ pgd = pgd_offset_k(addr); ++ pud = pud_offset(pgd, addr); ++ pmd = pmd_offset(pud, addr); ++ __section_update(pmd, addr, PMD_SECT_XN); ++ } ++ /* make init NX */ ++ for (addr = (unsigned long)__init_begin; addr < (unsigned long)_sdata; addr += SECTION_SIZE) { ++ pgd = pgd_offset_k(addr); ++ pud = pud_offset(pgd, addr); ++ pmd = pmd_offset(pud, addr); ++ __section_update(pmd, addr, PMD_SECT_XN); ++ } ++ /* make kernel code/rodata RX */ ++ for (addr = (unsigned long)_stext; addr < (unsigned long)__init_begin; addr += SECTION_SIZE) { ++ pgd = pgd_offset_k(addr); ++ pud = pud_offset(pgd, addr); ++ pmd = pmd_offset(pud, addr); ++#ifdef CONFIG_ARM_LPAE ++ __section_update(pmd, addr, PMD_SECT_RDONLY); ++#else ++ __section_update(pmd, addr, PMD_SECT_APX|PMD_SECT_AP_WRITE); ++#endif ++ } ++ } ++#endif ++ ++#ifdef CONFIG_HAVE_TCM + poison_init_mem(&__tcm_start, &__tcm_end - &__tcm_start); + free_reserved_area(&__tcm_start, &__tcm_end, -1, "TCM link"); + #endif +diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c +index f9c32ba..8540068 100644 +--- a/arch/arm/mm/ioremap.c ++++ b/arch/arm/mm/ioremap.c +@@ -392,9 +392,9 @@ __arm_ioremap_exec(phys_addr_t phys_addr, size_t size, bool cached) + unsigned int mtype; + + if (cached) +- mtype = MT_MEMORY_RWX; ++ mtype = MT_MEMORY_RX; + else +- mtype = MT_MEMORY_RWX_NONCACHED; ++ mtype = MT_MEMORY_RX_NONCACHED; + + return __arm_ioremap_caller(phys_addr, size, mtype, + __builtin_return_address(0)); +diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c +index 5e85ed3..b10a7ed 100644 +--- a/arch/arm/mm/mmap.c ++++ b/arch/arm/mm/mmap.c +@@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct vm_area_struct *vma; + int do_align = 0; + int aliasing = cache_is_vipt_aliasing(); ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + struct vm_unmapped_area_info info; + + /* +@@ -81,6 +82,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + if (len > TASK_SIZE) + return -ENOMEM; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + if (do_align) + addr = COLOUR_ALIGN(addr, pgoff); +@@ -88,8 +93,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + addr = PAGE_ALIGN(addr); + + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + +@@ -99,6 +103,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + info.high_limit = TASK_SIZE; + info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0; + info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + return vm_unmapped_area(&info); + } + +@@ -112,6 +117,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + unsigned long addr = addr0; + int do_align = 0; + int aliasing = cache_is_vipt_aliasing(); ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + struct vm_unmapped_area_info info; + + /* +@@ -132,6 +138,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + return addr; + } + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + /* requesting a specific address */ + if (addr) { + if (do_align) +@@ -139,8 +149,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + else + addr = PAGE_ALIGN(addr); + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + +@@ -150,6 +159,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.high_limit = mm->mmap_base; + info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0; + info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + + /* +@@ -173,6 +183,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + { + unsigned long random_factor = 0UL; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + /* 8 bits of randomness in 20 address space bits */ + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) +@@ -180,9 +194,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + + if (mmap_is_legacy()) { + mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base += mm->delta_mmap; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area; + } else { + mm->mmap_base = mmap_base(random_factor); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area_topdown; + } + } +diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c +index a623cb3..c5e3f19 100644 +--- a/arch/arm/mm/mmu.c ++++ b/arch/arm/mm/mmu.c +@@ -39,6 +39,22 @@ + #include "mm.h" + #include "tcm.h" + ++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++void modify_domain(unsigned int dom, unsigned int type) ++{ ++ struct thread_info *thread = current_thread_info(); ++ unsigned int domain = thread->cpu_domain; ++ /* ++ * DOMAIN_MANAGER might be defined to some other value, ++ * use the arch-defined constant ++ */ ++ domain &= ~domain_val(dom, 3); ++ thread->cpu_domain = domain | domain_val(dom, type); ++ set_domain(thread->cpu_domain); ++} ++EXPORT_SYMBOL(modify_domain); ++#endif ++ + /* + * empty_zero_page is a special page that is used for + * zero-initialized data and COW. +@@ -235,7 +251,15 @@ __setup("noalign", noalign_setup); + #define PROT_PTE_S2_DEVICE PROT_PTE_DEVICE + #define PROT_SECT_DEVICE PMD_TYPE_SECT|PMD_SECT_AP_WRITE + +-static struct mem_type mem_types[] = { ++#ifdef CONFIG_PAX_KERNEXEC ++#define L_PTE_KERNEXEC L_PTE_RDONLY ++#define PMD_SECT_KERNEXEC PMD_SECT_RDONLY ++#else ++#define L_PTE_KERNEXEC L_PTE_DIRTY ++#define PMD_SECT_KERNEXEC PMD_SECT_AP_WRITE ++#endif ++ ++static struct mem_type mem_types[] __read_only = { + [MT_DEVICE] = { /* Strongly ordered / ARMv6 shared device */ + .prot_pte = PROT_PTE_DEVICE | L_PTE_MT_DEV_SHARED | + L_PTE_SHARED, +@@ -264,19 +288,19 @@ static struct mem_type mem_types[] = { + .prot_sect = PROT_SECT_DEVICE, + .domain = DOMAIN_IO, + }, +- [MT_UNCACHED] = { ++ [MT_UNCACHED_RW] = { + .prot_pte = PROT_PTE_DEVICE, + .prot_l1 = PMD_TYPE_TABLE, + .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN, + .domain = DOMAIN_IO, + }, +- [MT_CACHECLEAN] = { +- .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN, ++ [MT_CACHECLEAN_RO] = { ++ .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_RDONLY, + .domain = DOMAIN_KERNEL, + }, + #ifndef CONFIG_ARM_LPAE +- [MT_MINICLEAN] = { +- .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_MINICACHE, ++ [MT_MINICLEAN_RO] = { ++ .prot_sect = PMD_TYPE_SECT | PMD_SECT_MINICACHE | PMD_SECT_XN | PMD_SECT_RDONLY, + .domain = DOMAIN_KERNEL, + }, + #endif +@@ -284,15 +308,15 @@ static struct mem_type mem_types[] = { + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | + L_PTE_RDONLY, + .prot_l1 = PMD_TYPE_TABLE, +- .domain = DOMAIN_USER, ++ .domain = DOMAIN_VECTORS, + }, + [MT_HIGH_VECTORS] = { + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | + L_PTE_USER | L_PTE_RDONLY, + .prot_l1 = PMD_TYPE_TABLE, +- .domain = DOMAIN_USER, ++ .domain = DOMAIN_VECTORS, + }, +- [MT_MEMORY_RWX] = { ++ [__MT_MEMORY_RWX] = { + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY, + .prot_l1 = PMD_TYPE_TABLE, + .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE, +@@ -305,17 +329,30 @@ static struct mem_type mem_types[] = { + .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE, + .domain = DOMAIN_KERNEL, + }, +- [MT_ROM] = { +- .prot_sect = PMD_TYPE_SECT, ++ [MT_MEMORY_RX] = { ++ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC, ++ .prot_l1 = PMD_TYPE_TABLE, ++ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC, ++ .domain = DOMAIN_KERNEL, ++ }, ++ [MT_ROM_RX] = { ++ .prot_sect = PMD_TYPE_SECT | PMD_SECT_RDONLY, + .domain = DOMAIN_KERNEL, + }, +- [MT_MEMORY_RWX_NONCACHED] = { ++ [MT_MEMORY_RW_NONCACHED] = { + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | + L_PTE_MT_BUFFERABLE, + .prot_l1 = PMD_TYPE_TABLE, + .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE, + .domain = DOMAIN_KERNEL, + }, ++ [MT_MEMORY_RX_NONCACHED] = { ++ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC | ++ L_PTE_MT_BUFFERABLE, ++ .prot_l1 = PMD_TYPE_TABLE, ++ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC, ++ .domain = DOMAIN_KERNEL, ++ }, + [MT_MEMORY_RW_DTCM] = { + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | + L_PTE_XN, +@@ -323,9 +360,10 @@ static struct mem_type mem_types[] = { + .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN, + .domain = DOMAIN_KERNEL, + }, +- [MT_MEMORY_RWX_ITCM] = { +- .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY, ++ [MT_MEMORY_RX_ITCM] = { ++ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC, + .prot_l1 = PMD_TYPE_TABLE, ++ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC, + .domain = DOMAIN_KERNEL, + }, + [MT_MEMORY_RW_SO] = { +@@ -524,9 +562,14 @@ static void __init build_mem_type_table(void) + * Mark cache clean areas and XIP ROM read only + * from SVC mode and no access from userspace. + */ +- mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; +- mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; +- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; ++ mem_types[MT_ROM_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; ++#ifdef CONFIG_PAX_KERNEXEC ++ mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; ++ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; ++ mem_types[MT_MEMORY_RX_ITCM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; ++#endif ++ mem_types[MT_MINICLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; ++ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; + #endif + + if (is_smp()) { +@@ -542,13 +585,17 @@ static void __init build_mem_type_table(void) + mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED; + mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S; + mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED; +- mem_types[MT_MEMORY_RWX].prot_sect |= PMD_SECT_S; +- mem_types[MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED; ++ mem_types[__MT_MEMORY_RWX].prot_sect |= PMD_SECT_S; ++ mem_types[__MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED; + mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_S; + mem_types[MT_MEMORY_RW].prot_pte |= L_PTE_SHARED; ++ mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_S; ++ mem_types[MT_MEMORY_RX].prot_pte |= L_PTE_SHARED; + mem_types[MT_MEMORY_DMA_READY].prot_pte |= L_PTE_SHARED; +- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_S; +- mem_types[MT_MEMORY_RWX_NONCACHED].prot_pte |= L_PTE_SHARED; ++ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_S; ++ mem_types[MT_MEMORY_RW_NONCACHED].prot_pte |= L_PTE_SHARED; ++ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_S; ++ mem_types[MT_MEMORY_RX_NONCACHED].prot_pte |= L_PTE_SHARED; + } + } + +@@ -559,15 +606,20 @@ static void __init build_mem_type_table(void) + if (cpu_arch >= CPU_ARCH_ARMv6) { + if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { + /* Non-cacheable Normal is XCB = 001 */ +- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= ++ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= ++ PMD_SECT_BUFFERED; ++ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= + PMD_SECT_BUFFERED; + } else { + /* For both ARMv6 and non-TEX-remapping ARMv7 */ +- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= ++ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= ++ PMD_SECT_TEX(1); ++ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= + PMD_SECT_TEX(1); + } + } else { +- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE; ++ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE; ++ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE; + } + + #ifdef CONFIG_ARM_LPAE +@@ -583,6 +635,8 @@ static void __init build_mem_type_table(void) + vecs_pgprot |= PTE_EXT_AF; + #endif + ++ user_pgprot |= __supported_pte_mask; ++ + for (i = 0; i < 16; i++) { + pteval_t v = pgprot_val(protection_map[i]); + protection_map[i] = __pgprot(v | user_pgprot); +@@ -600,21 +654,24 @@ static void __init build_mem_type_table(void) + + mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask; + mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask; +- mem_types[MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd; +- mem_types[MT_MEMORY_RWX].prot_pte |= kern_pgprot; ++ mem_types[__MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd; ++ mem_types[__MT_MEMORY_RWX].prot_pte |= kern_pgprot; + mem_types[MT_MEMORY_RW].prot_sect |= ecc_mask | cp->pmd; + mem_types[MT_MEMORY_RW].prot_pte |= kern_pgprot; ++ mem_types[MT_MEMORY_RX].prot_sect |= ecc_mask | cp->pmd; ++ mem_types[MT_MEMORY_RX].prot_pte |= kern_pgprot; + mem_types[MT_MEMORY_DMA_READY].prot_pte |= kern_pgprot; +- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= ecc_mask; +- mem_types[MT_ROM].prot_sect |= cp->pmd; ++ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= ecc_mask; ++ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= ecc_mask; ++ mem_types[MT_ROM_RX].prot_sect |= cp->pmd; + + switch (cp->pmd) { + case PMD_SECT_WT: +- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WT; ++ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WT; + break; + case PMD_SECT_WB: + case PMD_SECT_WBWA: +- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WB; ++ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WB; + break; + } + pr_info("Memory policy: %sData cache %s\n", +@@ -1247,18 +1304,15 @@ void __init arm_mm_memblock_reserve(void) + * called function. This means you can't use any function or debugging + * method which may touch any device, otherwise the kernel _will_ crash. + */ ++ ++static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE); ++ + static void __init devicemaps_init(const struct machine_desc *mdesc) + { + struct map_desc map; + unsigned long addr; +- void *vectors; + +- /* +- * Allocate the vector page early. +- */ +- vectors = early_alloc(PAGE_SIZE * 2); +- +- early_trap_init(vectors); ++ early_trap_init(&vectors); + + for (addr = VMALLOC_START; addr; addr += PMD_SIZE) + pmd_clear(pmd_off_k(addr)); +@@ -1271,7 +1325,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) + map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK); + map.virtual = MODULES_VADDR; + map.length = ((unsigned long)_etext - map.virtual + ~SECTION_MASK) & SECTION_MASK; +- map.type = MT_ROM; ++ map.type = MT_ROM_RX; + create_mapping(&map); + #endif + +@@ -1282,14 +1336,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) + map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS); + map.virtual = FLUSH_BASE; + map.length = SZ_1M; +- map.type = MT_CACHECLEAN; ++ map.type = MT_CACHECLEAN_RO; + create_mapping(&map); + #endif + #ifdef FLUSH_BASE_MINICACHE + map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS + SZ_1M); + map.virtual = FLUSH_BASE_MINICACHE; + map.length = SZ_1M; +- map.type = MT_MINICLEAN; ++ map.type = MT_MINICLEAN_RO; + create_mapping(&map); + #endif + +@@ -1298,7 +1352,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) + * location (0xffff0000). If we aren't using high-vectors, also + * create a mapping at the low-vectors virtual address. + */ +- map.pfn = __phys_to_pfn(virt_to_phys(vectors)); ++ map.pfn = __phys_to_pfn(virt_to_phys(&vectors)); + map.virtual = 0xffff0000; + map.length = PAGE_SIZE; + #ifdef CONFIG_KUSER_HELPERS +@@ -1369,11 +1423,48 @@ static void __init map_lowmem(void) + if (start >= end) + break; + ++#ifdef CONFIG_PAX_KERNEXEC ++ map.pfn = __phys_to_pfn(start); ++ map.virtual = __phys_to_virt(start); ++ map.length = end - start; ++ ++ if (map.virtual <= (unsigned long)_stext && ((unsigned long)_end < (map.virtual + map.length))) { ++ struct map_desc kernel; ++ struct map_desc initmap; ++ ++ /* when freeing initmem we will make this RW */ ++ initmap.pfn = __phys_to_pfn(__pa(__init_begin)); ++ initmap.virtual = (unsigned long)__init_begin; ++ initmap.length = _sdata - __init_begin; ++ initmap.type = __MT_MEMORY_RWX; ++ create_mapping(&initmap); ++ ++ /* when freeing initmem we will make this RX */ ++ kernel.pfn = __phys_to_pfn(__pa(_stext)); ++ kernel.virtual = (unsigned long)_stext; ++ kernel.length = __init_begin - _stext; ++ kernel.type = __MT_MEMORY_RWX; ++ create_mapping(&kernel); ++ ++ if (map.virtual < (unsigned long)_stext) { ++ map.length = (unsigned long)_stext - map.virtual; ++ map.type = __MT_MEMORY_RWX; ++ create_mapping(&map); ++ } ++ ++ map.pfn = __phys_to_pfn(__pa(_sdata)); ++ map.virtual = (unsigned long)_sdata; ++ map.length = end - __pa(_sdata); ++ } ++ ++ map.type = MT_MEMORY_RW; ++ create_mapping(&map); ++#else + if (end < kernel_x_start || start >= kernel_x_end) { + map.pfn = __phys_to_pfn(start); + map.virtual = __phys_to_virt(start); + map.length = end - start; +- map.type = MT_MEMORY_RWX; ++ map.type = __MT_MEMORY_RWX; + + create_mapping(&map); + } else { +@@ -1390,7 +1481,7 @@ static void __init map_lowmem(void) + map.pfn = __phys_to_pfn(kernel_x_start); + map.virtual = __phys_to_virt(kernel_x_start); + map.length = kernel_x_end - kernel_x_start; +- map.type = MT_MEMORY_RWX; ++ map.type = __MT_MEMORY_RWX; + + create_mapping(&map); + +@@ -1403,6 +1494,7 @@ static void __init map_lowmem(void) + create_mapping(&map); + } + } ++#endif + } + } + +diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c +index a5bc92d..0bb4730 100644 +--- a/arch/arm/plat-omap/sram.c ++++ b/arch/arm/plat-omap/sram.c +@@ -93,6 +93,8 @@ void __init omap_map_sram(unsigned long start, unsigned long size, + * Looks like we need to preserve some bootloader code at the + * beginning of SRAM for jumping to flash for reboot to work... + */ ++ pax_open_kernel(); + memset_io(omap_sram_base + omap_sram_skip, 0, + omap_sram_size - omap_sram_skip); ++ pax_close_kernel(); + } +diff --git a/arch/arm/plat-samsung/include/plat/dma-ops.h b/arch/arm/plat-samsung/include/plat/dma-ops.h +index ce6d763..cfea917 100644 +--- a/arch/arm/plat-samsung/include/plat/dma-ops.h ++++ b/arch/arm/plat-samsung/include/plat/dma-ops.h +@@ -47,7 +47,7 @@ struct samsung_dma_ops { + int (*started)(unsigned ch); + int (*flush)(unsigned ch); + int (*stop)(unsigned ch); +-}; ++} __no_const; + + extern void *samsung_dmadev_get_ops(void); + extern void *s3c_dma_get_ops(void); +diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h +index 6c0f684..5faea9d 100644 +--- a/arch/arm64/include/asm/uaccess.h ++++ b/arch/arm64/include/asm/uaccess.h +@@ -99,6 +99,7 @@ static inline void set_fs(mm_segment_t fs) + flag; \ + }) + ++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size)) + #define access_ok(type, addr, size) __range_ok(addr, size) + #define user_addr_max get_fs + +diff --git a/arch/avr32/include/asm/cache.h b/arch/avr32/include/asm/cache.h +index c3a58a1..78fbf54 100644 +--- a/arch/avr32/include/asm/cache.h ++++ b/arch/avr32/include/asm/cache.h +@@ -1,8 +1,10 @@ + #ifndef __ASM_AVR32_CACHE_H + #define __ASM_AVR32_CACHE_H + ++#include ++ + #define L1_CACHE_SHIFT 5 +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + /* + * Memory returned by kmalloc() may be used for DMA, so we must make +diff --git a/arch/avr32/include/asm/elf.h b/arch/avr32/include/asm/elf.h +index d232888..87c8df1 100644 +--- a/arch/avr32/include/asm/elf.h ++++ b/arch/avr32/include/asm/elf.h +@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpregset_t; + the loader. We need to make sure that it is out of the way of the program + that it will "exec", and that there is sufficient room for the brk. */ + +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3) ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) + ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE 0x00001000UL ++ ++#define PAX_DELTA_MMAP_LEN 15 ++#define PAX_DELTA_STACK_LEN 15 ++#endif + + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. This could be done in user space, +diff --git a/arch/avr32/include/asm/kmap_types.h b/arch/avr32/include/asm/kmap_types.h +index 479330b..53717a8 100644 +--- a/arch/avr32/include/asm/kmap_types.h ++++ b/arch/avr32/include/asm/kmap_types.h +@@ -2,9 +2,9 @@ + #define __ASM_AVR32_KMAP_TYPES_H + + #ifdef CONFIG_DEBUG_HIGHMEM +-# define KM_TYPE_NR 29 ++# define KM_TYPE_NR 30 + #else +-# define KM_TYPE_NR 14 ++# define KM_TYPE_NR 15 + #endif + + #endif /* __ASM_AVR32_KMAP_TYPES_H */ +diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c +index 0eca933..eb78c7b 100644 +--- a/arch/avr32/mm/fault.c ++++ b/arch/avr32/mm/fault.c +@@ -41,6 +41,23 @@ static inline int notify_page_fault(struct pt_regs *regs, int trap) + + int exception_trace = 1; + ++#ifdef CONFIG_PAX_PAGEEXEC ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ unsigned long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 20; i++) { ++ unsigned char c; ++ if (get_user(c, (unsigned char *)pc+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%02x ", c); ++ } ++ printk("\n"); ++} ++#endif ++ + /* + * This routine handles page faults. It determines the address and the + * problem, and then passes it off to one of the appropriate routines. +@@ -176,6 +193,16 @@ bad_area: + up_read(&mm->mmap_sem); + + if (user_mode(regs)) { ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) { ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) { ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp); ++ do_group_exit(SIGKILL); ++ } ++ } ++#endif ++ + if (exception_trace && printk_ratelimit()) + printk("%s%s[%d]: segfault at %08lx pc %08lx " + "sp %08lx ecr %lu\n", +diff --git a/arch/blackfin/include/asm/cache.h b/arch/blackfin/include/asm/cache.h +index 568885a..f8008df 100644 +--- a/arch/blackfin/include/asm/cache.h ++++ b/arch/blackfin/include/asm/cache.h +@@ -7,6 +7,7 @@ + #ifndef __ARCH_BLACKFIN_CACHE_H + #define __ARCH_BLACKFIN_CACHE_H + ++#include + #include /* for asmlinkage */ + + /* +@@ -14,7 +15,7 @@ + * Blackfin loads 32 bytes for cache + */ + #define L1_CACHE_SHIFT 5 +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + #define SMP_CACHE_BYTES L1_CACHE_BYTES + + #define ARCH_DMA_MINALIGN L1_CACHE_BYTES +diff --git a/arch/cris/include/arch-v10/arch/cache.h b/arch/cris/include/arch-v10/arch/cache.h +index aea2718..3639a60 100644 +--- a/arch/cris/include/arch-v10/arch/cache.h ++++ b/arch/cris/include/arch-v10/arch/cache.h +@@ -1,8 +1,9 @@ + #ifndef _ASM_ARCH_CACHE_H + #define _ASM_ARCH_CACHE_H + ++#include + /* Etrax 100LX have 32-byte cache-lines. */ +-#define L1_CACHE_BYTES 32 + #define L1_CACHE_SHIFT 5 ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #endif /* _ASM_ARCH_CACHE_H */ +diff --git a/arch/cris/include/arch-v32/arch/cache.h b/arch/cris/include/arch-v32/arch/cache.h +index 7caf25d..ee65ac5 100644 +--- a/arch/cris/include/arch-v32/arch/cache.h ++++ b/arch/cris/include/arch-v32/arch/cache.h +@@ -1,11 +1,12 @@ + #ifndef _ASM_CRIS_ARCH_CACHE_H + #define _ASM_CRIS_ARCH_CACHE_H + ++#include + #include + + /* A cache-line is 32 bytes. */ +-#define L1_CACHE_BYTES 32 + #define L1_CACHE_SHIFT 5 ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define __read_mostly __attribute__((__section__(".data..read_mostly"))) + +diff --git a/arch/frv/include/asm/atomic.h b/arch/frv/include/asm/atomic.h +index b86329d..6709906 100644 +--- a/arch/frv/include/asm/atomic.h ++++ b/arch/frv/include/asm/atomic.h +@@ -186,6 +186,16 @@ static inline void atomic64_dec(atomic64_t *v) + #define atomic64_cmpxchg(v, old, new) (__cmpxchg_64(old, new, &(v)->counter)) + #define atomic64_xchg(v, new) (__xchg_64(new, &(v)->counter)) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u) + { + int c, old; +diff --git a/arch/frv/include/asm/cache.h b/arch/frv/include/asm/cache.h +index 2797163..c2a401d 100644 +--- a/arch/frv/include/asm/cache.h ++++ b/arch/frv/include/asm/cache.h +@@ -12,10 +12,11 @@ + #ifndef __ASM_CACHE_H + #define __ASM_CACHE_H + ++#include + + /* bytes per L1 cache line */ + #define L1_CACHE_SHIFT (CONFIG_FRV_L1_CACHE_SHIFT) +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define __cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES))) + #define ____cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES))) +diff --git a/arch/frv/include/asm/kmap_types.h b/arch/frv/include/asm/kmap_types.h +index 43901f2..0d8b865 100644 +--- a/arch/frv/include/asm/kmap_types.h ++++ b/arch/frv/include/asm/kmap_types.h +@@ -2,6 +2,6 @@ + #ifndef _ASM_KMAP_TYPES_H + #define _ASM_KMAP_TYPES_H + +-#define KM_TYPE_NR 17 ++#define KM_TYPE_NR 18 + + #endif +diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c +index 836f147..4cf23f5 100644 +--- a/arch/frv/mm/elf-fdpic.c ++++ b/arch/frv/mm/elf-fdpic.c +@@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + { + struct vm_area_struct *vma; + struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + if (len > TASK_SIZE) + return -ENOMEM; +@@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + if (addr) { + addr = PAGE_ALIGN(addr); + vma = find_vma(current->mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + goto success; + } + +@@ -85,6 +85,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + info.high_limit = (current->mm->start_stack - 0x00200000); + info.align_mask = 0; + info.align_offset = 0; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + if (!(addr & ~PAGE_MASK)) + goto success; +diff --git a/arch/hexagon/include/asm/cache.h b/arch/hexagon/include/asm/cache.h +index f4ca594..adc72fd6 100644 +--- a/arch/hexagon/include/asm/cache.h ++++ b/arch/hexagon/include/asm/cache.h +@@ -21,9 +21,11 @@ + #ifndef __ASM_CACHE_H + #define __ASM_CACHE_H + ++#include ++ + /* Bytes per L1 cache line */ +-#define L1_CACHE_SHIFT (5) +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_SHIFT 5 ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define __cacheline_aligned __aligned(L1_CACHE_BYTES) + #define ____cacheline_aligned __aligned(L1_CACHE_BYTES) +diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig +index 0c8e553..112d734 100644 +--- a/arch/ia64/Kconfig ++++ b/arch/ia64/Kconfig +@@ -544,6 +544,7 @@ source "drivers/sn/Kconfig" + config KEXEC + bool "kexec system call" + depends on !IA64_HP_SIM && (!SMP || HOTPLUG_CPU) ++ depends on !GRKERNSEC_KMEM + help + kexec is a system call that implements the ability to shutdown your + current kernel, and to start another kernel. It is like a reboot +diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h +index 6e6fe18..a6ae668 100644 +--- a/arch/ia64/include/asm/atomic.h ++++ b/arch/ia64/include/asm/atomic.h +@@ -208,6 +208,16 @@ atomic64_add_negative (__s64 i, atomic64_t *v) + #define atomic64_inc(v) atomic64_add(1, (v)) + #define atomic64_dec(v) atomic64_sub(1, (v)) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + /* Atomic operations are already serializing */ + #define smp_mb__before_atomic_dec() barrier() + #define smp_mb__after_atomic_dec() barrier() +diff --git a/arch/ia64/include/asm/cache.h b/arch/ia64/include/asm/cache.h +index 988254a..e1ee885 100644 +--- a/arch/ia64/include/asm/cache.h ++++ b/arch/ia64/include/asm/cache.h +@@ -1,6 +1,7 @@ + #ifndef _ASM_IA64_CACHE_H + #define _ASM_IA64_CACHE_H + ++#include + + /* + * Copyright (C) 1998-2000 Hewlett-Packard Co +@@ -9,7 +10,7 @@ + + /* Bytes per L1 (data) cache line. */ + #define L1_CACHE_SHIFT CONFIG_IA64_L1_CACHE_SHIFT +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #ifdef CONFIG_SMP + # define SMP_CACHE_SHIFT L1_CACHE_SHIFT +diff --git a/arch/ia64/include/asm/elf.h b/arch/ia64/include/asm/elf.h +index 5a83c5c..4d7f553 100644 +--- a/arch/ia64/include/asm/elf.h ++++ b/arch/ia64/include/asm/elf.h +@@ -42,6 +42,13 @@ + */ + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL) + ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL) ++ ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13) ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13) ++#endif ++ + #define PT_IA_64_UNWIND 0x70000001 + + /* IA-64 relocations: */ +diff --git a/arch/ia64/include/asm/pgalloc.h b/arch/ia64/include/asm/pgalloc.h +index 5767cdf..7462574 100644 +--- a/arch/ia64/include/asm/pgalloc.h ++++ b/arch/ia64/include/asm/pgalloc.h +@@ -39,6 +39,12 @@ pgd_populate(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud) + pgd_val(*pgd_entry) = __pa(pud); + } + ++static inline void ++pgd_populate_kernel(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud) ++{ ++ pgd_populate(mm, pgd_entry, pud); ++} ++ + static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr) + { + return quicklist_alloc(0, GFP_KERNEL, NULL); +@@ -57,6 +63,12 @@ pud_populate(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd) + pud_val(*pud_entry) = __pa(pmd); + } + ++static inline void ++pud_populate_kernel(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd) ++{ ++ pud_populate(mm, pud_entry, pmd); ++} ++ + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr) + { + return quicklist_alloc(0, GFP_KERNEL, NULL); +diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h +index 7935115..c0eca6a 100644 +--- a/arch/ia64/include/asm/pgtable.h ++++ b/arch/ia64/include/asm/pgtable.h +@@ -12,7 +12,7 @@ + * David Mosberger-Tang + */ + +- ++#include + #include + #include + #include +@@ -142,6 +142,17 @@ + #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R) + #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R) + #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX) ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW) ++# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R) ++# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R) ++#else ++# define PAGE_SHARED_NOEXEC PAGE_SHARED ++# define PAGE_READONLY_NOEXEC PAGE_READONLY ++# define PAGE_COPY_NOEXEC PAGE_COPY ++#endif ++ + #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX) + #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX) + #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX) +diff --git a/arch/ia64/include/asm/spinlock.h b/arch/ia64/include/asm/spinlock.h +index 45698cd..e8e2dbc 100644 +--- a/arch/ia64/include/asm/spinlock.h ++++ b/arch/ia64/include/asm/spinlock.h +@@ -71,7 +71,7 @@ static __always_inline void __ticket_spin_unlock(arch_spinlock_t *lock) + unsigned short *p = (unsigned short *)&lock->lock + 1, tmp; + + asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p)); +- ACCESS_ONCE(*p) = (tmp + 2) & ~1; ++ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1; + } + + static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock) +diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h +index 449c8c0..3d4b1e9 100644 +--- a/arch/ia64/include/asm/uaccess.h ++++ b/arch/ia64/include/asm/uaccess.h +@@ -70,6 +70,7 @@ + && ((segment).seg == KERNEL_DS.seg \ + || likely(REGION_OFFSET((unsigned long) (addr)) < RGN_MAP_LIMIT))); \ + }) ++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size)) + #define access_ok(type, addr, size) __access_ok((addr), (size), get_fs()) + + /* +@@ -240,12 +241,24 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use + static inline unsigned long + __copy_to_user (void __user *to, const void *from, unsigned long count) + { ++ if (count > INT_MAX) ++ return count; ++ ++ if (!__builtin_constant_p(count)) ++ check_object_size(from, count, true); ++ + return __copy_user(to, (__force void __user *) from, count); + } + + static inline unsigned long + __copy_from_user (void *to, const void __user *from, unsigned long count) + { ++ if (count > INT_MAX) ++ return count; ++ ++ if (!__builtin_constant_p(count)) ++ check_object_size(to, count, false); ++ + return __copy_user((__force void __user *) to, from, count); + } + +@@ -255,10 +268,13 @@ __copy_from_user (void *to, const void __user *from, unsigned long count) + ({ \ + void __user *__cu_to = (to); \ + const void *__cu_from = (from); \ +- long __cu_len = (n); \ ++ unsigned long __cu_len = (n); \ + \ +- if (__access_ok(__cu_to, __cu_len, get_fs())) \ ++ if (__cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) { \ ++ if (!__builtin_constant_p(n)) \ ++ check_object_size(__cu_from, __cu_len, true); \ + __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \ ++ } \ + __cu_len; \ + }) + +@@ -266,11 +282,14 @@ __copy_from_user (void *to, const void __user *from, unsigned long count) + ({ \ + void *__cu_to = (to); \ + const void __user *__cu_from = (from); \ +- long __cu_len = (n); \ ++ unsigned long __cu_len = (n); \ + \ + __chk_user_ptr(__cu_from); \ +- if (__access_ok(__cu_from, __cu_len, get_fs())) \ ++ if (__cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) { \ ++ if (!__builtin_constant_p(n)) \ ++ check_object_size(__cu_to, __cu_len, false); \ + __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \ ++ } \ + __cu_len; \ + }) + +diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c +index 24603be..948052d 100644 +--- a/arch/ia64/kernel/module.c ++++ b/arch/ia64/kernel/module.c +@@ -307,8 +307,7 @@ plt_target (struct plt_entry *plt) + void + module_free (struct module *mod, void *module_region) + { +- if (mod && mod->arch.init_unw_table && +- module_region == mod->module_init) { ++ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) { + unw_remove_unwind_table(mod->arch.init_unw_table); + mod->arch.init_unw_table = NULL; + } +@@ -494,15 +493,39 @@ module_frob_arch_sections (Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, char *secstrings, + } + + static inline int ++in_init_rx (const struct module *mod, uint64_t addr) ++{ ++ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx; ++} ++ ++static inline int ++in_init_rw (const struct module *mod, uint64_t addr) ++{ ++ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw; ++} ++ ++static inline int + in_init (const struct module *mod, uint64_t addr) + { +- return addr - (uint64_t) mod->module_init < mod->init_size; ++ return in_init_rx(mod, addr) || in_init_rw(mod, addr); ++} ++ ++static inline int ++in_core_rx (const struct module *mod, uint64_t addr) ++{ ++ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx; ++} ++ ++static inline int ++in_core_rw (const struct module *mod, uint64_t addr) ++{ ++ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw; + } + + static inline int + in_core (const struct module *mod, uint64_t addr) + { +- return addr - (uint64_t) mod->module_core < mod->core_size; ++ return in_core_rx(mod, addr) || in_core_rw(mod, addr); + } + + static inline int +@@ -685,7 +708,14 @@ do_reloc (struct module *mod, uint8_t r_type, Elf64_Sym *sym, uint64_t addend, + break; + + case RV_BDREL: +- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core); ++ if (in_init_rx(mod, val)) ++ val -= (uint64_t) mod->module_init_rx; ++ else if (in_init_rw(mod, val)) ++ val -= (uint64_t) mod->module_init_rw; ++ else if (in_core_rx(mod, val)) ++ val -= (uint64_t) mod->module_core_rx; ++ else if (in_core_rw(mod, val)) ++ val -= (uint64_t) mod->module_core_rw; + break; + + case RV_LTV: +@@ -820,15 +850,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs, const char *strtab, unsigned int symind + * addresses have been selected... + */ + uint64_t gp; +- if (mod->core_size > MAX_LTOFF) ++ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF) + /* + * This takes advantage of fact that SHF_ARCH_SMALL gets allocated + * at the end of the module. + */ +- gp = mod->core_size - MAX_LTOFF / 2; ++ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2; + else +- gp = mod->core_size / 2; +- gp = (uint64_t) mod->module_core + ((gp + 7) & -8); ++ gp = (mod->core_size_rx + mod->core_size_rw) / 2; ++ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8); + mod->arch.gp = gp; + DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp); + } +diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c +index ab33328..f39506c 100644 +--- a/arch/ia64/kernel/palinfo.c ++++ b/arch/ia64/kernel/palinfo.c +@@ -980,7 +980,7 @@ static int palinfo_cpu_callback(struct notifier_block *nfb, + return NOTIFY_OK; + } + +-static struct notifier_block __refdata palinfo_cpu_notifier = ++static struct notifier_block palinfo_cpu_notifier = + { + .notifier_call = palinfo_cpu_callback, + .priority = 0, +diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c +index 41e33f8..65180b2a 100644 +--- a/arch/ia64/kernel/sys_ia64.c ++++ b/arch/ia64/kernel/sys_ia64.c +@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len + unsigned long align_mask = 0; + struct mm_struct *mm = current->mm; + struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (len > RGN_MAP_LIMIT) + return -ENOMEM; +@@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len + if (REGION_NUMBER(addr) == RGN_HPAGE) + addr = 0; + #endif ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ addr = mm->free_area_cache; ++ else ++#endif ++ + if (!addr) + addr = TASK_UNMAPPED_BASE; + +@@ -61,6 +69,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len + info.high_limit = TASK_SIZE; + info.align_mask = align_mask; + info.align_offset = 0; ++ info.threadstack_offset = offset; + return vm_unmapped_area(&info); + } + +diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S +index 84f8a52..7c76178 100644 +--- a/arch/ia64/kernel/vmlinux.lds.S ++++ b/arch/ia64/kernel/vmlinux.lds.S +@@ -192,7 +192,7 @@ SECTIONS { + /* Per-cpu data: */ + . = ALIGN(PERCPU_PAGE_SIZE); + PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu) +- __phys_per_cpu_start = __per_cpu_load; ++ __phys_per_cpu_start = per_cpu_load; + /* + * ensure percpu data fits + * into percpu page size +diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c +index 7225dad..2a7c8256 100644 +--- a/arch/ia64/mm/fault.c ++++ b/arch/ia64/mm/fault.c +@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned long address) + return pte_present(pte); + } + ++#ifdef CONFIG_PAX_PAGEEXEC ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ unsigned long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 8; i++) { ++ unsigned int c; ++ if (get_user(c, (unsigned int *)pc+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%08x ", c); ++ } ++ printk("\n"); ++} ++#endif ++ + # define VM_READ_BIT 0 + # define VM_WRITE_BIT 1 + # define VM_EXEC_BIT 2 +@@ -151,8 +168,21 @@ retry: + if (((isr >> IA64_ISR_R_BIT) & 1UL) && (!(vma->vm_flags & (VM_READ | VM_WRITE)))) + goto bad_area; + +- if ((vma->vm_flags & mask) != mask) ++ if ((vma->vm_flags & mask) != mask) { ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) { ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip) ++ goto bad_area; ++ ++ up_read(&mm->mmap_sem); ++ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12); ++ do_group_exit(SIGKILL); ++ } ++#endif ++ + goto bad_area; ++ } + + /* + * If for any reason at all we couldn't handle the fault, make +diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c +index 68232db..6ca80af 100644 +--- a/arch/ia64/mm/hugetlbpage.c ++++ b/arch/ia64/mm/hugetlbpage.c +@@ -154,6 +154,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u + unsigned long pgoff, unsigned long flags) + { + struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags); + + if (len > RGN_MAP_LIMIT) + return -ENOMEM; +@@ -177,6 +178,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u + info.high_limit = HPAGE_REGION_BASE + RGN_MAP_LIMIT; + info.align_mask = PAGE_MASK & (HPAGE_SIZE - 1); + info.align_offset = 0; ++ info.threadstack_offset = offset; + return vm_unmapped_area(&info); + } + +diff --git a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c +index 25c3502..560dae7 100644 +--- a/arch/ia64/mm/init.c ++++ b/arch/ia64/mm/init.c +@@ -120,6 +120,19 @@ ia64_init_addr_space (void) + vma->vm_start = current->thread.rbs_bot & PAGE_MASK; + vma->vm_end = vma->vm_start + PAGE_SIZE; + vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT; ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) { ++ vma->vm_flags &= ~VM_EXEC; ++ ++#ifdef CONFIG_PAX_MPROTECT ++ if (current->mm->pax_flags & MF_PAX_MPROTECT) ++ vma->vm_flags &= ~VM_MAYEXEC; ++#endif ++ ++ } ++#endif ++ + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); + down_write(¤t->mm->mmap_sem); + if (insert_vm_struct(current->mm, vma)) { +diff --git a/arch/m32r/include/asm/cache.h b/arch/m32r/include/asm/cache.h +index 40b3ee9..8c2c112 100644 +--- a/arch/m32r/include/asm/cache.h ++++ b/arch/m32r/include/asm/cache.h +@@ -1,8 +1,10 @@ + #ifndef _ASM_M32R_CACHE_H + #define _ASM_M32R_CACHE_H + ++#include ++ + /* L1 cache line size */ + #define L1_CACHE_SHIFT 4 +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #endif /* _ASM_M32R_CACHE_H */ +diff --git a/arch/m32r/lib/usercopy.c b/arch/m32r/lib/usercopy.c +index 82abd15..d95ae5d 100644 +--- a/arch/m32r/lib/usercopy.c ++++ b/arch/m32r/lib/usercopy.c +@@ -14,6 +14,9 @@ + unsigned long + __generic_copy_to_user(void __user *to, const void *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ + prefetch(from); + if (access_ok(VERIFY_WRITE, to, n)) + __copy_user(to,from,n); +@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, const void *from, unsigned long n) + unsigned long + __generic_copy_from_user(void *to, const void __user *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ + prefetchw(to); + if (access_ok(VERIFY_READ, from, n)) + __copy_user_zeroing(to,from,n); +diff --git a/arch/m68k/include/asm/cache.h b/arch/m68k/include/asm/cache.h +index 0395c51..5f26031 100644 +--- a/arch/m68k/include/asm/cache.h ++++ b/arch/m68k/include/asm/cache.h +@@ -4,9 +4,11 @@ + #ifndef __ARCH_M68K_CACHE_H + #define __ARCH_M68K_CACHE_H + ++#include ++ + /* bytes per L1 cache line */ + #define L1_CACHE_SHIFT 4 +-#define L1_CACHE_BYTES (1<< L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define ARCH_DMA_MINALIGN L1_CACHE_BYTES + +diff --git a/arch/metag/mm/hugetlbpage.c b/arch/metag/mm/hugetlbpage.c +index 0424315..defcca9 100644 +--- a/arch/metag/mm/hugetlbpage.c ++++ b/arch/metag/mm/hugetlbpage.c +@@ -205,6 +205,7 @@ hugetlb_get_unmapped_area_new_pmd(unsigned long len) + info.high_limit = TASK_SIZE; + info.align_mask = PAGE_MASK & HUGEPT_MASK; + info.align_offset = 0; ++ info.threadstack_offset = 0; + return vm_unmapped_area(&info); + } + +diff --git a/arch/microblaze/include/asm/cache.h b/arch/microblaze/include/asm/cache.h +index 4efe96a..60e8699 100644 +--- a/arch/microblaze/include/asm/cache.h ++++ b/arch/microblaze/include/asm/cache.h +@@ -13,11 +13,12 @@ + #ifndef _ASM_MICROBLAZE_CACHE_H + #define _ASM_MICROBLAZE_CACHE_H + ++#include + #include + + #define L1_CACHE_SHIFT 5 + /* word-granular cache in microblaze */ +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define SMP_CACHE_BYTES L1_CACHE_BYTES + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index 95fa1f1..56a6fa2 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -2298,6 +2298,7 @@ source "kernel/Kconfig.preempt" + + config KEXEC + bool "Kexec system call" ++ depends on !GRKERNSEC_KMEM + help + kexec is a system call that implements the ability to shutdown your + current kernel, and to start another kernel. It is like a reboot +diff --git a/arch/mips/cavium-octeon/dma-octeon.c b/arch/mips/cavium-octeon/dma-octeon.c +index 02f2444..506969c 100644 +--- a/arch/mips/cavium-octeon/dma-octeon.c ++++ b/arch/mips/cavium-octeon/dma-octeon.c +@@ -199,7 +199,7 @@ static void octeon_dma_free_coherent(struct device *dev, size_t size, + if (dma_release_from_coherent(dev, order, vaddr)) + return; + +- swiotlb_free_coherent(dev, size, vaddr, dma_handle); ++ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs); + } + + static dma_addr_t octeon_unity_phys_to_dma(struct device *dev, phys_addr_t paddr) +diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h +index 7eed2f2..c4e385d 100644 +--- a/arch/mips/include/asm/atomic.h ++++ b/arch/mips/include/asm/atomic.h +@@ -21,15 +21,39 @@ + #include + #include + ++#ifdef CONFIG_GENERIC_ATOMIC64 ++#include ++#endif ++ + #define ATOMIC_INIT(i) { (i) } + ++#ifdef CONFIG_64BIT ++#define _ASM_EXTABLE(from, to) \ ++" .section __ex_table,\"a\"\n" \ ++" .dword " #from ", " #to"\n" \ ++" .previous\n" ++#else ++#define _ASM_EXTABLE(from, to) \ ++" .section __ex_table,\"a\"\n" \ ++" .word " #from ", " #to"\n" \ ++" .previous\n" ++#endif ++ + /* + * atomic_read - read atomic variable + * @v: pointer of type atomic_t + * + * Atomically reads the value of @v. + */ +-#define atomic_read(v) (*(volatile int *)&(v)->counter) ++static inline int atomic_read(const atomic_t *v) ++{ ++ return (*(volatile const int *) &v->counter); ++} ++ ++static inline int atomic_read_unchecked(const atomic_unchecked_t *v) ++{ ++ return (*(volatile const int *) &v->counter); ++} + + /* + * atomic_set - set atomic variable +@@ -38,7 +62,15 @@ + * + * Atomically sets the value of @v to @i. + */ +-#define atomic_set(v, i) ((v)->counter = (i)) ++static inline void atomic_set(atomic_t *v, int i) ++{ ++ v->counter = i; ++} ++ ++static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i) ++{ ++ v->counter = i; ++} + + /* + * atomic_add - add integer to atomic variable +@@ -47,7 +79,67 @@ + * + * Atomically adds @i to @v. + */ +-static __inline__ void atomic_add(int i, atomic_t * v) ++static __inline__ void atomic_add(int i, atomic_t *v) ++{ ++ int temp; ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: ll %0, %1 # atomic_add \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "2: add %0, %2 \n" ++#else ++ " addu %0, %2 \n" ++#endif ++ " sc %0, %1 \n" ++ " beqzl %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "3: \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ " .set mips0 \n" ++ : "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else if (kernel_uses_llsc) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: ll %0, %1 # atomic_add \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "2: add %0, %2 \n" ++#else ++ " addu %0, %2 \n" ++#endif ++ " sc %0, %1 \n" ++ " beqz %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "3: \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ " .set mips0 \n" ++ : "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else { ++ unsigned long flags; ++ ++ raw_local_irq_save(flags); ++ __asm__ __volatile__( ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "1: add %0, %1 \n" ++ "2: \n" ++ _ASM_EXTABLE(1b, 2b) ++#else ++ " addu %0, %1 \n" ++#endif ++ : "+r" (v->counter) : "Ir" (i)); ++ raw_local_irq_restore(flags); ++ } ++} ++ ++static __inline__ void atomic_add_unchecked(int i, atomic_unchecked_t *v) + { + if (kernel_uses_llsc && R10000_LLSC_WAR) { + int temp; +@@ -90,7 +182,67 @@ static __inline__ void atomic_add(int i, atomic_t * v) + * + * Atomically subtracts @i from @v. + */ +-static __inline__ void atomic_sub(int i, atomic_t * v) ++static __inline__ void atomic_sub(int i, atomic_t *v) ++{ ++ int temp; ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: ll %0, %1 # atomic64_sub \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "2: sub %0, %2 \n" ++#else ++ " subu %0, %2 \n" ++#endif ++ " sc %0, %1 \n" ++ " beqzl %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "3: \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ " .set mips0 \n" ++ : "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else if (kernel_uses_llsc) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: ll %0, %1 # atomic64_sub \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "2: sub %0, %2 \n" ++#else ++ " subu %0, %2 \n" ++#endif ++ " sc %0, %1 \n" ++ " beqz %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "3: \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ " .set mips0 \n" ++ : "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else { ++ unsigned long flags; ++ ++ raw_local_irq_save(flags); ++ __asm__ __volatile__( ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "1: sub %0, %1 \n" ++ "2: \n" ++ _ASM_EXTABLE(1b, 2b) ++#else ++ " subu %0, %1 \n" ++#endif ++ : "+r" (v->counter) : "Ir" (i)); ++ raw_local_irq_restore(flags); ++ } ++} ++ ++static __inline__ void atomic_sub_unchecked(long i, atomic_unchecked_t *v) + { + if (kernel_uses_llsc && R10000_LLSC_WAR) { + int temp; +@@ -129,7 +281,93 @@ static __inline__ void atomic_sub(int i, atomic_t * v) + /* + * Same as above, but return the result value + */ +-static __inline__ int atomic_add_return(int i, atomic_t * v) ++static __inline__ int atomic_add_return(int i, atomic_t *v) ++{ ++ int result; ++ int temp; ++ ++ smp_mb__before_llsc(); ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: ll %1, %2 # atomic_add_return \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "2: add %0, %1, %3 \n" ++#else ++ " addu %0, %1, %3 \n" ++#endif ++ " sc %0, %2 \n" ++ " beqzl %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ " b 4f \n" ++ " .set noreorder \n" ++ "3: b 5f \n" ++ " move %0, %1 \n" ++ " .set reorder \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ "4: addu %0, %1, %3 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "5: \n" ++#endif ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else if (kernel_uses_llsc) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: ll %1, %2 # atomic_add_return \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "2: add %0, %1, %3 \n" ++#else ++ " addu %0, %1, %3 \n" ++#endif ++ " sc %0, %2 \n" ++ " bnez %0, 4f \n" ++ " b 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ " .set noreorder \n" ++ "3: b 5f \n" ++ " move %0, %1 \n" ++ " .set reorder \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ "4: addu %0, %1, %3 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "5: \n" ++#endif ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else { ++ unsigned long flags; ++ ++ raw_local_irq_save(flags); ++ __asm__ __volatile__( ++ " lw %0, %1 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "1: add %0, %2 \n" ++#else ++ " addu %0, %2 \n" ++#endif ++ " sw %0, %1 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Note: Dest reg is not modified on overflow */ ++ "2: \n" ++ _ASM_EXTABLE(1b, 2b) ++#endif ++ : "=&r" (result), "+m" (v->counter) : "Ir" (i)); ++ raw_local_irq_restore(flags); ++ } ++ ++ smp_llsc_mb(); ++ ++ return result; ++} ++ ++static __inline__ int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) + { + int result; + +@@ -178,7 +416,93 @@ static __inline__ int atomic_add_return(int i, atomic_t * v) + return result; + } + +-static __inline__ int atomic_sub_return(int i, atomic_t * v) ++static __inline__ int atomic_sub_return(int i, atomic_t *v) ++{ ++ int result; ++ int temp; ++ ++ smp_mb__before_llsc(); ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: ll %1, %2 # atomic_sub_return \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "2: sub %0, %1, %3 \n" ++#else ++ " subu %0, %1, %3 \n" ++#endif ++ " sc %0, %2 \n" ++ " beqzl %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ " b 4f \n" ++ " .set noreorder \n" ++ "3: b 5f \n" ++ " move %0, %1 \n" ++ " .set reorder \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ "4: subu %0, %1, %3 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "5: \n" ++#endif ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "=m" (v->counter) ++ : "Ir" (i), "m" (v->counter) ++ : "memory"); ++ } else if (kernel_uses_llsc) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: ll %1, %2 # atomic_sub_return \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "2: sub %0, %1, %3 \n" ++#else ++ " subu %0, %1, %3 \n" ++#endif ++ " sc %0, %2 \n" ++ " bnez %0, 4f \n" ++ " b 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ " .set noreorder \n" ++ "3: b 5f \n" ++ " move %0, %1 \n" ++ " .set reorder \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ "4: subu %0, %1, %3 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "5: \n" ++#endif ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else { ++ unsigned long flags; ++ ++ raw_local_irq_save(flags); ++ __asm__ __volatile__( ++ " lw %0, %1 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "1: sub %0, %2 \n" ++#else ++ " subu %0, %2 \n" ++#endif ++ " sw %0, %1 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Note: Dest reg is not modified on overflow */ ++ "2: \n" ++ _ASM_EXTABLE(1b, 2b) ++#endif ++ : "=&r" (result), "+m" (v->counter) : "Ir" (i)); ++ raw_local_irq_restore(flags); ++ } ++ ++ smp_llsc_mb(); ++ ++ return result; ++} ++static __inline__ int atomic_sub_return_unchecked(int i, atomic_unchecked_t *v) + { + int result; + +@@ -238,7 +562,7 @@ static __inline__ int atomic_sub_return(int i, atomic_t * v) + * Atomically test @v and subtract @i if @v is greater or equal than @i. + * The function returns the old value of @v minus @i. + */ +-static __inline__ int atomic_sub_if_positive(int i, atomic_t * v) ++static __inline__ int atomic_sub_if_positive(int i, atomic_t *v) + { + int result; + +@@ -295,8 +619,26 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v) + return result; + } + +-#define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) +-#define atomic_xchg(v, new) (xchg(&((v)->counter), (new))) ++static inline int atomic_cmpxchg(atomic_t *v, int old, int new) ++{ ++ return cmpxchg(&v->counter, old, new); ++} ++ ++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, ++ int new) ++{ ++ return cmpxchg(&(v->counter), old, new); ++} ++ ++static inline int atomic_xchg(atomic_t *v, int new) ++{ ++ return xchg(&v->counter, new); ++} ++ ++static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new) ++{ ++ return xchg(&(v->counter), new); ++} + + /** + * __atomic_add_unless - add unless the number is a given value +@@ -324,6 +666,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u) + + #define atomic_dec_return(v) atomic_sub_return(1, (v)) + #define atomic_inc_return(v) atomic_add_return(1, (v)) ++static __inline__ int atomic_inc_return_unchecked(atomic_unchecked_t *v) ++{ ++ return atomic_add_return_unchecked(1, v); ++} + + /* + * atomic_sub_and_test - subtract value from variable and test result +@@ -345,6 +691,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u) + * other cases. + */ + #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0) ++static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v) ++{ ++ return atomic_add_return_unchecked(1, v) == 0; ++} + + /* + * atomic_dec_and_test - decrement by 1 and test +@@ -369,6 +719,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u) + * Atomically increments @v by 1. + */ + #define atomic_inc(v) atomic_add(1, (v)) ++static __inline__ void atomic_inc_unchecked(atomic_unchecked_t *v) ++{ ++ atomic_add_unchecked(1, v); ++} + + /* + * atomic_dec - decrement and test +@@ -377,6 +731,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u) + * Atomically decrements @v by 1. + */ + #define atomic_dec(v) atomic_sub(1, (v)) ++static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v) ++{ ++ atomic_sub_unchecked(1, v); ++} + + /* + * atomic_add_negative - add and test if negative +@@ -398,14 +756,30 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u) + * @v: pointer of type atomic64_t + * + */ +-#define atomic64_read(v) (*(volatile long *)&(v)->counter) ++static inline long atomic64_read(const atomic64_t *v) ++{ ++ return (*(volatile const long *) &v->counter); ++} ++ ++static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v) ++{ ++ return (*(volatile const long *) &v->counter); ++} + + /* + * atomic64_set - set atomic variable + * @v: pointer of type atomic64_t + * @i: required value + */ +-#define atomic64_set(v, i) ((v)->counter = (i)) ++static inline void atomic64_set(atomic64_t *v, long i) ++{ ++ v->counter = i; ++} ++ ++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i) ++{ ++ v->counter = i; ++} + + /* + * atomic64_add - add integer to atomic variable +@@ -414,7 +788,66 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u) + * + * Atomically adds @i to @v. + */ +-static __inline__ void atomic64_add(long i, atomic64_t * v) ++static __inline__ void atomic64_add(long i, atomic64_t *v) ++{ ++ long temp; ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: lld %0, %1 # atomic64_add \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "2: dadd %0, %2 \n" ++#else ++ " daddu %0, %2 \n" ++#endif ++ " scd %0, %1 \n" ++ " beqzl %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "3: \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ " .set mips0 \n" ++ : "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else if (kernel_uses_llsc) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: lld %0, %1 # atomic64_add \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "2: dadd %0, %2 \n" ++#else ++ " daddu %0, %2 \n" ++#endif ++ " scd %0, %1 \n" ++ " beqz %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "3: \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ " .set mips0 \n" ++ : "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else { ++ unsigned long flags; ++ ++ raw_local_irq_save(flags); ++ __asm__ __volatile__( ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "1: dadd %0, %1 \n" ++ "2: \n" ++ _ASM_EXTABLE(1b, 2b) ++#else ++ " daddu %0, %1 \n" ++#endif ++ : "+r" (v->counter) : "Ir" (i)); ++ raw_local_irq_restore(flags); ++ } ++} ++static __inline__ void atomic64_add_unchecked(long i, atomic64_unchecked_t *v) + { + if (kernel_uses_llsc && R10000_LLSC_WAR) { + long temp; +@@ -457,7 +890,67 @@ static __inline__ void atomic64_add(long i, atomic64_t * v) + * + * Atomically subtracts @i from @v. + */ +-static __inline__ void atomic64_sub(long i, atomic64_t * v) ++static __inline__ void atomic64_sub(long i, atomic64_t *v) ++{ ++ long temp; ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: lld %0, %1 # atomic64_sub \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "2: dsub %0, %2 \n" ++#else ++ " dsubu %0, %2 \n" ++#endif ++ " scd %0, %1 \n" ++ " beqzl %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "3: \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ " .set mips0 \n" ++ : "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else if (kernel_uses_llsc) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: lld %0, %1 # atomic64_sub \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "2: dsub %0, %2 \n" ++#else ++ " dsubu %0, %2 \n" ++#endif ++ " scd %0, %1 \n" ++ " beqz %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "3: \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ " .set mips0 \n" ++ : "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else { ++ unsigned long flags; ++ ++ raw_local_irq_save(flags); ++ __asm__ __volatile__( ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "1: dsub %0, %1 \n" ++ "2: \n" ++ _ASM_EXTABLE(1b, 2b) ++#else ++ " dsubu %0, %1 \n" ++#endif ++ : "+r" (v->counter) : "Ir" (i)); ++ raw_local_irq_restore(flags); ++ } ++} ++ ++static __inline__ void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v) + { + if (kernel_uses_llsc && R10000_LLSC_WAR) { + long temp; +@@ -496,7 +989,93 @@ static __inline__ void atomic64_sub(long i, atomic64_t * v) + /* + * Same as above, but return the result value + */ +-static __inline__ long atomic64_add_return(long i, atomic64_t * v) ++static __inline__ long atomic64_add_return(long i, atomic64_t *v) ++{ ++ long result; ++ long temp; ++ ++ smp_mb__before_llsc(); ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: lld %1, %2 # atomic64_add_return \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "2: dadd %0, %1, %3 \n" ++#else ++ " daddu %0, %1, %3 \n" ++#endif ++ " scd %0, %2 \n" ++ " beqzl %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ " b 4f \n" ++ " .set noreorder \n" ++ "3: b 5f \n" ++ " move %0, %1 \n" ++ " .set reorder \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ "4: daddu %0, %1, %3 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "5: \n" ++#endif ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "+m" (v->counter) ++ : "Ir" (i)); ++ } else if (kernel_uses_llsc) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: lld %1, %2 # atomic64_add_return \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "2: dadd %0, %1, %3 \n" ++#else ++ " daddu %0, %1, %3 \n" ++#endif ++ " scd %0, %2 \n" ++ " bnez %0, 4f \n" ++ " b 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ " .set noreorder \n" ++ "3: b 5f \n" ++ " move %0, %1 \n" ++ " .set reorder \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ "4: daddu %0, %1, %3 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "5: \n" ++#endif ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "=m" (v->counter) ++ : "Ir" (i), "m" (v->counter) ++ : "memory"); ++ } else { ++ unsigned long flags; ++ ++ raw_local_irq_save(flags); ++ __asm__ __volatile__( ++ " ld %0, %1 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "1: dadd %0, %2 \n" ++#else ++ " daddu %0, %2 \n" ++#endif ++ " sd %0, %1 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Note: Dest reg is not modified on overflow */ ++ "2: \n" ++ _ASM_EXTABLE(1b, 2b) ++#endif ++ : "=&r" (result), "+m" (v->counter) : "Ir" (i)); ++ raw_local_irq_restore(flags); ++ } ++ ++ smp_llsc_mb(); ++ ++ return result; ++} ++static __inline__ long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v) + { + long result; + +@@ -546,7 +1125,97 @@ static __inline__ long atomic64_add_return(long i, atomic64_t * v) + return result; + } + +-static __inline__ long atomic64_sub_return(long i, atomic64_t * v) ++static __inline__ long atomic64_sub_return(long i, atomic64_t *v) ++{ ++ long result; ++ long temp; ++ ++ smp_mb__before_llsc(); ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ long temp; ++ ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: lld %1, %2 # atomic64_sub_return \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "2: dsub %0, %1, %3 \n" ++#else ++ " dsubu %0, %1, %3 \n" ++#endif ++ " scd %0, %2 \n" ++ " beqzl %0, 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ " b 4f \n" ++ " .set noreorder \n" ++ "3: b 5f \n" ++ " move %0, %1 \n" ++ " .set reorder \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ "4: dsubu %0, %1, %3 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "5: \n" ++#endif ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "=m" (v->counter) ++ : "Ir" (i), "m" (v->counter) ++ : "memory"); ++ } else if (kernel_uses_llsc) { ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1: lld %1, %2 # atomic64_sub_return \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "2: dsub %0, %1, %3 \n" ++#else ++ " dsubu %0, %1, %3 \n" ++#endif ++ " scd %0, %2 \n" ++ " bnez %0, 4f \n" ++ " b 1b \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ " .set noreorder \n" ++ "3: b 5f \n" ++ " move %0, %1 \n" ++ " .set reorder \n" ++ _ASM_EXTABLE(2b, 3b) ++#endif ++ "4: dsubu %0, %1, %3 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ "5: \n" ++#endif ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "=m" (v->counter) ++ : "Ir" (i), "m" (v->counter) ++ : "memory"); ++ } else { ++ unsigned long flags; ++ ++ raw_local_irq_save(flags); ++ __asm__ __volatile__( ++ " ld %0, %1 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Exception on overflow. */ ++ "1: dsub %0, %2 \n" ++#else ++ " dsubu %0, %2 \n" ++#endif ++ " sd %0, %1 \n" ++#ifdef CONFIG_PAX_REFCOUNT ++ /* Note: Dest reg is not modified on overflow */ ++ "2: \n" ++ _ASM_EXTABLE(1b, 2b) ++#endif ++ : "=&r" (result), "+m" (v->counter) : "Ir" (i)); ++ raw_local_irq_restore(flags); ++ } ++ ++ smp_llsc_mb(); ++ ++ return result; ++} ++ ++static __inline__ long atomic64_sub_return_unchecked(long i, atomic64_unchecked_t *v) + { + long result; + +@@ -605,7 +1274,7 @@ static __inline__ long atomic64_sub_return(long i, atomic64_t * v) + * Atomically test @v and subtract @i if @v is greater or equal than @i. + * The function returns the old value of @v minus @i. + */ +-static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v) ++static __inline__ long atomic64_sub_if_positive(long i, atomic64_t *v) + { + long result; + +@@ -662,9 +1331,26 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v) + return result; + } + +-#define atomic64_cmpxchg(v, o, n) \ +- ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n))) +-#define atomic64_xchg(v, new) (xchg(&((v)->counter), (new))) ++static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new) ++{ ++ return cmpxchg(&v->counter, old, new); ++} ++ ++static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, ++ long new) ++{ ++ return cmpxchg(&(v->counter), old, new); ++} ++ ++static inline long atomic64_xchg(atomic64_t *v, long new) ++{ ++ return xchg(&v->counter, new); ++} ++ ++static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new) ++{ ++ return xchg(&(v->counter), new); ++} + + /** + * atomic64_add_unless - add unless the number is a given value +@@ -694,6 +1380,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) + + #define atomic64_dec_return(v) atomic64_sub_return(1, (v)) + #define atomic64_inc_return(v) atomic64_add_return(1, (v)) ++#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1, (v)) + + /* + * atomic64_sub_and_test - subtract value from variable and test result +@@ -715,6 +1402,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) + * other cases. + */ + #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0) ++#define atomic64_inc_and_test_unchecked(v) atomic64_add_return_unchecked(1, (v)) == 0) + + /* + * atomic64_dec_and_test - decrement by 1 and test +@@ -739,6 +1427,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) + * Atomically increments @v by 1. + */ + #define atomic64_inc(v) atomic64_add(1, (v)) ++#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1, (v)) + + /* + * atomic64_dec - decrement and test +@@ -747,6 +1436,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) + * Atomically decrements @v by 1. + */ + #define atomic64_dec(v) atomic64_sub(1, (v)) ++#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1, (v)) + + /* + * atomic64_add_negative - add and test if negative +diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h +index b4db69f..8f3b093 100644 +--- a/arch/mips/include/asm/cache.h ++++ b/arch/mips/include/asm/cache.h +@@ -9,10 +9,11 @@ + #ifndef _ASM_CACHE_H + #define _ASM_CACHE_H + ++#include + #include + + #define L1_CACHE_SHIFT CONFIG_MIPS_L1_CACHE_SHIFT +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define SMP_CACHE_SHIFT L1_CACHE_SHIFT + #define SMP_CACHE_BYTES L1_CACHE_BYTES +diff --git a/arch/mips/include/asm/elf.h b/arch/mips/include/asm/elf.h +index d414405..6bb4ba2 100644 +--- a/arch/mips/include/asm/elf.h ++++ b/arch/mips/include/asm/elf.h +@@ -398,13 +398,16 @@ extern const char *__elf_platform; + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) + #endif + ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL) ++ ++#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) ++#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) ++#endif ++ + #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 + struct linux_binprm; + extern int arch_setup_additional_pages(struct linux_binprm *bprm, + int uses_interp); + +-struct mm_struct; +-extern unsigned long arch_randomize_brk(struct mm_struct *mm); +-#define arch_randomize_brk arch_randomize_brk +- + #endif /* _ASM_ELF_H */ +diff --git a/arch/mips/include/asm/exec.h b/arch/mips/include/asm/exec.h +index c1f6afa..38cc6e9 100644 +--- a/arch/mips/include/asm/exec.h ++++ b/arch/mips/include/asm/exec.h +@@ -12,6 +12,6 @@ + #ifndef _ASM_EXEC_H + #define _ASM_EXEC_H + +-extern unsigned long arch_align_stack(unsigned long sp); ++#define arch_align_stack(x) ((x) & ~0xfUL) + + #endif /* _ASM_EXEC_H */ +diff --git a/arch/mips/include/asm/hw_irq.h b/arch/mips/include/asm/hw_irq.h +index 9e8ef59..1139d6b 100644 +--- a/arch/mips/include/asm/hw_irq.h ++++ b/arch/mips/include/asm/hw_irq.h +@@ -10,7 +10,7 @@ + + #include + +-extern atomic_t irq_err_count; ++extern atomic_unchecked_t irq_err_count; + + /* + * interrupt-retrigger: NOP for now. This may not be appropriate for all +diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h +index d44622c..64990d2 100644 +--- a/arch/mips/include/asm/local.h ++++ b/arch/mips/include/asm/local.h +@@ -12,15 +12,25 @@ typedef struct + atomic_long_t a; + } local_t; + ++typedef struct { ++ atomic_long_unchecked_t a; ++} local_unchecked_t; ++ + #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) } + + #define local_read(l) atomic_long_read(&(l)->a) ++#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a) + #define local_set(l, i) atomic_long_set(&(l)->a, (i)) ++#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i)) + + #define local_add(i, l) atomic_long_add((i), (&(l)->a)) ++#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a)) + #define local_sub(i, l) atomic_long_sub((i), (&(l)->a)) ++#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a)) + #define local_inc(l) atomic_long_inc(&(l)->a) ++#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a) + #define local_dec(l) atomic_long_dec(&(l)->a) ++#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a) + + /* + * Same as above, but return the result value +@@ -70,6 +80,51 @@ static __inline__ long local_add_return(long i, local_t * l) + return result; + } + ++static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l) ++{ ++ unsigned long result; ++ ++ if (kernel_uses_llsc && R10000_LLSC_WAR) { ++ unsigned long temp; ++ ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1:" __LL "%1, %2 # local_add_return \n" ++ " addu %0, %1, %3 \n" ++ __SC "%0, %2 \n" ++ " beqzl %0, 1b \n" ++ " addu %0, %1, %3 \n" ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter) ++ : "Ir" (i), "m" (l->a.counter) ++ : "memory"); ++ } else if (kernel_uses_llsc) { ++ unsigned long temp; ++ ++ __asm__ __volatile__( ++ " .set mips3 \n" ++ "1:" __LL "%1, %2 # local_add_return \n" ++ " addu %0, %1, %3 \n" ++ __SC "%0, %2 \n" ++ " beqz %0, 1b \n" ++ " addu %0, %1, %3 \n" ++ " .set mips0 \n" ++ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter) ++ : "Ir" (i), "m" (l->a.counter) ++ : "memory"); ++ } else { ++ unsigned long flags; ++ ++ local_irq_save(flags); ++ result = l->a.counter; ++ result += i; ++ l->a.counter = result; ++ local_irq_restore(flags); ++ } ++ ++ return result; ++} ++ + static __inline__ long local_sub_return(long i, local_t * l) + { + unsigned long result; +@@ -117,6 +172,8 @@ static __inline__ long local_sub_return(long i, local_t * l) + + #define local_cmpxchg(l, o, n) \ + ((long)cmpxchg_local(&((l)->a.counter), (o), (n))) ++#define local_cmpxchg_unchecked(l, o, n) \ ++ ((long)cmpxchg_local(&((l)->a.counter), (o), (n))) + #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n))) + + /** +diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h +index 5e08bcc..cfedefc 100644 +--- a/arch/mips/include/asm/page.h ++++ b/arch/mips/include/asm/page.h +@@ -120,7 +120,7 @@ extern void copy_user_highpage(struct page *to, struct page *from, + #ifdef CONFIG_CPU_MIPS32 + typedef struct { unsigned long pte_low, pte_high; } pte_t; + #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32)) +- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; }) ++ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; }) + #else + typedef struct { unsigned long long pte; } pte_t; + #define pte_val(x) ((x).pte) +diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h +index b336037..5b874cc 100644 +--- a/arch/mips/include/asm/pgalloc.h ++++ b/arch/mips/include/asm/pgalloc.h +@@ -37,6 +37,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) + { + set_pud(pud, __pud((unsigned long)pmd)); + } ++ ++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) ++{ ++ pud_populate(mm, pud, pmd); ++} + #endif + + /* +diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h +index 008324d..f67c239 100644 +--- a/arch/mips/include/asm/pgtable.h ++++ b/arch/mips/include/asm/pgtable.h +@@ -20,6 +20,9 @@ + #include + #include + ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + struct mm_struct; + struct vm_area_struct; + +diff --git a/arch/mips/include/asm/smtc_proc.h b/arch/mips/include/asm/smtc_proc.h +index 25da651..ae2a259 100644 +--- a/arch/mips/include/asm/smtc_proc.h ++++ b/arch/mips/include/asm/smtc_proc.h +@@ -18,6 +18,6 @@ extern struct smtc_cpu_proc smtc_cpu_stats[NR_CPUS]; + + /* Count of number of recoveries of "stolen" FPU access rights on 34K */ + +-extern atomic_t smtc_fpu_recoveries; ++extern atomic_unchecked_t smtc_fpu_recoveries; + + #endif /* __ASM_SMTC_PROC_H */ +diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h +index 24846f9..61c49f0 100644 +--- a/arch/mips/include/asm/thread_info.h ++++ b/arch/mips/include/asm/thread_info.h +@@ -116,6 +116,8 @@ static inline struct thread_info *current_thread_info(void) + #define TIF_LOAD_WATCH 25 /* If set, load watch registers */ + #define TIF_SYSCALL_TRACEPOINT 26 /* syscall tracepoint instrumentation */ + #define TIF_32BIT_FPREGS 27 /* 32-bit floating point registers */ ++/* li takes a 32bit immediate */ ++#define TIF_GRSEC_SETXID 29 /* update credentials on syscall entry/exit */ + #define TIF_SYSCALL_TRACE 31 /* syscall trace active */ + + #define _TIF_SYSCALL_TRACE (1< + #include + #include +diff --git a/arch/mips/kernel/binfmt_elfo32.c b/arch/mips/kernel/binfmt_elfo32.c +index 7faf5f2..f3d3cf4 100644 +--- a/arch/mips/kernel/binfmt_elfo32.c ++++ b/arch/mips/kernel/binfmt_elfo32.c +@@ -70,6 +70,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG]; + #undef ELF_ET_DYN_BASE + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2) + ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL) ++ ++#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) ++#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT) ++#endif ++ + #include + + /* +diff --git a/arch/mips/kernel/i8259.c b/arch/mips/kernel/i8259.c +index 2b91fe8..fe4f6b4 100644 +--- a/arch/mips/kernel/i8259.c ++++ b/arch/mips/kernel/i8259.c +@@ -205,7 +205,7 @@ spurious_8259A_irq: + printk(KERN_DEBUG "spurious 8259A interrupt: IRQ%d.\n", irq); + spurious_irq_mask |= irqmask; + } +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + /* + * Theoretically we do not have to handle this IRQ, + * but in Linux this does not cause problems and is +diff --git a/arch/mips/kernel/irq-gt641xx.c b/arch/mips/kernel/irq-gt641xx.c +index 44a1f79..2bd6aa3 100644 +--- a/arch/mips/kernel/irq-gt641xx.c ++++ b/arch/mips/kernel/irq-gt641xx.c +@@ -110,7 +110,7 @@ void gt641xx_irq_dispatch(void) + } + } + +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + } + + void __init gt641xx_irq_init(void) +diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c +index d1fea7a..45602ea 100644 +--- a/arch/mips/kernel/irq.c ++++ b/arch/mips/kernel/irq.c +@@ -77,17 +77,17 @@ void ack_bad_irq(unsigned int irq) + printk("unexpected IRQ # %d\n", irq); + } + +-atomic_t irq_err_count; ++atomic_unchecked_t irq_err_count; + + int arch_show_interrupts(struct seq_file *p, int prec) + { +- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count)); ++ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count)); + return 0; + } + + asmlinkage void spurious_interrupt(void) + { +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + } + + void __init init_IRQ(void) +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 6ae540e..b7396dc 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -562,15 +562,3 @@ unsigned long get_wchan(struct task_struct *task) + out: + return pc; + } +- +-/* +- * Don't forget that the stack pointer must be aligned on a 8 bytes +- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI. +- */ +-unsigned long arch_align_stack(unsigned long sp) +-{ +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) +- sp -= get_random_int() & ~PAGE_MASK; +- +- return sp & ALMASK; +-} +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index 7da9b76..21578be 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -658,6 +658,10 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * Notification of system call entry/exit + * - triggered by current->work.syscall_trace +@@ -674,6 +678,11 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs) + tracehook_report_syscall_entry(regs)) + ret = -1; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) + trace_sys_enter(regs, regs->regs[2]); + +diff --git a/arch/mips/kernel/reset.c b/arch/mips/kernel/reset.c +index 07fc524..b9d7f28 100644 +--- a/arch/mips/kernel/reset.c ++++ b/arch/mips/kernel/reset.c +@@ -13,6 +13,7 @@ + #include + + #include ++#include + + /* + * Urgs ... Too many MIPS machines to handle this in a generic way. +@@ -29,16 +30,19 @@ void machine_restart(char *command) + { + if (_machine_restart) + _machine_restart(command); ++ BUG(); + } + + void machine_halt(void) + { + if (_machine_halt) + _machine_halt(); ++ BUG(); + } + + void machine_power_off(void) + { + if (pm_power_off) + pm_power_off(); ++ BUG(); + } +diff --git a/arch/mips/kernel/smtc-proc.c b/arch/mips/kernel/smtc-proc.c +index c10aa84..9ec2e60 100644 +--- a/arch/mips/kernel/smtc-proc.c ++++ b/arch/mips/kernel/smtc-proc.c +@@ -31,7 +31,7 @@ unsigned long selfipis[NR_CPUS]; + + struct smtc_cpu_proc smtc_cpu_stats[NR_CPUS]; + +-atomic_t smtc_fpu_recoveries; ++atomic_unchecked_t smtc_fpu_recoveries; + + static int smtc_proc_show(struct seq_file *m, void *v) + { +@@ -48,7 +48,7 @@ static int smtc_proc_show(struct seq_file *m, void *v) + for(i = 0; i < NR_CPUS; i++) + seq_printf(m, "%d: %ld\n", i, smtc_cpu_stats[i].selfipis); + seq_printf(m, "%d Recoveries of \"stolen\" FPU\n", +- atomic_read(&smtc_fpu_recoveries)); ++ atomic_read_unchecked(&smtc_fpu_recoveries)); + return 0; + } + +@@ -73,7 +73,7 @@ void init_smtc_stats(void) + smtc_cpu_stats[i].selfipis = 0; + } + +- atomic_set(&smtc_fpu_recoveries, 0); ++ atomic_set_unchecked(&smtc_fpu_recoveries, 0); + + proc_create("smtc", 0444, NULL, &smtc_proc_fops); + } +diff --git a/arch/mips/kernel/smtc.c b/arch/mips/kernel/smtc.c +index dfc1b91..11a2c07 100644 +--- a/arch/mips/kernel/smtc.c ++++ b/arch/mips/kernel/smtc.c +@@ -1359,7 +1359,7 @@ void smtc_soft_dump(void) + } + smtc_ipi_qdump(); + printk("%d Recoveries of \"stolen\" FPU\n", +- atomic_read(&smtc_fpu_recoveries)); ++ atomic_read_unchecked(&smtc_fpu_recoveries)); + } + + +diff --git a/arch/mips/kernel/sync-r4k.c b/arch/mips/kernel/sync-r4k.c +index c24ad5f..9983ab2 100644 +--- a/arch/mips/kernel/sync-r4k.c ++++ b/arch/mips/kernel/sync-r4k.c +@@ -20,8 +20,8 @@ + #include + + static atomic_t count_start_flag = ATOMIC_INIT(0); +-static atomic_t count_count_start = ATOMIC_INIT(0); +-static atomic_t count_count_stop = ATOMIC_INIT(0); ++static atomic_unchecked_t count_count_start = ATOMIC_INIT(0); ++static atomic_unchecked_t count_count_stop = ATOMIC_INIT(0); + static atomic_t count_reference = ATOMIC_INIT(0); + + #define COUNTON 100 +@@ -68,13 +68,13 @@ void synchronise_count_master(int cpu) + + for (i = 0; i < NR_LOOPS; i++) { + /* slaves loop on '!= 2' */ +- while (atomic_read(&count_count_start) != 1) ++ while (atomic_read_unchecked(&count_count_start) != 1) + mb(); +- atomic_set(&count_count_stop, 0); ++ atomic_set_unchecked(&count_count_stop, 0); + smp_wmb(); + + /* this lets the slaves write their count register */ +- atomic_inc(&count_count_start); ++ atomic_inc_unchecked(&count_count_start); + + /* + * Everyone initialises count in the last loop: +@@ -85,11 +85,11 @@ void synchronise_count_master(int cpu) + /* + * Wait for all slaves to leave the synchronization point: + */ +- while (atomic_read(&count_count_stop) != 1) ++ while (atomic_read_unchecked(&count_count_stop) != 1) + mb(); +- atomic_set(&count_count_start, 0); ++ atomic_set_unchecked(&count_count_start, 0); + smp_wmb(); +- atomic_inc(&count_count_stop); ++ atomic_inc_unchecked(&count_count_stop); + } + /* Arrange for an interrupt in a short while */ + write_c0_compare(read_c0_count() + COUNTON); +@@ -130,8 +130,8 @@ void synchronise_count_slave(int cpu) + initcount = atomic_read(&count_reference); + + for (i = 0; i < NR_LOOPS; i++) { +- atomic_inc(&count_count_start); +- while (atomic_read(&count_count_start) != 2) ++ atomic_inc_unchecked(&count_count_start); ++ while (atomic_read_unchecked(&count_count_start) != 2) + mb(); + + /* +@@ -140,8 +140,8 @@ void synchronise_count_slave(int cpu) + if (i == NR_LOOPS-1) + write_c0_count(initcount); + +- atomic_inc(&count_count_stop); +- while (atomic_read(&count_count_stop) != 2) ++ atomic_inc_unchecked(&count_count_stop); ++ while (atomic_read_unchecked(&count_count_stop) != 2) + mb(); + } + /* Arrange for an interrupt in a short while */ +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c +index e0b4996..6b43ce7 100644 +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -691,7 +691,18 @@ asmlinkage void do_ov(struct pt_regs *regs) + siginfo_t info; + + prev_state = exception_enter(); +- die_if_kernel("Integer overflow", regs); ++ if (unlikely(!user_mode(regs))) { ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ if (fixup_exception(regs)) { ++ pax_report_refcount_overflow(regs); ++ exception_exit(prev_state); ++ return; ++ } ++#endif ++ ++ die("Integer overflow", regs); ++ } + + info.si_code = FPE_INTOVF; + info.si_signo = SIGFPE; +diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c +index becc42b..9e43d4b 100644 +--- a/arch/mips/mm/fault.c ++++ b/arch/mips/mm/fault.c +@@ -28,6 +28,23 @@ + #include /* For VMALLOC_END */ + #include + ++#ifdef CONFIG_PAX_PAGEEXEC ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ unsigned long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 5; i++) { ++ unsigned int c; ++ if (get_user(c, (unsigned int *)pc+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%08x ", c); ++ } ++ printk("\n"); ++} ++#endif ++ + /* + * This routine handles page faults. It determines the address, + * and the problem, and then passes it off to one of the appropriate +@@ -199,6 +216,14 @@ bad_area: + bad_area_nosemaphore: + /* User mode accesses just cause a SIGSEGV */ + if (user_mode(regs)) { ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) { ++ pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs)); ++ do_group_exit(SIGKILL); ++ } ++#endif ++ + tsk->thread.cp0_badvaddr = address; + tsk->thread.error_code = write; + #if 0 +diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c +index f1baadd..5472dca 100644 +--- a/arch/mips/mm/mmap.c ++++ b/arch/mips/mm/mmap.c +@@ -59,6 +59,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, + struct vm_area_struct *vma; + unsigned long addr = addr0; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + struct vm_unmapped_area_info info; + + if (unlikely(len > TASK_SIZE)) +@@ -84,6 +85,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, + do_color_align = 1; + + /* requesting a specific address */ ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + if (do_color_align) + addr = COLOUR_ALIGN(addr, pgoff); +@@ -91,14 +97,14 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, + addr = PAGE_ALIGN(addr); + + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + + info.length = len; + info.align_mask = do_color_align ? (PAGE_MASK & shm_align_mask) : 0; + info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + + if (dir == DOWN) { + info.flags = VM_UNMAPPED_AREA_TOPDOWN; +@@ -146,6 +152,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + { + unsigned long random_factor = 0UL; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (current->flags & PF_RANDOMIZE) { + random_factor = get_random_int(); + random_factor = random_factor << PAGE_SHIFT; +@@ -157,40 +167,25 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + + if (mmap_is_legacy()) { + mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base += mm->delta_mmap; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area; + } else { + mm->mmap_base = mmap_base(random_factor); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area_topdown; + } + } + +-static inline unsigned long brk_rnd(void) +-{ +- unsigned long rnd = get_random_int(); +- +- rnd = rnd << PAGE_SHIFT; +- /* 8MB for 32bit, 256MB for 64bit */ +- if (TASK_IS_32BIT_ADDR) +- rnd = rnd & 0x7ffffful; +- else +- rnd = rnd & 0xffffffful; +- +- return rnd; +-} +- +-unsigned long arch_randomize_brk(struct mm_struct *mm) +-{ +- unsigned long base = mm->brk; +- unsigned long ret; +- +- ret = PAGE_ALIGN(base + brk_rnd()); +- +- if (ret < mm->brk) +- return mm->brk; +- +- return ret; +-} +- + int __virt_addr_valid(const volatile void *kaddr) + { + return pfn_valid(PFN_DOWN(virt_to_phys(kaddr))); +diff --git a/arch/mips/pci/pci-octeon.c b/arch/mips/pci/pci-octeon.c +index 59cccd9..f39ac2f 100644 +--- a/arch/mips/pci/pci-octeon.c ++++ b/arch/mips/pci/pci-octeon.c +@@ -327,8 +327,8 @@ static int octeon_write_config(struct pci_bus *bus, unsigned int devfn, + + + static struct pci_ops octeon_pci_ops = { +- octeon_read_config, +- octeon_write_config, ++ .read = octeon_read_config, ++ .write = octeon_write_config, + }; + + static struct resource octeon_pci_mem_resource = { +diff --git a/arch/mips/pci/pcie-octeon.c b/arch/mips/pci/pcie-octeon.c +index 5e36c33..eb4a17b 100644 +--- a/arch/mips/pci/pcie-octeon.c ++++ b/arch/mips/pci/pcie-octeon.c +@@ -1792,8 +1792,8 @@ static int octeon_dummy_write_config(struct pci_bus *bus, unsigned int devfn, + } + + static struct pci_ops octeon_pcie0_ops = { +- octeon_pcie0_read_config, +- octeon_pcie0_write_config, ++ .read = octeon_pcie0_read_config, ++ .write = octeon_pcie0_write_config, + }; + + static struct resource octeon_pcie0_mem_resource = { +@@ -1813,8 +1813,8 @@ static struct pci_controller octeon_pcie0_controller = { + }; + + static struct pci_ops octeon_pcie1_ops = { +- octeon_pcie1_read_config, +- octeon_pcie1_write_config, ++ .read = octeon_pcie1_read_config, ++ .write = octeon_pcie1_write_config, + }; + + static struct resource octeon_pcie1_mem_resource = { +@@ -1834,8 +1834,8 @@ static struct pci_controller octeon_pcie1_controller = { + }; + + static struct pci_ops octeon_dummy_ops = { +- octeon_dummy_read_config, +- octeon_dummy_write_config, ++ .read = octeon_dummy_read_config, ++ .write = octeon_dummy_write_config, + }; + + static struct resource octeon_dummy_mem_resource = { +diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c +index a2358b4..7cead4f 100644 +--- a/arch/mips/sgi-ip27/ip27-nmi.c ++++ b/arch/mips/sgi-ip27/ip27-nmi.c +@@ -187,9 +187,9 @@ void + cont_nmi_dump(void) + { + #ifndef REAL_NMI_SIGNAL +- static atomic_t nmied_cpus = ATOMIC_INIT(0); ++ static atomic_unchecked_t nmied_cpus = ATOMIC_INIT(0); + +- atomic_inc(&nmied_cpus); ++ atomic_inc_unchecked(&nmied_cpus); + #endif + /* + * Only allow 1 cpu to proceed +@@ -233,7 +233,7 @@ cont_nmi_dump(void) + udelay(10000); + } + #else +- while (atomic_read(&nmied_cpus) != num_online_cpus()); ++ while (atomic_read_unchecked(&nmied_cpus) != num_online_cpus()); + #endif + + /* +diff --git a/arch/mips/sni/rm200.c b/arch/mips/sni/rm200.c +index a046b30..6799527 100644 +--- a/arch/mips/sni/rm200.c ++++ b/arch/mips/sni/rm200.c +@@ -270,7 +270,7 @@ spurious_8259A_irq: + "spurious RM200 8259A interrupt: IRQ%d.\n", irq); + spurious_irq_mask |= irqmask; + } +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + /* + * Theoretically we do not have to handle this IRQ, + * but in Linux this does not cause problems and is +diff --git a/arch/mips/vr41xx/common/icu.c b/arch/mips/vr41xx/common/icu.c +index 41e873b..34d33a7 100644 +--- a/arch/mips/vr41xx/common/icu.c ++++ b/arch/mips/vr41xx/common/icu.c +@@ -653,7 +653,7 @@ static int icu_get_irq(unsigned int irq) + + printk(KERN_ERR "spurious ICU interrupt: %04x,%04x\n", pend1, pend2); + +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + + return -1; + } +diff --git a/arch/mips/vr41xx/common/irq.c b/arch/mips/vr41xx/common/irq.c +index ae0e4ee..e8f0692 100644 +--- a/arch/mips/vr41xx/common/irq.c ++++ b/arch/mips/vr41xx/common/irq.c +@@ -64,7 +64,7 @@ static void irq_dispatch(unsigned int irq) + irq_cascade_t *cascade; + + if (irq >= NR_IRQS) { +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + return; + } + +@@ -84,7 +84,7 @@ static void irq_dispatch(unsigned int irq) + ret = cascade->get_irq(irq); + irq = ret; + if (ret < 0) +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + else + irq_dispatch(irq); + if (!irqd_irq_disabled(idata) && chip->irq_unmask) +diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h +index 967d144..db12197 100644 +--- a/arch/mn10300/proc-mn103e010/include/proc/cache.h ++++ b/arch/mn10300/proc-mn103e010/include/proc/cache.h +@@ -11,12 +11,14 @@ + #ifndef _ASM_PROC_CACHE_H + #define _ASM_PROC_CACHE_H + ++#include ++ + /* L1 cache */ + + #define L1_CACHE_NWAYS 4 /* number of ways in caches */ + #define L1_CACHE_NENTRIES 256 /* number of entries in each way */ +-#define L1_CACHE_BYTES 16 /* bytes per entry */ + #define L1_CACHE_SHIFT 4 /* shift for bytes per entry */ ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */ + #define L1_CACHE_WAYDISP 0x1000 /* displacement of one way from the next */ + + #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */ +diff --git a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h +index bcb5df2..84fabd2 100644 +--- a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h ++++ b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h +@@ -16,13 +16,15 @@ + #ifndef _ASM_PROC_CACHE_H + #define _ASM_PROC_CACHE_H + ++#include ++ + /* + * L1 cache + */ + #define L1_CACHE_NWAYS 4 /* number of ways in caches */ + #define L1_CACHE_NENTRIES 128 /* number of entries in each way */ +-#define L1_CACHE_BYTES 32 /* bytes per entry */ + #define L1_CACHE_SHIFT 5 /* shift for bytes per entry */ ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */ + #define L1_CACHE_WAYDISP 0x1000 /* distance from one way to the next */ + + #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */ +diff --git a/arch/openrisc/include/asm/cache.h b/arch/openrisc/include/asm/cache.h +index 4ce7a01..449202a 100644 +--- a/arch/openrisc/include/asm/cache.h ++++ b/arch/openrisc/include/asm/cache.h +@@ -19,11 +19,13 @@ + #ifndef __ASM_OPENRISC_CACHE_H + #define __ASM_OPENRISC_CACHE_H + ++#include ++ + /* FIXME: How can we replace these with values from the CPU... + * they shouldn't be hard-coded! + */ + +-#define L1_CACHE_BYTES 16 + #define L1_CACHE_SHIFT 4 ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #endif /* __ASM_OPENRISC_CACHE_H */ +diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h +index 472886c..00e7df9 100644 +--- a/arch/parisc/include/asm/atomic.h ++++ b/arch/parisc/include/asm/atomic.h +@@ -252,6 +252,16 @@ static inline long atomic64_dec_if_positive(atomic64_t *v) + return dec; + } + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #endif /* !CONFIG_64BIT */ + + +diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h +index 47f11c7..3420df2 100644 +--- a/arch/parisc/include/asm/cache.h ++++ b/arch/parisc/include/asm/cache.h +@@ -5,6 +5,7 @@ + #ifndef __ARCH_PARISC_CACHE_H + #define __ARCH_PARISC_CACHE_H + ++#include + + /* + * PA 2.0 processors have 64-byte cachelines; PA 1.1 processors have +@@ -15,13 +16,13 @@ + * just ruin performance. + */ + #ifdef CONFIG_PA20 +-#define L1_CACHE_BYTES 64 + #define L1_CACHE_SHIFT 6 + #else +-#define L1_CACHE_BYTES 32 + #define L1_CACHE_SHIFT 5 + #endif + ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) ++ + #ifndef __ASSEMBLY__ + + #define SMP_CACHE_BYTES L1_CACHE_BYTES +diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h +index 3391d06..c23a2cc 100644 +--- a/arch/parisc/include/asm/elf.h ++++ b/arch/parisc/include/asm/elf.h +@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration... */ + + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000) + ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE 0x10000UL ++ ++#define PAX_DELTA_MMAP_LEN 16 ++#define PAX_DELTA_STACK_LEN 16 ++#endif ++ + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. This could be done in user space, + but it's not easy, and we've already done it here. */ +diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h +index f213f5b..0af3e8e 100644 +--- a/arch/parisc/include/asm/pgalloc.h ++++ b/arch/parisc/include/asm/pgalloc.h +@@ -61,6 +61,11 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd) + (__u32)(__pa((unsigned long)pmd) >> PxD_VALUE_SHIFT)); + } + ++static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd) ++{ ++ pgd_populate(mm, pgd, pmd); ++} ++ + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address) + { + pmd_t *pmd = (pmd_t *)__get_free_pages(GFP_KERNEL|__GFP_REPEAT, +@@ -93,6 +98,7 @@ static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd) + #define pmd_alloc_one(mm, addr) ({ BUG(); ((pmd_t *)2); }) + #define pmd_free(mm, x) do { } while (0) + #define pgd_populate(mm, pmd, pte) BUG() ++#define pgd_populate_kernel(mm, pmd, pte) BUG() + + #endif + +diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h +index 22b89d1..ce34230 100644 +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -223,6 +223,17 @@ extern void purge_tlb_entries(struct mm_struct *, unsigned long); + #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED) + #define PAGE_COPY PAGE_EXECREAD + #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED) ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED) ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED) ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED) ++#else ++# define PAGE_SHARED_NOEXEC PAGE_SHARED ++# define PAGE_COPY_NOEXEC PAGE_COPY ++# define PAGE_READONLY_NOEXEC PAGE_READONLY ++#endif ++ + #define PAGE_KERNEL __pgprot(_PAGE_KERNEL) + #define PAGE_KERNEL_EXEC __pgprot(_PAGE_KERNEL_EXEC) + #define PAGE_KERNEL_RWX __pgprot(_PAGE_KERNEL_RWX) +diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h +index 4006964..fcb3cc2 100644 +--- a/arch/parisc/include/asm/uaccess.h ++++ b/arch/parisc/include/asm/uaccess.h +@@ -246,10 +246,10 @@ static inline unsigned long __must_check copy_from_user(void *to, + const void __user *from, + unsigned long n) + { +- int sz = __compiletime_object_size(to); ++ size_t sz = __compiletime_object_size(to); + int ret = -EFAULT; + +- if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n)) ++ if (likely(sz == (size_t)-1 || !__builtin_constant_p(n) || sz >= n)) + ret = __copy_from_user(to, from, n); + else + copy_from_user_overflow(); +diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c +index 50dfafc..b9fc230 100644 +--- a/arch/parisc/kernel/module.c ++++ b/arch/parisc/kernel/module.c +@@ -98,16 +98,38 @@ + + /* three functions to determine where in the module core + * or init pieces the location is */ ++static inline int in_init_rx(struct module *me, void *loc) ++{ ++ return (loc >= me->module_init_rx && ++ loc < (me->module_init_rx + me->init_size_rx)); ++} ++ ++static inline int in_init_rw(struct module *me, void *loc) ++{ ++ return (loc >= me->module_init_rw && ++ loc < (me->module_init_rw + me->init_size_rw)); ++} ++ + static inline int in_init(struct module *me, void *loc) + { +- return (loc >= me->module_init && +- loc <= (me->module_init + me->init_size)); ++ return in_init_rx(me, loc) || in_init_rw(me, loc); ++} ++ ++static inline int in_core_rx(struct module *me, void *loc) ++{ ++ return (loc >= me->module_core_rx && ++ loc < (me->module_core_rx + me->core_size_rx)); ++} ++ ++static inline int in_core_rw(struct module *me, void *loc) ++{ ++ return (loc >= me->module_core_rw && ++ loc < (me->module_core_rw + me->core_size_rw)); + } + + static inline int in_core(struct module *me, void *loc) + { +- return (loc >= me->module_core && +- loc <= (me->module_core + me->core_size)); ++ return in_core_rx(me, loc) || in_core_rw(me, loc); + } + + static inline int in_local(struct module *me, void *loc) +@@ -371,13 +393,13 @@ int module_frob_arch_sections(CONST Elf_Ehdr *hdr, + } + + /* align things a bit */ +- me->core_size = ALIGN(me->core_size, 16); +- me->arch.got_offset = me->core_size; +- me->core_size += gots * sizeof(struct got_entry); ++ me->core_size_rw = ALIGN(me->core_size_rw, 16); ++ me->arch.got_offset = me->core_size_rw; ++ me->core_size_rw += gots * sizeof(struct got_entry); + +- me->core_size = ALIGN(me->core_size, 16); +- me->arch.fdesc_offset = me->core_size; +- me->core_size += fdescs * sizeof(Elf_Fdesc); ++ me->core_size_rw = ALIGN(me->core_size_rw, 16); ++ me->arch.fdesc_offset = me->core_size_rw; ++ me->core_size_rw += fdescs * sizeof(Elf_Fdesc); + + me->arch.got_max = gots; + me->arch.fdesc_max = fdescs; +@@ -395,7 +417,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend) + + BUG_ON(value == 0); + +- got = me->module_core + me->arch.got_offset; ++ got = me->module_core_rw + me->arch.got_offset; + for (i = 0; got[i].addr; i++) + if (got[i].addr == value) + goto out; +@@ -413,7 +435,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend) + #ifdef CONFIG_64BIT + static Elf_Addr get_fdesc(struct module *me, unsigned long value) + { +- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset; ++ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset; + + if (!value) { + printk(KERN_ERR "%s: zero OPD requested!\n", me->name); +@@ -431,7 +453,7 @@ static Elf_Addr get_fdesc(struct module *me, unsigned long value) + + /* Create new one */ + fdesc->addr = value; +- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset; ++ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset; + return (Elf_Addr)fdesc; + } + #endif /* CONFIG_64BIT */ +@@ -843,7 +865,7 @@ register_unwind_table(struct module *me, + + table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr; + end = table + sechdrs[me->arch.unwind_section].sh_size; +- gp = (Elf_Addr)me->module_core + me->arch.got_offset; ++ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset; + + DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", + me->arch.unwind_section, table, end, gp); +diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c +index b7cadc4..bf4a32d 100644 +--- a/arch/parisc/kernel/sys_parisc.c ++++ b/arch/parisc/kernel/sys_parisc.c +@@ -89,6 +89,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + unsigned long task_size = TASK_SIZE; + int do_color_align, last_mmap; + struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + if (len > task_size) + return -ENOMEM; +@@ -106,6 +107,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + goto found_addr; + } + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + if (do_color_align && last_mmap) + addr = COLOR_ALIGN(addr, last_mmap, pgoff); +@@ -124,6 +129,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + info.high_limit = mmap_upper_limit(); + info.align_mask = last_mmap ? (PAGE_MASK & (SHMLBA - 1)) : 0; + info.align_offset = shared_align_offset(last_mmap, pgoff); ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + + found_addr: +@@ -143,6 +149,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + unsigned long addr = addr0; + int do_color_align, last_mmap; + struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + #ifdef CONFIG_64BIT + /* This should only ever run for 32-bit processes. */ +@@ -167,6 +174,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + } + + /* requesting a specific address */ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + if (do_color_align && last_mmap) + addr = COLOR_ALIGN(addr, last_mmap, pgoff); +@@ -184,6 +195,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.high_limit = mm->mmap_base; + info.align_mask = last_mmap ? (PAGE_MASK & (SHMLBA - 1)) : 0; + info.align_offset = shared_align_offset(last_mmap, pgoff); ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + if (!(addr & ~PAGE_MASK)) + goto found_addr; +@@ -249,6 +261,13 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + mm->mmap_legacy_base = mmap_legacy_base(); + mm->mmap_base = mmap_upper_limit(); + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) { ++ mm->mmap_legacy_base += mm->delta_mmap; ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++ } ++#endif ++ + if (mmap_is_legacy()) { + mm->mmap_base = mm->mmap_legacy_base; + mm->get_unmapped_area = arch_get_unmapped_area; +diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c +index 1cd1d0c..44ec918 100644 +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -722,9 +722,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) + + down_read(¤t->mm->mmap_sem); + vma = find_vma(current->mm,regs->iaoq[0]); +- if (vma && (regs->iaoq[0] >= vma->vm_start) +- && (vma->vm_flags & VM_EXEC)) { +- ++ if (vma && (regs->iaoq[0] >= vma->vm_start)) { + fault_address = regs->iaoq[0]; + fault_space = regs->iasq[0]; + +diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c +index 9d08c71..e2b4d20 100644 +--- a/arch/parisc/mm/fault.c ++++ b/arch/parisc/mm/fault.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, exception_data); + static unsigned long + parisc_acctyp(unsigned long code, unsigned int inst) + { +- if (code == 6 || code == 16) ++ if (code == 6 || code == 7 || code == 16) + return VM_EXEC; + + switch (inst & 0xf0000000) { +@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsigned int inst) + } + #endif + ++#ifdef CONFIG_PAX_PAGEEXEC ++/* ++ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address) ++ * ++ * returns 1 when task should be killed ++ * 2 when rt_sigreturn trampoline was detected ++ * 3 when unpatched PLT trampoline was detected ++ */ ++static int pax_handle_fetch_fault(struct pt_regs *regs) ++{ ++ ++#ifdef CONFIG_PAX_EMUPLT ++ int err; ++ ++ do { /* PaX: unpatched PLT emulation */ ++ unsigned int bl, depwi; ++ ++ err = get_user(bl, (unsigned int *)instruction_pointer(regs)); ++ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4)); ++ ++ if (err) ++ break; ++ ++ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) { ++ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12; ++ ++ err = get_user(ldw, (unsigned int *)addr); ++ err |= get_user(bv, (unsigned int *)(addr+4)); ++ err |= get_user(ldw2, (unsigned int *)(addr+8)); ++ ++ if (err) ++ break; ++ ++ if (ldw == 0x0E801096U && ++ bv == 0xEAC0C000U && ++ ldw2 == 0x0E881095U) ++ { ++ unsigned int resolver, map; ++ ++ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8)); ++ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12)); ++ if (err) ++ break; ++ ++ regs->gr[20] = instruction_pointer(regs)+8; ++ regs->gr[21] = map; ++ regs->gr[22] = resolver; ++ regs->iaoq[0] = resolver | 3UL; ++ regs->iaoq[1] = regs->iaoq[0] + 4; ++ return 3; ++ } ++ } ++ } while (0); ++#endif ++ ++#ifdef CONFIG_PAX_EMUTRAMP ++ ++#ifndef CONFIG_PAX_EMUSIGRT ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP)) ++ return 1; ++#endif ++ ++ do { /* PaX: rt_sigreturn emulation */ ++ unsigned int ldi1, ldi2, bel, nop; ++ ++ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs)); ++ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4)); ++ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8)); ++ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12)); ++ ++ if (err) ++ break; ++ ++ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) && ++ ldi2 == 0x3414015AU && ++ bel == 0xE4008200U && ++ nop == 0x08000240U) ++ { ++ regs->gr[25] = (ldi1 & 2) >> 1; ++ regs->gr[20] = __NR_rt_sigreturn; ++ regs->gr[31] = regs->iaoq[1] + 16; ++ regs->sr[0] = regs->iasq[1]; ++ regs->iaoq[0] = 0x100UL; ++ regs->iaoq[1] = regs->iaoq[0] + 4; ++ regs->iasq[0] = regs->sr[2]; ++ regs->iasq[1] = regs->sr[2]; ++ return 2; ++ } ++ } while (0); ++#endif ++ ++ return 1; ++} ++ ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ unsigned long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 5; i++) { ++ unsigned int c; ++ if (get_user(c, (unsigned int *)pc+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%08x ", c); ++ } ++ printk("\n"); ++} ++#endif ++ + int fixup_exception(struct pt_regs *regs) + { + const struct exception_table_entry *fix; +@@ -210,8 +321,33 @@ retry: + + good_area: + +- if ((vma->vm_flags & acc_type) != acc_type) ++ if ((vma->vm_flags & acc_type) != acc_type) { ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) && ++ (address & ~3UL) == instruction_pointer(regs)) ++ { ++ up_read(&mm->mmap_sem); ++ switch (pax_handle_fetch_fault(regs)) { ++ ++#ifdef CONFIG_PAX_EMUPLT ++ case 3: ++ return; ++#endif ++ ++#ifdef CONFIG_PAX_EMUTRAMP ++ case 2: ++ return; ++#endif ++ ++ } ++ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]); ++ do_group_exit(SIGKILL); ++ } ++#endif ++ + goto bad_area; ++ } + + /* + * If for any reason at all we couldn't handle the fault, make +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 957bf34..3430cc8 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -393,6 +393,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE + config KEXEC + bool "kexec system call" + depends on (PPC_BOOK3S || FSL_BOOKE || (44x && !SMP)) ++ depends on !GRKERNSEC_KMEM + help + kexec is a system call that implements the ability to shutdown your + current kernel, and to start another kernel. It is like a reboot +diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h +index e3b1d41..8e81edf 100644 +--- a/arch/powerpc/include/asm/atomic.h ++++ b/arch/powerpc/include/asm/atomic.h +@@ -523,6 +523,16 @@ static __inline__ long atomic64_inc_not_zero(atomic64_t *v) + return t1; + } + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #endif /* __powerpc64__ */ + + #endif /* __KERNEL__ */ +diff --git a/arch/powerpc/include/asm/cache.h b/arch/powerpc/include/asm/cache.h +index ed0afc1..0332825 100644 +--- a/arch/powerpc/include/asm/cache.h ++++ b/arch/powerpc/include/asm/cache.h +@@ -3,6 +3,7 @@ + + #ifdef __KERNEL__ + ++#include + + /* bytes per L1 cache line */ + #if defined(CONFIG_8xx) || defined(CONFIG_403GCX) +@@ -22,7 +23,7 @@ + #define L1_CACHE_SHIFT 7 + #endif + +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define SMP_CACHE_BYTES L1_CACHE_BYTES + +diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h +index 935b5e7..7001d2d 100644 +--- a/arch/powerpc/include/asm/elf.h ++++ b/arch/powerpc/include/asm/elf.h +@@ -28,8 +28,19 @@ + the loader. We need to make sure that it is out of the way of the program + that it will "exec", and that there is sufficient room for the brk. */ + +-extern unsigned long randomize_et_dyn(unsigned long base); +-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000)) ++#define ELF_ET_DYN_BASE (0x20000000) ++ ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE (0x10000000UL) ++ ++#ifdef __powerpc64__ ++#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28) ++#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28) ++#else ++#define PAX_DELTA_MMAP_LEN 15 ++#define PAX_DELTA_STACK_LEN 15 ++#endif ++#endif + + #define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0) + +@@ -127,10 +138,6 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm, + (0x7ff >> (PAGE_SHIFT - 12)) : \ + (0x3ffff >> (PAGE_SHIFT - 12))) + +-extern unsigned long arch_randomize_brk(struct mm_struct *mm); +-#define arch_randomize_brk arch_randomize_brk +- +- + #ifdef CONFIG_SPU_BASE + /* Notes used in ET_CORE. Note name is "SPU//". */ + #define NT_SPU 1 +diff --git a/arch/powerpc/include/asm/exec.h b/arch/powerpc/include/asm/exec.h +index 8196e9c..d83a9f3 100644 +--- a/arch/powerpc/include/asm/exec.h ++++ b/arch/powerpc/include/asm/exec.h +@@ -4,6 +4,6 @@ + #ifndef _ASM_POWERPC_EXEC_H + #define _ASM_POWERPC_EXEC_H + +-extern unsigned long arch_align_stack(unsigned long sp); ++#define arch_align_stack(x) ((x) & ~0xfUL) + + #endif /* _ASM_POWERPC_EXEC_H */ +diff --git a/arch/powerpc/include/asm/kmap_types.h b/arch/powerpc/include/asm/kmap_types.h +index 5acabbd..7ea14fa 100644 +--- a/arch/powerpc/include/asm/kmap_types.h ++++ b/arch/powerpc/include/asm/kmap_types.h +@@ -10,7 +10,7 @@ + * 2 of the License, or (at your option) any later version. + */ + +-#define KM_TYPE_NR 16 ++#define KM_TYPE_NR 17 + + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_KMAP_TYPES_H */ +diff --git a/arch/powerpc/include/asm/local.h b/arch/powerpc/include/asm/local.h +index b8da913..60b608a 100644 +--- a/arch/powerpc/include/asm/local.h ++++ b/arch/powerpc/include/asm/local.h +@@ -9,15 +9,26 @@ typedef struct + atomic_long_t a; + } local_t; + ++typedef struct ++{ ++ atomic_long_unchecked_t a; ++} local_unchecked_t; ++ + #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) } + + #define local_read(l) atomic_long_read(&(l)->a) ++#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a) + #define local_set(l,i) atomic_long_set(&(l)->a, (i)) ++#define local_set_unchecked(l,i) atomic_long_set_unchecked(&(l)->a, (i)) + + #define local_add(i,l) atomic_long_add((i),(&(l)->a)) ++#define local_add_unchecked(i,l) atomic_long_add_unchecked((i),(&(l)->a)) + #define local_sub(i,l) atomic_long_sub((i),(&(l)->a)) ++#define local_sub_unchecked(i,l) atomic_long_sub_unchecked((i),(&(l)->a)) + #define local_inc(l) atomic_long_inc(&(l)->a) ++#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a) + #define local_dec(l) atomic_long_dec(&(l)->a) ++#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a) + + static __inline__ long local_add_return(long a, local_t *l) + { +@@ -35,6 +46,7 @@ static __inline__ long local_add_return(long a, local_t *l) + + return t; + } ++#define local_add_return_unchecked(i, l) atomic_long_add_return_unchecked((i), (&(l)->a)) + + #define local_add_negative(a, l) (local_add_return((a), (l)) < 0) + +@@ -54,6 +66,7 @@ static __inline__ long local_sub_return(long a, local_t *l) + + return t; + } ++#define local_sub_return_unchecked(i, l) atomic_long_sub_return_unchecked((i), (&(l)->a)) + + static __inline__ long local_inc_return(local_t *l) + { +@@ -101,6 +114,8 @@ static __inline__ long local_dec_return(local_t *l) + + #define local_cmpxchg(l, o, n) \ + (cmpxchg_local(&((l)->a.counter), (o), (n))) ++#define local_cmpxchg_unchecked(l, o, n) \ ++ (cmpxchg_local(&((l)->a.counter), (o), (n))) + #define local_xchg(l, n) (xchg_local(&((l)->a.counter), (n))) + + /** +diff --git a/arch/powerpc/include/asm/mman.h b/arch/powerpc/include/asm/mman.h +index 8565c25..2865190 100644 +--- a/arch/powerpc/include/asm/mman.h ++++ b/arch/powerpc/include/asm/mman.h +@@ -24,7 +24,7 @@ static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot) + } + #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot) + +-static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags) ++static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags) + { + return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0); + } +diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h +index 32e4e21..62afb12 100644 +--- a/arch/powerpc/include/asm/page.h ++++ b/arch/powerpc/include/asm/page.h +@@ -230,8 +230,9 @@ extern long long virt_phys_offset; + * and needs to be executable. This means the whole heap ends + * up being executable. + */ +-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \ +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) ++#define VM_DATA_DEFAULT_FLAGS32 \ ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \ ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) + + #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \ + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) +@@ -259,6 +260,9 @@ extern long long virt_phys_offset; + #define is_kernel_addr(x) ((x) >= PAGE_OFFSET) + #endif + ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + #ifndef CONFIG_PPC_BOOK3S_64 + /* + * Use the top bit of the higher-level page table entries to indicate whether +diff --git a/arch/powerpc/include/asm/page_64.h b/arch/powerpc/include/asm/page_64.h +index 88693ce..ac6f9ab 100644 +--- a/arch/powerpc/include/asm/page_64.h ++++ b/arch/powerpc/include/asm/page_64.h +@@ -153,15 +153,18 @@ do { \ + * stack by default, so in the absence of a PT_GNU_STACK program header + * we turn execute permission off. + */ +-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \ +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) ++#define VM_STACK_DEFAULT_FLAGS32 \ ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \ ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) + + #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \ + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) + ++#ifndef CONFIG_PAX_PAGEEXEC + #define VM_STACK_DEFAULT_FLAGS \ + (is_32bit_task() ? \ + VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64) ++#endif + + #include + +diff --git a/arch/powerpc/include/asm/pgalloc-64.h b/arch/powerpc/include/asm/pgalloc-64.h +index 4b0be20..c15a27d 100644 +--- a/arch/powerpc/include/asm/pgalloc-64.h ++++ b/arch/powerpc/include/asm/pgalloc-64.h +@@ -54,6 +54,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) + #ifndef CONFIG_PPC_64K_PAGES + + #define pgd_populate(MM, PGD, PUD) pgd_set(PGD, PUD) ++#define pgd_populate_kernel(MM, PGD, PUD) pgd_populate((MM), (PGD), (PUD)) + + static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr) + { +@@ -71,6 +72,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) + pud_set(pud, (unsigned long)pmd); + } + ++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) ++{ ++ pud_populate(mm, pud, pmd); ++} ++ + #define pmd_populate(mm, pmd, pte_page) \ + pmd_populate_kernel(mm, pmd, page_address(pte_page)) + #define pmd_populate_kernel(mm, pmd, pte) pmd_set(pmd, (unsigned long)(pte)) +@@ -173,6 +179,7 @@ extern void __tlb_remove_table(void *_table); + #endif + + #define pud_populate(mm, pud, pmd) pud_set(pud, (unsigned long)pmd) ++#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd)) + + static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd, + pte_t *pte) +diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h +index 3ebb188..e17dddf 100644 +--- a/arch/powerpc/include/asm/pgtable.h ++++ b/arch/powerpc/include/asm/pgtable.h +@@ -2,6 +2,7 @@ + #define _ASM_POWERPC_PGTABLE_H + #ifdef __KERNEL__ + ++#include + #ifndef __ASSEMBLY__ + #include + #include /* For TASK_SIZE */ +diff --git a/arch/powerpc/include/asm/pte-hash32.h b/arch/powerpc/include/asm/pte-hash32.h +index 4aad413..85d86bf 100644 +--- a/arch/powerpc/include/asm/pte-hash32.h ++++ b/arch/powerpc/include/asm/pte-hash32.h +@@ -21,6 +21,7 @@ + #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */ + #define _PAGE_USER 0x004 /* usermode access allowed */ + #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */ ++#define _PAGE_EXEC _PAGE_GUARDED + #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */ + #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */ + #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */ +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h +index 90c06ec..3517221 100644 +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -248,6 +248,7 @@ + #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */ + #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */ + #define DSISR_NOHPTE 0x40000000 /* no translation found */ ++#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */ + #define DSISR_PROTFAULT 0x08000000 /* protection fault */ + #define DSISR_ISSTORE 0x02000000 /* access was a store */ + #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */ +diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h +index 084e080..9415a3d 100644 +--- a/arch/powerpc/include/asm/smp.h ++++ b/arch/powerpc/include/asm/smp.h +@@ -51,7 +51,7 @@ struct smp_ops_t { + int (*cpu_disable)(void); + void (*cpu_die)(unsigned int nr); + int (*cpu_bootable)(unsigned int nr); +-}; ++} __no_const; + + extern void smp_send_debugger_break(void); + extern void start_secondary_resume(void); +diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h +index b034ecd..af7e31f 100644 +--- a/arch/powerpc/include/asm/thread_info.h ++++ b/arch/powerpc/include/asm/thread_info.h +@@ -107,6 +107,8 @@ static inline struct thread_info *current_thread_info(void) + #if defined(CONFIG_PPC64) + #define TIF_ELF2ABI 18 /* function descriptors must die! */ + #endif ++/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */ ++#define TIF_GRSEC_SETXID 6 /* update credentials on syscall entry/exit */ + + /* as above, but as bit values */ + #define _TIF_SYSCALL_TRACE (1< INT_MAX) ++ return n; ++ ++ if (!__builtin_constant_p(n)) ++ check_object_size(to, n, false); ++ ++ if (likely(access_ok(VERIFY_READ, from, n))) ++ n = __copy_from_user(to, from, n); ++ else ++ memset(to, 0, n); ++ return n; ++} ++ ++static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) ++{ ++ if ((long)n < 0 || n > INT_MAX) ++ return n; ++ ++ if (likely(access_ok(VERIFY_WRITE, to, n))) { ++ if (!__builtin_constant_p(n)) ++ check_object_size(from, n, true); ++ n = __copy_to_user(to, from, n); ++ } ++ return n; ++} ++ ++extern unsigned long copy_in_user(void __user *to, const void __user *from, ++ unsigned long n); ++ ++#endif /* __powerpc64__ */ ++ + extern unsigned long __clear_user(void __user *addr, unsigned long size); + + static inline unsigned long clear_user(void __user *addr, unsigned long size) +diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile +index fcc9a89..07be2bb 100644 +--- a/arch/powerpc/kernel/Makefile ++++ b/arch/powerpc/kernel/Makefile +@@ -26,6 +26,8 @@ CFLAGS_REMOVE_ftrace.o = -pg -mno-sched-epilog + CFLAGS_REMOVE_time.o = -pg -mno-sched-epilog + endif + ++CFLAGS_REMOVE_prom_init.o += $(LATENT_ENTROPY_PLUGIN_CFLAGS) ++ + obj-y := cputable.o ptrace.o syscalls.o \ + irq.o align.o signal_32.o pmc.o vdso.o \ + process.o systbl.o idle.o \ +diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S +index 063b65d..7a26e9d 100644 +--- a/arch/powerpc/kernel/exceptions-64e.S ++++ b/arch/powerpc/kernel/exceptions-64e.S +@@ -771,6 +771,7 @@ storage_fault_common: + std r14,_DAR(r1) + std r15,_DSISR(r1) + addi r3,r1,STACK_FRAME_OVERHEAD ++ bl .save_nvgprs + mr r4,r14 + mr r5,r15 + ld r14,PACA_EXGEN+EX_R14(r13) +@@ -779,8 +780,7 @@ storage_fault_common: + cmpdi r3,0 + bne- 1f + b .ret_from_except_lite +-1: bl .save_nvgprs +- mr r5,r3 ++1: mr r5,r3 + addi r3,r1,STACK_FRAME_OVERHEAD + ld r4,_DAR(r1) + bl .bad_page_fault +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index 38d5073..f00af8d 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -1584,10 +1584,10 @@ handle_page_fault: + 11: ld r4,_DAR(r1) + ld r5,_DSISR(r1) + addi r3,r1,STACK_FRAME_OVERHEAD ++ bl .save_nvgprs + bl .do_page_fault + cmpdi r3,0 + beq+ 12f +- bl .save_nvgprs + mr r5,r3 + addi r3,r1,STACK_FRAME_OVERHEAD + lwz r4,_DAR(r1) +diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c +index 6cff040..74ac5d1 100644 +--- a/arch/powerpc/kernel/module_32.c ++++ b/arch/powerpc/kernel/module_32.c +@@ -161,7 +161,7 @@ int module_frob_arch_sections(Elf32_Ehdr *hdr, + me->arch.core_plt_section = i; + } + if (!me->arch.core_plt_section || !me->arch.init_plt_section) { +- printk("Module doesn't contain .plt or .init.plt sections.\n"); ++ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name); + return -ENOEXEC; + } + +@@ -191,11 +191,16 @@ static uint32_t do_plt_call(void *location, + + DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location); + /* Init, or core PLT? */ +- if (location >= mod->module_core +- && location < mod->module_core + mod->core_size) ++ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) || ++ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw)) + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr; +- else ++ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) || ++ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw)) + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr; ++ else { ++ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name); ++ return ~0UL; ++ } + + /* Find this entry, or if that fails, the next avail. entry */ + while (entry->jump[0]) { +@@ -299,7 +304,7 @@ int apply_relocate_add(Elf32_Shdr *sechdrs, + } + #ifdef CONFIG_DYNAMIC_FTRACE + module->arch.tramp = +- do_plt_call(module->module_core, ++ do_plt_call(module->module_core_rx, + (unsigned long)ftrace_caller, + sechdrs, module); + #endif +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index af064d2..ce56147 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -1009,8 +1009,8 @@ void show_regs(struct pt_regs * regs) + * Lookup NIP late so we have the best change of getting the + * above info out without failing + */ +- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip); +- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link); ++ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip); ++ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link); + #endif + show_stack(current, (unsigned long *) regs->gpr[1]); + if (!user_mode(regs)) +@@ -1532,10 +1532,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) + newsp = stack[0]; + ip = stack[STACK_FRAME_LR_SAVE]; + if (!firstframe || ip != lr) { +- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip); ++ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip); + #ifdef CONFIG_FUNCTION_GRAPH_TRACER + if ((ip == rth || ip == mrth) && curr_frame >= 0) { +- printk(" (%pS)", ++ printk(" (%pA)", + (void *)current->ret_stack[curr_frame].ret); + curr_frame--; + } +@@ -1555,7 +1555,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) + struct pt_regs *regs = (struct pt_regs *) + (sp + STACK_FRAME_OVERHEAD); + lr = regs->link; +- printk("--- Exception: %lx at %pS\n LR = %pS\n", ++ printk("--- Exception: %lx at %pA\n LR = %pA\n", + regs->trap, (void *)regs->nip, (void *)lr); + firstframe = 1; + } +@@ -1591,58 +1591,3 @@ void notrace __ppc64_runlatch_off(void) + mtspr(SPRN_CTRLT, ctrl); + } + #endif /* CONFIG_PPC64 */ +- +-unsigned long arch_align_stack(unsigned long sp) +-{ +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) +- sp -= get_random_int() & ~PAGE_MASK; +- return sp & ~0xf; +-} +- +-static inline unsigned long brk_rnd(void) +-{ +- unsigned long rnd = 0; +- +- /* 8MB for 32bit, 1GB for 64bit */ +- if (is_32bit_task()) +- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT))); +- else +- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT))); +- +- return rnd << PAGE_SHIFT; +-} +- +-unsigned long arch_randomize_brk(struct mm_struct *mm) +-{ +- unsigned long base = mm->brk; +- unsigned long ret; +- +-#ifdef CONFIG_PPC_STD_MMU_64 +- /* +- * If we are using 1TB segments and we are allowed to randomise +- * the heap, we can put it above 1TB so it is backed by a 1TB +- * segment. Otherwise the heap will be in the bottom 1TB +- * which always uses 256MB segments and this may result in a +- * performance penalty. +- */ +- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T)) +- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T); +-#endif +- +- ret = PAGE_ALIGN(base + brk_rnd()); +- +- if (ret < mm->brk) +- return mm->brk; +- +- return ret; +-} +- +-unsigned long randomize_et_dyn(unsigned long base) +-{ +- unsigned long ret = PAGE_ALIGN(base + brk_rnd()); +- +- if (ret < base) +- return base; +- +- return ret; +-} +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c +index 2e3d2bf..35df241 100644 +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -1762,6 +1762,10 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1774,6 +1778,11 @@ long do_syscall_trace_enter(struct pt_regs *regs) + + secure_computing_strict(regs->gpr[0]); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (test_thread_flag(TIF_SYSCALL_TRACE) && + tracehook_report_syscall_entry(regs)) + /* +@@ -1808,6 +1817,11 @@ void do_syscall_trace_leave(struct pt_regs *regs) + { + int step; + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + audit_syscall_exit(regs); + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index a67e00a..f71d8c7 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -1011,7 +1011,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka, + /* Save user registers on the stack */ + frame = &rt_sf->uc.uc_mcontext; + addr = frame; +- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) { ++ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) { + sigret = 0; + tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp; + } else { +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index 8d253c2..405b337 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -758,7 +758,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info, + current->thread.fp_state.fpscr = 0; + + /* Set up to return from userspace. */ +- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) { ++ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) { + regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp; + } else { + err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]); +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index 33cd7a0..d615344 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) + return flags; + } + ++extern void gr_handle_kernel_exploit(void); ++ + static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, + int signr) + { +@@ -191,6 +193,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, + panic("Fatal exception in interrupt"); + if (panic_on_oops) + panic("Fatal exception"); ++ ++ gr_handle_kernel_exploit(); ++ + do_exit(signr); + } + +diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c +index 094e45c..d82b848 100644 +--- a/arch/powerpc/kernel/vdso.c ++++ b/arch/powerpc/kernel/vdso.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + + #undef DEBUG + +@@ -221,7 +222,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) + vdso_base = VDSO32_MBASE; + #endif + +- current->mm->context.vdso_base = 0; ++ current->mm->context.vdso_base = ~0UL; + + /* vDSO has a problem and was disabled, just don't "enable" it for the + * process +@@ -241,7 +242,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) + vdso_base = get_unmapped_area(NULL, vdso_base, + (vdso_pages << PAGE_SHIFT) + + ((VDSO_ALIGNMENT - 1) & PAGE_MASK), +- 0, 0); ++ 0, MAP_PRIVATE | MAP_EXECUTABLE); + if (IS_ERR_VALUE(vdso_base)) { + rc = vdso_base; + goto fail_mmapsem; +diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c +index 3cf541a..ab2d825 100644 +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -1153,7 +1153,7 @@ void kvmppc_init_lpid(unsigned long nr_lpids_param) + } + EXPORT_SYMBOL_GPL(kvmppc_init_lpid); + +-int kvm_arch_init(void *opaque) ++int kvm_arch_init(const void *opaque) + { + return 0; + } +diff --git a/arch/powerpc/lib/usercopy_64.c b/arch/powerpc/lib/usercopy_64.c +index 5eea6f3..5d10396 100644 +--- a/arch/powerpc/lib/usercopy_64.c ++++ b/arch/powerpc/lib/usercopy_64.c +@@ -9,22 +9,6 @@ + #include + #include + +-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n) +-{ +- if (likely(access_ok(VERIFY_READ, from, n))) +- n = __copy_from_user(to, from, n); +- else +- memset(to, 0, n); +- return n; +-} +- +-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n) +-{ +- if (likely(access_ok(VERIFY_WRITE, to, n))) +- n = __copy_to_user(to, from, n); +- return n; +-} +- + unsigned long copy_in_user(void __user *to, const void __user *from, + unsigned long n) + { +@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *to, const void __user *from, + return n; + } + +-EXPORT_SYMBOL(copy_from_user); +-EXPORT_SYMBOL(copy_to_user); + EXPORT_SYMBOL(copy_in_user); + +diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c +index 51ab9e7..7d3c78b 100644 +--- a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -33,6 +33,10 @@ + #include + #include + #include ++#include ++#include ++#include ++#include + + #include + #include +@@ -69,6 +73,33 @@ static inline int notify_page_fault(struct pt_regs *regs) + } + #endif + ++#ifdef CONFIG_PAX_PAGEEXEC ++/* ++ * PaX: decide what to do with offenders (regs->nip = fault address) ++ * ++ * returns 1 when task should be killed ++ */ ++static int pax_handle_fetch_fault(struct pt_regs *regs) ++{ ++ return 1; ++} ++ ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ unsigned long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 5; i++) { ++ unsigned int c; ++ if (get_user(c, (unsigned int __user *)pc+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%08x ", c); ++ } ++ printk("\n"); ++} ++#endif ++ + /* + * Check whether the instruction at regs->nip is a store using + * an update addressing form which will update r1. +@@ -216,7 +247,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address, + * indicate errors in DSISR but can validly be set in SRR1. + */ + if (trap == 0x400) +- error_code &= 0x48200000; ++ error_code &= 0x58200000; + else + is_write = error_code & DSISR_ISSTORE; + #else +@@ -378,7 +409,7 @@ good_area: + * "undefined". Of those that can be set, this is the only + * one which seems bad. + */ +- if (error_code & 0x10000000) ++ if (error_code & DSISR_GUARDED) + /* Guarded storage error. */ + goto bad_area; + #endif /* CONFIG_8xx */ +@@ -393,7 +424,7 @@ good_area: + * processors use the same I/D cache coherency mechanism + * as embedded. + */ +- if (error_code & DSISR_PROTFAULT) ++ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED)) + goto bad_area; + #endif /* CONFIG_PPC_STD_MMU */ + +@@ -483,6 +514,23 @@ bad_area: + bad_area_nosemaphore: + /* User mode accesses cause a SIGSEGV */ + if (user_mode(regs)) { ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) { ++#ifdef CONFIG_PPC_STD_MMU ++ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) { ++#else ++ if (is_exec && regs->nip == address) { ++#endif ++ switch (pax_handle_fetch_fault(regs)) { ++ } ++ ++ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]); ++ do_group_exit(SIGKILL); ++ } ++ } ++#endif ++ + _exception(SIGSEGV, regs, code, address); + goto bail; + } +diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c +index cb8bdbe..cde4bc7 100644 +--- a/arch/powerpc/mm/mmap.c ++++ b/arch/powerpc/mm/mmap.c +@@ -53,10 +53,14 @@ static inline int mmap_is_legacy(void) + return sysctl_legacy_va_layout; + } + +-static unsigned long mmap_rnd(void) ++static unsigned long mmap_rnd(struct mm_struct *mm) + { + unsigned long rnd = 0; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (current->flags & PF_RANDOMIZE) { + /* 8MB for 32bit, 1GB for 64bit */ + if (is_32bit_task()) +@@ -67,7 +71,7 @@ static unsigned long mmap_rnd(void) + return rnd << PAGE_SHIFT; + } + +-static inline unsigned long mmap_base(void) ++static inline unsigned long mmap_base(struct mm_struct *mm) + { + unsigned long gap = rlimit(RLIMIT_STACK); + +@@ -76,7 +80,7 @@ static inline unsigned long mmap_base(void) + else if (gap > MAX_GAP) + gap = MAX_GAP; + +- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd()); ++ return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd(mm)); + } + + /* +@@ -91,9 +95,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + */ + if (mmap_is_legacy()) { + mm->mmap_base = TASK_UNMAPPED_BASE; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base += mm->delta_mmap; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area; + } else { +- mm->mmap_base = mmap_base(); ++ mm->mmap_base = mmap_base(mm); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area_topdown; + } + } +diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c +index b0c75cc..ef7fb93 100644 +--- a/arch/powerpc/mm/slice.c ++++ b/arch/powerpc/mm/slice.c +@@ -103,7 +103,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr, + if ((mm->task_size - len) < addr) + return 0; + vma = find_vma(mm, addr); +- return (!vma || (addr + len) <= vma->vm_start); ++ return check_heap_stack_gap(vma, addr, len, 0); + } + + static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice) +@@ -277,6 +277,12 @@ static unsigned long slice_find_area_bottomup(struct mm_struct *mm, + info.align_offset = 0; + + addr = TASK_UNMAPPED_BASE; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ addr += mm->delta_mmap; ++#endif ++ + while (addr < TASK_SIZE) { + info.low_limit = addr; + if (!slice_scan_available(addr, available, 1, &addr)) +@@ -410,6 +416,11 @@ unsigned long slice_get_unmapped_area(unsigned long addr, unsigned long len, + if (fixed && addr > (mm->task_size - len)) + return -ENOMEM; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP)) ++ addr = 0; ++#endif ++ + /* If hint, make sure it matches our alignment restrictions */ + if (!fixed && addr) { + addr = _ALIGN_UP(addr, 1ul << pshift); +diff --git a/arch/powerpc/platforms/cell/celleb_scc_pciex.c b/arch/powerpc/platforms/cell/celleb_scc_pciex.c +index 4278acf..67fd0e6 100644 +--- a/arch/powerpc/platforms/cell/celleb_scc_pciex.c ++++ b/arch/powerpc/platforms/cell/celleb_scc_pciex.c +@@ -400,8 +400,8 @@ static int scc_pciex_write_config(struct pci_bus *bus, unsigned int devfn, + } + + static struct pci_ops scc_pciex_pci_ops = { +- scc_pciex_read_config, +- scc_pciex_write_config, ++ .read = scc_pciex_read_config, ++ .write = scc_pciex_write_config, + }; + + static void pciex_clear_intr_all(unsigned int __iomem *base) +diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c +index 9098692..3d54cd1 100644 +--- a/arch/powerpc/platforms/cell/spufs/file.c ++++ b/arch/powerpc/platforms/cell/spufs/file.c +@@ -280,9 +280,9 @@ spufs_mem_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf) + return VM_FAULT_NOPAGE; + } + +-static int spufs_mem_mmap_access(struct vm_area_struct *vma, ++static ssize_t spufs_mem_mmap_access(struct vm_area_struct *vma, + unsigned long address, +- void *buf, int len, int write) ++ void *buf, size_t len, int write) + { + struct spu_context *ctx = vma->vm_file->private_data; + unsigned long offset = address - vma->vm_start; +diff --git a/arch/s390/include/asm/atomic.h b/arch/s390/include/asm/atomic.h +index fa9aaf7..3f5d836 100644 +--- a/arch/s390/include/asm/atomic.h ++++ b/arch/s390/include/asm/atomic.h +@@ -398,6 +398,16 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v) + #define atomic64_dec_and_test(_v) (atomic64_sub_return(1, _v) == 0) + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #define smp_mb__before_atomic_dec() smp_mb() + #define smp_mb__after_atomic_dec() smp_mb() + #define smp_mb__before_atomic_inc() smp_mb() +diff --git a/arch/s390/include/asm/cache.h b/arch/s390/include/asm/cache.h +index 4d7ccac..d03d0ad 100644 +--- a/arch/s390/include/asm/cache.h ++++ b/arch/s390/include/asm/cache.h +@@ -9,8 +9,10 @@ + #ifndef __ARCH_S390_CACHE_H + #define __ARCH_S390_CACHE_H + +-#define L1_CACHE_BYTES 256 ++#include ++ + #define L1_CACHE_SHIFT 8 ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + #define NET_SKB_PAD 32 + + #define __read_mostly __attribute__((__section__(".data..read_mostly"))) +diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h +index 78f4f87..598ce39 100644 +--- a/arch/s390/include/asm/elf.h ++++ b/arch/s390/include/asm/elf.h +@@ -162,8 +162,14 @@ extern unsigned int vdso_enabled; + the loader. We need to make sure that it is out of the way of the program + that it will "exec", and that there is sufficient room for the brk. */ + +-extern unsigned long randomize_et_dyn(unsigned long base); +-#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2)) ++#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2) ++ ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL) ++ ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26) ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26) ++#endif + + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. */ +@@ -222,9 +228,6 @@ struct linux_binprm; + #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 + int arch_setup_additional_pages(struct linux_binprm *, int); + +-extern unsigned long arch_randomize_brk(struct mm_struct *mm); +-#define arch_randomize_brk arch_randomize_brk +- + void *fill_cpu_elf_notes(void *ptr, struct save_area *sa); + + #endif +diff --git a/arch/s390/include/asm/exec.h b/arch/s390/include/asm/exec.h +index c4a93d6..4d2a9b4 100644 +--- a/arch/s390/include/asm/exec.h ++++ b/arch/s390/include/asm/exec.h +@@ -7,6 +7,6 @@ + #ifndef __ASM_EXEC_H + #define __ASM_EXEC_H + +-extern unsigned long arch_align_stack(unsigned long sp); ++#define arch_align_stack(x) ((x) & ~0xfUL) + + #endif /* __ASM_EXEC_H */ +diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h +index 79330af..254cf37 100644 +--- a/arch/s390/include/asm/uaccess.h ++++ b/arch/s390/include/asm/uaccess.h +@@ -59,6 +59,7 @@ static inline int __range_ok(unsigned long addr, unsigned long size) + __range_ok((unsigned long)(addr), (size)); \ + }) + ++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size)) + #define access_ok(type, addr, size) __access_ok(addr, size) + + /* +@@ -245,6 +246,10 @@ static inline unsigned long __must_check + copy_to_user(void __user *to, const void *from, unsigned long n) + { + might_fault(); ++ ++ if ((long)n < 0) ++ return n; ++ + return __copy_to_user(to, from, n); + } + +@@ -268,6 +273,9 @@ copy_to_user(void __user *to, const void *from, unsigned long n) + static inline unsigned long __must_check + __copy_from_user(void *to, const void __user *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ + return uaccess.copy_from_user(n, from, to); + } + +@@ -296,10 +304,14 @@ __compiletime_warning("copy_from_user() buffer size is not provably correct") + static inline unsigned long __must_check + copy_from_user(void *to, const void __user *from, unsigned long n) + { +- unsigned int sz = __compiletime_object_size(to); ++ size_t sz = __compiletime_object_size(to); + + might_fault(); +- if (unlikely(sz != -1 && sz < n)) { ++ ++ if ((long)n < 0) ++ return n; ++ ++ if (unlikely(sz != (size_t)-1 && sz < n)) { + copy_from_user_overflow(); + return n; + } +diff --git a/arch/s390/kernel/module.c b/arch/s390/kernel/module.c +index b89b591..fd9609d 100644 +--- a/arch/s390/kernel/module.c ++++ b/arch/s390/kernel/module.c +@@ -169,11 +169,11 @@ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, + + /* Increase core size by size of got & plt and set start + offsets for got and plt. */ +- me->core_size = ALIGN(me->core_size, 4); +- me->arch.got_offset = me->core_size; +- me->core_size += me->arch.got_size; +- me->arch.plt_offset = me->core_size; +- me->core_size += me->arch.plt_size; ++ me->core_size_rw = ALIGN(me->core_size_rw, 4); ++ me->arch.got_offset = me->core_size_rw; ++ me->core_size_rw += me->arch.got_size; ++ me->arch.plt_offset = me->core_size_rx; ++ me->core_size_rx += me->arch.plt_size; + return 0; + } + +@@ -289,7 +289,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab, + if (info->got_initialized == 0) { + Elf_Addr *gotent; + +- gotent = me->module_core + me->arch.got_offset + ++ gotent = me->module_core_rw + me->arch.got_offset + + info->got_offset; + *gotent = val; + info->got_initialized = 1; +@@ -312,7 +312,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab, + rc = apply_rela_bits(loc, val, 0, 64, 0); + else if (r_type == R_390_GOTENT || + r_type == R_390_GOTPLTENT) { +- val += (Elf_Addr) me->module_core - loc; ++ val += (Elf_Addr) me->module_core_rw - loc; + rc = apply_rela_bits(loc, val, 1, 32, 1); + } + break; +@@ -325,7 +325,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab, + case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */ + if (info->plt_initialized == 0) { + unsigned int *ip; +- ip = me->module_core + me->arch.plt_offset + ++ ip = me->module_core_rx + me->arch.plt_offset + + info->plt_offset; + #ifndef CONFIG_64BIT + ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */ +@@ -350,7 +350,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab, + val - loc + 0xffffUL < 0x1ffffeUL) || + (r_type == R_390_PLT32DBL && + val - loc + 0xffffffffULL < 0x1fffffffeULL))) +- val = (Elf_Addr) me->module_core + ++ val = (Elf_Addr) me->module_core_rx + + me->arch.plt_offset + + info->plt_offset; + val += rela->r_addend - loc; +@@ -372,7 +372,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab, + case R_390_GOTOFF32: /* 32 bit offset to GOT. */ + case R_390_GOTOFF64: /* 64 bit offset to GOT. */ + val = val + rela->r_addend - +- ((Elf_Addr) me->module_core + me->arch.got_offset); ++ ((Elf_Addr) me->module_core_rw + me->arch.got_offset); + if (r_type == R_390_GOTOFF16) + rc = apply_rela_bits(loc, val, 0, 16, 0); + else if (r_type == R_390_GOTOFF32) +@@ -382,7 +382,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab, + break; + case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */ + case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */ +- val = (Elf_Addr) me->module_core + me->arch.got_offset + ++ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset + + rela->r_addend - loc; + if (r_type == R_390_GOTPC) + rc = apply_rela_bits(loc, val, 1, 32, 0); +diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c +index dd14532..1dfc145 100644 +--- a/arch/s390/kernel/process.c ++++ b/arch/s390/kernel/process.c +@@ -242,37 +242,3 @@ unsigned long get_wchan(struct task_struct *p) + } + return 0; + } +- +-unsigned long arch_align_stack(unsigned long sp) +-{ +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) +- sp -= get_random_int() & ~PAGE_MASK; +- return sp & ~0xf; +-} +- +-static inline unsigned long brk_rnd(void) +-{ +- /* 8MB for 32bit, 1GB for 64bit */ +- if (is_32bit_task()) +- return (get_random_int() & 0x7ffUL) << PAGE_SHIFT; +- else +- return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT; +-} +- +-unsigned long arch_randomize_brk(struct mm_struct *mm) +-{ +- unsigned long ret; +- +- ret = PAGE_ALIGN(mm->brk + brk_rnd()); +- return (ret > mm->brk) ? ret : mm->brk; +-} +- +-unsigned long randomize_et_dyn(unsigned long base) +-{ +- unsigned long ret; +- +- if (!(current->flags & PF_RANDOMIZE)) +- return base; +- ret = PAGE_ALIGN(base + brk_rnd()); +- return (ret > base) ? ret : base; +-} +diff --git a/arch/s390/mm/mmap.c b/arch/s390/mm/mmap.c +index 9b436c2..54fbf0a 100644 +--- a/arch/s390/mm/mmap.c ++++ b/arch/s390/mm/mmap.c +@@ -95,9 +95,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + */ + if (mmap_is_legacy()) { + mm->mmap_base = mmap_base_legacy(); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base += mm->delta_mmap; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area; + } else { + mm->mmap_base = mmap_base(); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area_topdown; + } + } +@@ -170,9 +182,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + */ + if (mmap_is_legacy()) { + mm->mmap_base = mmap_base_legacy(); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base += mm->delta_mmap; ++#endif ++ + mm->get_unmapped_area = s390_get_unmapped_area; + } else { + mm->mmap_base = mmap_base(); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++#endif ++ + mm->get_unmapped_area = s390_get_unmapped_area_topdown; + } + } +diff --git a/arch/score/include/asm/cache.h b/arch/score/include/asm/cache.h +index ae3d59f..f65f075 100644 +--- a/arch/score/include/asm/cache.h ++++ b/arch/score/include/asm/cache.h +@@ -1,7 +1,9 @@ + #ifndef _ASM_SCORE_CACHE_H + #define _ASM_SCORE_CACHE_H + ++#include ++ + #define L1_CACHE_SHIFT 4 +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #endif /* _ASM_SCORE_CACHE_H */ +diff --git a/arch/score/include/asm/exec.h b/arch/score/include/asm/exec.h +index f9f3cd5..58ff438 100644 +--- a/arch/score/include/asm/exec.h ++++ b/arch/score/include/asm/exec.h +@@ -1,6 +1,6 @@ + #ifndef _ASM_SCORE_EXEC_H + #define _ASM_SCORE_EXEC_H + +-extern unsigned long arch_align_stack(unsigned long sp); ++#define arch_align_stack(x) (x) + + #endif /* _ASM_SCORE_EXEC_H */ +diff --git a/arch/score/kernel/process.c b/arch/score/kernel/process.c +index a1519ad3..e8ac1ff 100644 +--- a/arch/score/kernel/process.c ++++ b/arch/score/kernel/process.c +@@ -116,8 +116,3 @@ unsigned long get_wchan(struct task_struct *task) + + return task_pt_regs(task)->cp0_epc; + } +- +-unsigned long arch_align_stack(unsigned long sp) +-{ +- return sp; +-} +diff --git a/arch/sh/include/asm/cache.h b/arch/sh/include/asm/cache.h +index ef9e555..331bd29 100644 +--- a/arch/sh/include/asm/cache.h ++++ b/arch/sh/include/asm/cache.h +@@ -9,10 +9,11 @@ + #define __ASM_SH_CACHE_H + #ifdef __KERNEL__ + ++#include + #include + #include + +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define __read_mostly __attribute__((__section__(".data..read_mostly"))) + +diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c +index 6777177..cb5e44f 100644 +--- a/arch/sh/mm/mmap.c ++++ b/arch/sh/mm/mmap.c +@@ -36,6 +36,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + int do_colour_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + struct vm_unmapped_area_info info; + + if (flags & MAP_FIXED) { +@@ -55,6 +56,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + if (filp || (flags & MAP_SHARED)) + do_colour_align = 1; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + if (do_colour_align) + addr = COLOUR_ALIGN(addr, pgoff); +@@ -62,14 +67,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + addr = PAGE_ALIGN(addr); + + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + + info.flags = 0; + info.length = len; +- info.low_limit = TASK_UNMAPPED_BASE; ++ info.low_limit = mm->mmap_base; + info.high_limit = TASK_SIZE; + info.align_mask = do_colour_align ? (PAGE_MASK & shm_align_mask) : 0; + info.align_offset = pgoff << PAGE_SHIFT; +@@ -85,6 +89,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; + int do_colour_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + struct vm_unmapped_area_info info; + + if (flags & MAP_FIXED) { +@@ -104,6 +109,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + if (filp || (flags & MAP_SHARED)) + do_colour_align = 1; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + /* requesting a specific address */ + if (addr) { + if (do_colour_align) +@@ -112,8 +121,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + addr = PAGE_ALIGN(addr); + + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + +@@ -135,6 +143,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + VM_BUG_ON(addr != -ENOMEM); + info.flags = 0; + info.low_limit = TASK_UNMAPPED_BASE; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ info.low_limit += mm->delta_mmap; ++#endif ++ + info.high_limit = TASK_SIZE; + addr = vm_unmapped_area(&info); + } +diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h +index be56a24..443328f 100644 +--- a/arch/sparc/include/asm/atomic_64.h ++++ b/arch/sparc/include/asm/atomic_64.h +@@ -14,18 +14,40 @@ + #define ATOMIC64_INIT(i) { (i) } + + #define atomic_read(v) (*(volatile int *)&(v)->counter) ++static inline int atomic_read_unchecked(const atomic_unchecked_t *v) ++{ ++ return v->counter; ++} + #define atomic64_read(v) (*(volatile long *)&(v)->counter) ++static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v) ++{ ++ return v->counter; ++} + + #define atomic_set(v, i) (((v)->counter) = i) ++static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i) ++{ ++ v->counter = i; ++} + #define atomic64_set(v, i) (((v)->counter) = i) ++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i) ++{ ++ v->counter = i; ++} + + extern void atomic_add(int, atomic_t *); ++extern void atomic_add_unchecked(int, atomic_unchecked_t *); + extern void atomic64_add(long, atomic64_t *); ++extern void atomic64_add_unchecked(long, atomic64_unchecked_t *); + extern void atomic_sub(int, atomic_t *); ++extern void atomic_sub_unchecked(int, atomic_unchecked_t *); + extern void atomic64_sub(long, atomic64_t *); ++extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *); + + extern int atomic_add_ret(int, atomic_t *); ++extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *); + extern long atomic64_add_ret(long, atomic64_t *); ++extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *); + extern int atomic_sub_ret(int, atomic_t *); + extern long atomic64_sub_ret(long, atomic64_t *); + +@@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomic64_t *); + #define atomic64_dec_return(v) atomic64_sub_ret(1, v) + + #define atomic_inc_return(v) atomic_add_ret(1, v) ++static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v) ++{ ++ return atomic_add_ret_unchecked(1, v); ++} + #define atomic64_inc_return(v) atomic64_add_ret(1, v) ++static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v) ++{ ++ return atomic64_add_ret_unchecked(1, v); ++} + + #define atomic_sub_return(i, v) atomic_sub_ret(i, v) + #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v) + + #define atomic_add_return(i, v) atomic_add_ret(i, v) ++static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) ++{ ++ return atomic_add_ret_unchecked(i, v); ++} + #define atomic64_add_return(i, v) atomic64_add_ret(i, v) ++static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v) ++{ ++ return atomic64_add_ret_unchecked(i, v); ++} + + /* + * atomic_inc_and_test - increment and test +@@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomic64_t *); + * other cases. + */ + #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0) ++static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v) ++{ ++ return atomic_inc_return_unchecked(v) == 0; ++} + #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0) + + #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0) +@@ -59,25 +101,60 @@ extern long atomic64_sub_ret(long, atomic64_t *); + #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0) + + #define atomic_inc(v) atomic_add(1, v) ++static inline void atomic_inc_unchecked(atomic_unchecked_t *v) ++{ ++ atomic_add_unchecked(1, v); ++} + #define atomic64_inc(v) atomic64_add(1, v) ++static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v) ++{ ++ atomic64_add_unchecked(1, v); ++} + + #define atomic_dec(v) atomic_sub(1, v) ++static inline void atomic_dec_unchecked(atomic_unchecked_t *v) ++{ ++ atomic_sub_unchecked(1, v); ++} + #define atomic64_dec(v) atomic64_sub(1, v) ++static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v) ++{ ++ atomic64_sub_unchecked(1, v); ++} + + #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0) + #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0) + + #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) ++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new) ++{ ++ return cmpxchg(&v->counter, old, new); ++} + #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) ++static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new) ++{ ++ return xchg(&v->counter, new); ++} + + static inline int __atomic_add_unless(atomic_t *v, int a, int u) + { +- int c, old; ++ int c, old, new; + c = atomic_read(v); + for (;;) { +- if (unlikely(c == (u))) ++ if (unlikely(c == u)) + break; +- old = atomic_cmpxchg((v), c, c + (a)); ++ ++ asm volatile("addcc %2, %0, %0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "tvs %%icc, 6\n" ++#endif ++ ++ : "=r" (new) ++ : "0" (c), "ir" (a) ++ : "cc"); ++ ++ old = atomic_cmpxchg(v, c, new); + if (likely(old == c)) + break; + c = old; +@@ -88,20 +165,35 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u) + #define atomic64_cmpxchg(v, o, n) \ + ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n))) + #define atomic64_xchg(v, new) (xchg(&((v)->counter), new)) ++static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new) ++{ ++ return xchg(&v->counter, new); ++} + + static inline long atomic64_add_unless(atomic64_t *v, long a, long u) + { +- long c, old; ++ long c, old, new; + c = atomic64_read(v); + for (;;) { +- if (unlikely(c == (u))) ++ if (unlikely(c == u)) + break; +- old = atomic64_cmpxchg((v), c, c + (a)); ++ ++ asm volatile("addcc %2, %0, %0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "tvs %%xcc, 6\n" ++#endif ++ ++ : "=r" (new) ++ : "0" (c), "ir" (a) ++ : "cc"); ++ ++ old = atomic64_cmpxchg(v, c, new); + if (likely(old == c)) + break; + c = old; + } +- return c != (u); ++ return c != u; + } + + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) +diff --git a/arch/sparc/include/asm/cache.h b/arch/sparc/include/asm/cache.h +index 5bb6991..5c2132e 100644 +--- a/arch/sparc/include/asm/cache.h ++++ b/arch/sparc/include/asm/cache.h +@@ -7,10 +7,12 @@ + #ifndef _SPARC_CACHE_H + #define _SPARC_CACHE_H + ++#include ++ + #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long) + + #define L1_CACHE_SHIFT 5 +-#define L1_CACHE_BYTES 32 ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #ifdef CONFIG_SPARC32 + #define SMP_CACHE_BYTES_SHIFT 5 +diff --git a/arch/sparc/include/asm/elf_32.h b/arch/sparc/include/asm/elf_32.h +index a24e41f..47677ff 100644 +--- a/arch/sparc/include/asm/elf_32.h ++++ b/arch/sparc/include/asm/elf_32.h +@@ -114,6 +114,13 @@ typedef struct { + + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE) + ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE 0x10000UL ++ ++#define PAX_DELTA_MMAP_LEN 16 ++#define PAX_DELTA_STACK_LEN 16 ++#endif ++ + /* This yields a mask that user programs can use to figure out what + instruction set this cpu supports. This can NOT be done in userspace + on Sparc. */ +diff --git a/arch/sparc/include/asm/elf_64.h b/arch/sparc/include/asm/elf_64.h +index 370ca1e..d4f4a98 100644 +--- a/arch/sparc/include/asm/elf_64.h ++++ b/arch/sparc/include/asm/elf_64.h +@@ -189,6 +189,13 @@ typedef struct { + #define ELF_ET_DYN_BASE 0x0000010000000000UL + #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL + ++#ifdef CONFIG_PAX_ASLR ++#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL) ++ ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28) ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29) ++#endif ++ + extern unsigned long sparc64_elf_hwcap; + #define ELF_HWCAP sparc64_elf_hwcap + +diff --git a/arch/sparc/include/asm/pgalloc_32.h b/arch/sparc/include/asm/pgalloc_32.h +index 9b1c36d..209298b 100644 +--- a/arch/sparc/include/asm/pgalloc_32.h ++++ b/arch/sparc/include/asm/pgalloc_32.h +@@ -33,6 +33,7 @@ static inline void pgd_set(pgd_t * pgdp, pmd_t * pmdp) + } + + #define pgd_populate(MM, PGD, PMD) pgd_set(PGD, PMD) ++#define pgd_populate_kernel(MM, PGD, PMD) pgd_populate((MM), (PGD), (PMD)) + + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, + unsigned long address) +diff --git a/arch/sparc/include/asm/pgalloc_64.h b/arch/sparc/include/asm/pgalloc_64.h +index bcfe063..b333142 100644 +--- a/arch/sparc/include/asm/pgalloc_64.h ++++ b/arch/sparc/include/asm/pgalloc_64.h +@@ -26,6 +26,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) + } + + #define pud_populate(MM, PUD, PMD) pud_set(PUD, PMD) ++#define pud_populate_kernel(MM, PUD, PMD) pud_populate((MM), (PUD), (PMD)) + + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr) + { +diff --git a/arch/sparc/include/asm/pgtable.h b/arch/sparc/include/asm/pgtable.h +index 59ba6f6..4518128 100644 +--- a/arch/sparc/include/asm/pgtable.h ++++ b/arch/sparc/include/asm/pgtable.h +@@ -5,4 +5,8 @@ + #else + #include + #endif ++ ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + #endif +diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h +index 502f632..da1917f 100644 +--- a/arch/sparc/include/asm/pgtable_32.h ++++ b/arch/sparc/include/asm/pgtable_32.h +@@ -50,6 +50,9 @@ extern unsigned long calc_highpages(void); + #define PAGE_SHARED SRMMU_PAGE_SHARED + #define PAGE_COPY SRMMU_PAGE_COPY + #define PAGE_READONLY SRMMU_PAGE_RDONLY ++#define PAGE_SHARED_NOEXEC SRMMU_PAGE_SHARED_NOEXEC ++#define PAGE_COPY_NOEXEC SRMMU_PAGE_COPY_NOEXEC ++#define PAGE_READONLY_NOEXEC SRMMU_PAGE_RDONLY_NOEXEC + #define PAGE_KERNEL SRMMU_PAGE_KERNEL + + /* Top-level page directory - dummy used by init-mm. +@@ -62,18 +65,18 @@ extern unsigned long ptr_in_current_pgd; + + /* xwr */ + #define __P000 PAGE_NONE +-#define __P001 PAGE_READONLY +-#define __P010 PAGE_COPY +-#define __P011 PAGE_COPY ++#define __P001 PAGE_READONLY_NOEXEC ++#define __P010 PAGE_COPY_NOEXEC ++#define __P011 PAGE_COPY_NOEXEC + #define __P100 PAGE_READONLY + #define __P101 PAGE_READONLY + #define __P110 PAGE_COPY + #define __P111 PAGE_COPY + + #define __S000 PAGE_NONE +-#define __S001 PAGE_READONLY +-#define __S010 PAGE_SHARED +-#define __S011 PAGE_SHARED ++#define __S001 PAGE_READONLY_NOEXEC ++#define __S010 PAGE_SHARED_NOEXEC ++#define __S011 PAGE_SHARED_NOEXEC + #define __S100 PAGE_READONLY + #define __S101 PAGE_READONLY + #define __S110 PAGE_SHARED +diff --git a/arch/sparc/include/asm/pgtsrmmu.h b/arch/sparc/include/asm/pgtsrmmu.h +index 79da178..c2eede8 100644 +--- a/arch/sparc/include/asm/pgtsrmmu.h ++++ b/arch/sparc/include/asm/pgtsrmmu.h +@@ -115,6 +115,11 @@ + SRMMU_EXEC | SRMMU_REF) + #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \ + SRMMU_EXEC | SRMMU_REF) ++ ++#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF) ++#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF) ++#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF) ++ + #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \ + SRMMU_DIRTY | SRMMU_REF) + +diff --git a/arch/sparc/include/asm/spinlock_64.h b/arch/sparc/include/asm/spinlock_64.h +index 9689176..63c18ea 100644 +--- a/arch/sparc/include/asm/spinlock_64.h ++++ b/arch/sparc/include/asm/spinlock_64.h +@@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *lock, unsigned long fla + + /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */ + +-static void inline arch_read_lock(arch_rwlock_t *lock) ++static inline void arch_read_lock(arch_rwlock_t *lock) + { + unsigned long tmp1, tmp2; + + __asm__ __volatile__ ( + "1: ldsw [%2], %0\n" + " brlz,pn %0, 2f\n" +-"4: add %0, 1, %1\n" ++"4: addcc %0, 1, %1\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" tvs %%icc, 6\n" ++#endif ++ + " cas [%2], %0, %1\n" + " cmp %0, %1\n" + " bne,pn %%icc, 1b\n" +@@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_rwlock_t *lock) + " .previous" + : "=&r" (tmp1), "=&r" (tmp2) + : "r" (lock) +- : "memory"); ++ : "memory", "cc"); + } + +-static int inline arch_read_trylock(arch_rwlock_t *lock) ++static inline int arch_read_trylock(arch_rwlock_t *lock) + { + int tmp1, tmp2; + +@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch_rwlock_t *lock) + "1: ldsw [%2], %0\n" + " brlz,a,pn %0, 2f\n" + " mov 0, %0\n" +-" add %0, 1, %1\n" ++" addcc %0, 1, %1\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" tvs %%icc, 6\n" ++#endif ++ + " cas [%2], %0, %1\n" + " cmp %0, %1\n" + " bne,pn %%icc, 1b\n" +@@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch_rwlock_t *lock) + return tmp1; + } + +-static void inline arch_read_unlock(arch_rwlock_t *lock) ++static inline void arch_read_unlock(arch_rwlock_t *lock) + { + unsigned long tmp1, tmp2; + + __asm__ __volatile__( + "1: lduw [%2], %0\n" +-" sub %0, 1, %1\n" ++" subcc %0, 1, %1\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++" tvs %%icc, 6\n" ++#endif ++ + " cas [%2], %0, %1\n" + " cmp %0, %1\n" + " bne,pn %%xcc, 1b\n" +@@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch_rwlock_t *lock) + : "memory"); + } + +-static void inline arch_write_lock(arch_rwlock_t *lock) ++static inline void arch_write_lock(arch_rwlock_t *lock) + { + unsigned long mask, tmp1, tmp2; + +@@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_rwlock_t *lock) + : "memory"); + } + +-static void inline arch_write_unlock(arch_rwlock_t *lock) ++static inline void arch_write_unlock(arch_rwlock_t *lock) + { + __asm__ __volatile__( + " stw %%g0, [%0]" +@@ -186,7 +201,7 @@ static void inline arch_write_unlock(arch_rwlock_t *lock) + : "memory"); + } + +-static int inline arch_write_trylock(arch_rwlock_t *lock) ++static inline int arch_write_trylock(arch_rwlock_t *lock) + { + unsigned long mask, tmp1, tmp2, result; + +diff --git a/arch/sparc/include/asm/thread_info_32.h b/arch/sparc/include/asm/thread_info_32.h +index 96efa7a..16858bf 100644 +--- a/arch/sparc/include/asm/thread_info_32.h ++++ b/arch/sparc/include/asm/thread_info_32.h +@@ -49,6 +49,8 @@ struct thread_info { + unsigned long w_saved; + + struct restart_block restart_block; ++ ++ unsigned long lowest_stack; + }; + + /* +diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h +index a5f01ac..703b554 100644 +--- a/arch/sparc/include/asm/thread_info_64.h ++++ b/arch/sparc/include/asm/thread_info_64.h +@@ -63,6 +63,8 @@ struct thread_info { + struct pt_regs *kern_una_regs; + unsigned int kern_una_insn; + ++ unsigned long lowest_stack; ++ + unsigned long fpregs[0] __attribute__ ((aligned(64))); + }; + +@@ -188,12 +190,13 @@ register struct thread_info *current_thread_info_reg asm("g6"); + #define TIF_NEED_RESCHED 3 /* rescheduling necessary */ + /* flag bit 4 is available */ + #define TIF_UNALIGNED 5 /* allowed to do unaligned accesses */ +-/* flag bit 6 is available */ ++#define TIF_GRSEC_SETXID 6 /* update credentials on syscall entry/exit */ + #define TIF_32BIT 7 /* 32-bit binary */ + #define TIF_NOHZ 8 /* in adaptive nohz mode */ + #define TIF_SECCOMP 9 /* secure computing */ + #define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */ + #define TIF_SYSCALL_TRACEPOINT 11 /* syscall tracepoint instrumentation */ ++ + /* NOTE: Thread flags >= 12 should be ones we have no interest + * in using in assembly, else we can't use the mask as + * an immediate value in instructions such as andcc. +@@ -213,12 +216,18 @@ register struct thread_info *current_thread_info_reg asm("g6"); + #define _TIF_SYSCALL_AUDIT (1< + #else +diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h +index 53a28dd..50c38c3 100644 +--- a/arch/sparc/include/asm/uaccess_32.h ++++ b/arch/sparc/include/asm/uaccess_32.h +@@ -250,27 +250,46 @@ extern unsigned long __copy_user(void __user *to, const void __user *from, unsig + + static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n) + { +- if (n && __access_ok((unsigned long) to, n)) ++ if ((long)n < 0) ++ return n; ++ ++ if (n && __access_ok((unsigned long) to, n)) { ++ if (!__builtin_constant_p(n)) ++ check_object_size(from, n, true); + return __copy_user(to, (__force void __user *) from, n); +- else ++ } else + return n; + } + + static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ ++ if (!__builtin_constant_p(n)) ++ check_object_size(from, n, true); ++ + return __copy_user(to, (__force void __user *) from, n); + } + + static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n) + { +- if (n && __access_ok((unsigned long) from, n)) ++ if ((long)n < 0) ++ return n; ++ ++ if (n && __access_ok((unsigned long) from, n)) { ++ if (!__builtin_constant_p(n)) ++ check_object_size(to, n, false); + return __copy_user((__force void __user *) to, from, n); +- else ++ } else + return n; + } + + static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ + return __copy_user((__force void __user *) to, from, n); + } + +diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h +index ad7e178..c9e7423 100644 +--- a/arch/sparc/include/asm/uaccess_64.h ++++ b/arch/sparc/include/asm/uaccess_64.h +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -214,8 +215,15 @@ extern unsigned long copy_from_user_fixup(void *to, const void __user *from, + static inline unsigned long __must_check + copy_from_user(void *to, const void __user *from, unsigned long size) + { +- unsigned long ret = ___copy_from_user(to, from, size); ++ unsigned long ret; + ++ if ((long)size < 0 || size > INT_MAX) ++ return size; ++ ++ if (!__builtin_constant_p(size)) ++ check_object_size(to, size, false); ++ ++ ret = ___copy_from_user(to, from, size); + if (unlikely(ret)) + ret = copy_from_user_fixup(to, from, size); + +@@ -231,8 +239,15 @@ extern unsigned long copy_to_user_fixup(void __user *to, const void *from, + static inline unsigned long __must_check + copy_to_user(void __user *to, const void *from, unsigned long size) + { +- unsigned long ret = ___copy_to_user(to, from, size); ++ unsigned long ret; + ++ if ((long)size < 0 || size > INT_MAX) ++ return size; ++ ++ if (!__builtin_constant_p(size)) ++ check_object_size(from, size, true); ++ ++ ret = ___copy_to_user(to, from, size); + if (unlikely(ret)) + ret = copy_to_user_fixup(to, from, size); + return ret; +diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile +index d15cc17..d0ae796 100644 +--- a/arch/sparc/kernel/Makefile ++++ b/arch/sparc/kernel/Makefile +@@ -4,7 +4,7 @@ + # + + asflags-y := -ansi +-ccflags-y := -Werror ++#ccflags-y := -Werror + + extra-y := head_$(BITS).o + +diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c +index 510baec..9ff2607 100644 +--- a/arch/sparc/kernel/process_32.c ++++ b/arch/sparc/kernel/process_32.c +@@ -115,14 +115,14 @@ void show_regs(struct pt_regs *r) + + printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n", + r->psr, r->pc, r->npc, r->y, print_tainted()); +- printk("PC: <%pS>\n", (void *) r->pc); ++ printk("PC: <%pA>\n", (void *) r->pc); + printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n", + r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3], + r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]); + printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n", + r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11], + r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]); +- printk("RPC: <%pS>\n", (void *) r->u_regs[15]); ++ printk("RPC: <%pA>\n", (void *) r->u_regs[15]); + + printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n", + rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3], +@@ -159,7 +159,7 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp) + rw = (struct reg_window32 *) fp; + pc = rw->ins[7]; + printk("[%08lx : ", pc); +- printk("%pS ] ", (void *) pc); ++ printk("%pA ] ", (void *) pc); + fp = rw->ins[6]; + } while (++count < 16); + printk("\n"); +diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c +index d7b4967..2edf827 100644 +--- a/arch/sparc/kernel/process_64.c ++++ b/arch/sparc/kernel/process_64.c +@@ -161,7 +161,7 @@ static void show_regwindow(struct pt_regs *regs) + printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n", + rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]); + if (regs->tstate & TSTATE_PRIV) +- printk("I7: <%pS>\n", (void *) rwk->ins[7]); ++ printk("I7: <%pA>\n", (void *) rwk->ins[7]); + } + + void show_regs(struct pt_regs *regs) +@@ -170,7 +170,7 @@ void show_regs(struct pt_regs *regs) + + printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate, + regs->tpc, regs->tnpc, regs->y, print_tainted()); +- printk("TPC: <%pS>\n", (void *) regs->tpc); ++ printk("TPC: <%pA>\n", (void *) regs->tpc); + printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n", + regs->u_regs[0], regs->u_regs[1], regs->u_regs[2], + regs->u_regs[3]); +@@ -183,7 +183,7 @@ void show_regs(struct pt_regs *regs) + printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n", + regs->u_regs[12], regs->u_regs[13], regs->u_regs[14], + regs->u_regs[15]); +- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]); ++ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]); + show_regwindow(regs); + show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]); + } +@@ -272,7 +272,7 @@ void arch_trigger_all_cpu_backtrace(void) + ((tp && tp->task) ? tp->task->pid : -1)); + + if (gp->tstate & TSTATE_PRIV) { +- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n", ++ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n", + (void *) gp->tpc, + (void *) gp->o7, + (void *) gp->i7, +diff --git a/arch/sparc/kernel/prom_common.c b/arch/sparc/kernel/prom_common.c +index 79cc0d1..ec62734 100644 +--- a/arch/sparc/kernel/prom_common.c ++++ b/arch/sparc/kernel/prom_common.c +@@ -144,7 +144,7 @@ static int __init prom_common_nextprop(phandle node, char *prev, char *buf) + + unsigned int prom_early_allocated __initdata; + +-static struct of_pdt_ops prom_sparc_ops __initdata = { ++static struct of_pdt_ops prom_sparc_ops __initconst = { + .nextprop = prom_common_nextprop, + .getproplen = prom_getproplen, + .getproperty = prom_getproperty, +diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c +index c13c9f2..d572c34 100644 +--- a/arch/sparc/kernel/ptrace_64.c ++++ b/arch/sparc/kernel/ptrace_64.c +@@ -1060,6 +1060,10 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + asmlinkage int syscall_trace_enter(struct pt_regs *regs) + { + int ret = 0; +@@ -1070,6 +1074,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs) + if (test_thread_flag(TIF_NOHZ)) + user_exit(); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + if (test_thread_flag(TIF_SYSCALL_TRACE)) + ret = tracehook_report_syscall_entry(regs); + +@@ -1093,6 +1102,11 @@ asmlinkage void syscall_trace_leave(struct pt_regs *regs) + if (test_thread_flag(TIF_NOHZ)) + user_exit(); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + audit_syscall_exit(regs); + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) +diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c +index b085311..6f885f7 100644 +--- a/arch/sparc/kernel/smp_64.c ++++ b/arch/sparc/kernel/smp_64.c +@@ -870,8 +870,8 @@ extern unsigned long xcall_flush_dcache_page_cheetah; + extern unsigned long xcall_flush_dcache_page_spitfire; + + #ifdef CONFIG_DEBUG_DCFLUSH +-extern atomic_t dcpage_flushes; +-extern atomic_t dcpage_flushes_xcall; ++extern atomic_unchecked_t dcpage_flushes; ++extern atomic_unchecked_t dcpage_flushes_xcall; + #endif + + static inline void __local_flush_dcache_page(struct page *page) +@@ -895,7 +895,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu) + return; + + #ifdef CONFIG_DEBUG_DCFLUSH +- atomic_inc(&dcpage_flushes); ++ atomic_inc_unchecked(&dcpage_flushes); + #endif + + this_cpu = get_cpu(); +@@ -919,7 +919,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu) + xcall_deliver(data0, __pa(pg_addr), + (u64) pg_addr, cpumask_of(cpu)); + #ifdef CONFIG_DEBUG_DCFLUSH +- atomic_inc(&dcpage_flushes_xcall); ++ atomic_inc_unchecked(&dcpage_flushes_xcall); + #endif + } + } +@@ -938,7 +938,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page) + preempt_disable(); + + #ifdef CONFIG_DEBUG_DCFLUSH +- atomic_inc(&dcpage_flushes); ++ atomic_inc_unchecked(&dcpage_flushes); + #endif + data0 = 0; + pg_addr = page_address(page); +@@ -955,7 +955,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page) + xcall_deliver(data0, __pa(pg_addr), + (u64) pg_addr, cpu_online_mask); + #ifdef CONFIG_DEBUG_DCFLUSH +- atomic_inc(&dcpage_flushes_xcall); ++ atomic_inc_unchecked(&dcpage_flushes_xcall); + #endif + } + __local_flush_dcache_page(page); +diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c +index 3a8d184..49498a8 100644 +--- a/arch/sparc/kernel/sys_sparc_32.c ++++ b/arch/sparc/kernel/sys_sparc_32.c +@@ -52,7 +52,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + if (len > TASK_SIZE - PAGE_SIZE) + return -ENOMEM; + if (!addr) +- addr = TASK_UNMAPPED_BASE; ++ addr = current->mm->mmap_base; + + info.flags = 0; + info.length = len; +diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c +index beb0b5a..5a153f7 100644 +--- a/arch/sparc/kernel/sys_sparc_64.c ++++ b/arch/sparc/kernel/sys_sparc_64.c +@@ -88,13 +88,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + struct vm_area_struct * vma; + unsigned long task_size = TASK_SIZE; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + struct vm_unmapped_area_info info; + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate + * cache aliasing constraints. + */ +- if ((flags & MAP_SHARED) && ++ if ((filp || (flags & MAP_SHARED)) && + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) + return -EINVAL; + return addr; +@@ -109,6 +110,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + if (filp || (flags & MAP_SHARED)) + do_color_align = 1; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + if (do_color_align) + addr = COLOR_ALIGN(addr, pgoff); +@@ -116,22 +121,28 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + addr = PAGE_ALIGN(addr); + + vma = find_vma(mm, addr); +- if (task_size - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + + info.flags = 0; + info.length = len; +- info.low_limit = TASK_UNMAPPED_BASE; ++ info.low_limit = mm->mmap_base; + info.high_limit = min(task_size, VA_EXCLUDE_START); + info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0; + info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + + if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) { + VM_BUG_ON(addr != -ENOMEM); + info.low_limit = VA_EXCLUDE_END; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ info.low_limit += mm->delta_mmap; ++#endif ++ + info.high_limit = task_size; + addr = vm_unmapped_area(&info); + } +@@ -149,6 +160,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + unsigned long task_size = STACK_TOP32; + unsigned long addr = addr0; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + struct vm_unmapped_area_info info; + + /* This should only ever run for 32-bit processes. */ +@@ -158,7 +170,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + /* We do not accept a shared mapping if it would violate + * cache aliasing constraints. + */ +- if ((flags & MAP_SHARED) && ++ if ((filp || (flags & MAP_SHARED)) && + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) + return -EINVAL; + return addr; +@@ -171,6 +183,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + if (filp || (flags & MAP_SHARED)) + do_color_align = 1; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + /* requesting a specific address */ + if (addr) { + if (do_color_align) +@@ -179,8 +195,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + addr = PAGE_ALIGN(addr); + + vma = find_vma(mm, addr); +- if (task_size - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + +@@ -190,6 +205,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.high_limit = mm->mmap_base; + info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0; + info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + + /* +@@ -202,6 +218,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + VM_BUG_ON(addr != -ENOMEM); + info.flags = 0; + info.low_limit = TASK_UNMAPPED_BASE; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ info.low_limit += mm->delta_mmap; ++#endif ++ + info.high_limit = STACK_TOP32; + addr = vm_unmapped_area(&info); + } +@@ -258,10 +280,14 @@ unsigned long get_fb_unmapped_area(struct file *filp, unsigned long orig_addr, u + EXPORT_SYMBOL(get_fb_unmapped_area); + + /* Essentially the same as PowerPC. */ +-static unsigned long mmap_rnd(void) ++static unsigned long mmap_rnd(struct mm_struct *mm) + { + unsigned long rnd = 0UL; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (current->flags & PF_RANDOMIZE) { + unsigned long val = get_random_int(); + if (test_thread_flag(TIF_32BIT)) +@@ -274,7 +300,7 @@ static unsigned long mmap_rnd(void) + + void arch_pick_mmap_layout(struct mm_struct *mm) + { +- unsigned long random_factor = mmap_rnd(); ++ unsigned long random_factor = mmap_rnd(mm); + unsigned long gap; + + /* +@@ -287,6 +313,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + gap == RLIM_INFINITY || + sysctl_legacy_va_layout) { + mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base += mm->delta_mmap; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area; + } else { + /* We know it's 32-bit */ +@@ -298,6 +330,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + gap = (task_size / 6 * 5); + + mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++#endif ++ + mm->get_unmapped_area = arch_get_unmapped_area_topdown; + } + } +diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S +index 33a17e7..d87fb1f 100644 +--- a/arch/sparc/kernel/syscalls.S ++++ b/arch/sparc/kernel/syscalls.S +@@ -52,7 +52,7 @@ sys32_rt_sigreturn: + #endif + .align 32 + 1: ldx [%g6 + TI_FLAGS], %l5 +- andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0 ++ andcc %l5, _TIF_WORK_SYSCALL, %g0 + be,pt %icc, rtrap + nop + call syscall_trace_leave +@@ -184,7 +184,7 @@ linux_sparc_syscall32: + + srl %i3, 0, %o3 ! IEU0 + srl %i2, 0, %o2 ! IEU0 Group +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + bne,pn %icc, linux_syscall_trace32 ! CTI + mov %i0, %l5 ! IEU1 + 5: call %l7 ! CTI Group brk forced +@@ -208,7 +208,7 @@ linux_sparc_syscall: + + mov %i3, %o3 ! IEU1 + mov %i4, %o4 ! IEU0 Group +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + bne,pn %icc, linux_syscall_trace ! CTI Group + mov %i0, %l5 ! IEU0 + 2: call %l7 ! CTI Group brk forced +@@ -223,7 +223,7 @@ ret_sys_call: + + cmp %o0, -ERESTART_RESTARTBLOCK + bgeu,pn %xcc, 1f +- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0 ++ andcc %l0, _TIF_WORK_SYSCALL, %g0 + ldx [%sp + PTREGS_OFF + PT_V9_TNPC], %l1 ! pc = npc + + 2: +diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c +index 6629829..036032d 100644 +--- a/arch/sparc/kernel/traps_32.c ++++ b/arch/sparc/kernel/traps_32.c +@@ -44,6 +44,8 @@ static void instruction_dump(unsigned long *pc) + #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t") + #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t") + ++extern void gr_handle_kernel_exploit(void); ++ + void die_if_kernel(char *str, struct pt_regs *regs) + { + static int die_counter; +@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_regs *regs) + count++ < 30 && + (((unsigned long) rw) >= PAGE_OFFSET) && + !(((unsigned long) rw) & 0x7)) { +- printk("Caller[%08lx]: %pS\n", rw->ins[7], ++ printk("Caller[%08lx]: %pA\n", rw->ins[7], + (void *) rw->ins[7]); + rw = (struct reg_window32 *)rw->ins[6]; + } + } + printk("Instruction DUMP:"); + instruction_dump ((unsigned long *) regs->pc); +- if(regs->psr & PSR_PS) ++ if(regs->psr & PSR_PS) { ++ gr_handle_kernel_exploit(); + do_exit(SIGKILL); ++ } + do_exit(SIGSEGV); + } + +diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c +index 4ced92f..965eeed 100644 +--- a/arch/sparc/kernel/traps_64.c ++++ b/arch/sparc/kernel/traps_64.c +@@ -77,7 +77,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p) + i + 1, + p->trapstack[i].tstate, p->trapstack[i].tpc, + p->trapstack[i].tnpc, p->trapstack[i].tt); +- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc); ++ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc); + } + } + +@@ -97,6 +97,12 @@ void bad_trap(struct pt_regs *regs, long lvl) + + lvl -= 0x100; + if (regs->tstate & TSTATE_PRIV) { ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ if (lvl == 6) ++ pax_report_refcount_overflow(regs); ++#endif ++ + sprintf(buffer, "Kernel bad sw trap %lx", lvl); + die_if_kernel(buffer, regs); + } +@@ -115,11 +121,16 @@ void bad_trap(struct pt_regs *regs, long lvl) + void bad_trap_tl1(struct pt_regs *regs, long lvl) + { + char buffer[32]; +- ++ + if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs, + 0, lvl, SIGTRAP) == NOTIFY_STOP) + return; + ++#ifdef CONFIG_PAX_REFCOUNT ++ if (lvl == 6) ++ pax_report_refcount_overflow(regs); ++#endif ++ + dump_tl1_traplog((struct tl1_traplog *)(regs + 1)); + + sprintf (buffer, "Bad trap %lx at tl>0", lvl); +@@ -1149,7 +1160,7 @@ static void cheetah_log_errors(struct pt_regs *regs, struct cheetah_err_info *in + regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate); + printk("%s" "ERROR(%d): ", + (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id()); +- printk("TPC<%pS>\n", (void *) regs->tpc); ++ printk("TPC<%pA>\n", (void *) regs->tpc); + printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n", + (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(), + (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT, +@@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs) + smp_processor_id(), + (type & 0x1) ? 'I' : 'D', + regs->tpc); +- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc); ++ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc); + panic("Irrecoverable Cheetah+ parity error."); + } + +@@ -1764,7 +1775,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs) + smp_processor_id(), + (type & 0x1) ? 'I' : 'D', + regs->tpc); +- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc); ++ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc); + } + + struct sun4v_error_entry { +@@ -1837,8 +1848,8 @@ struct sun4v_error_entry { + /*0x38*/u64 reserved_5; + }; + +-static atomic_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0); +-static atomic_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0); ++static atomic_unchecked_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0); ++static atomic_unchecked_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0); + + static const char *sun4v_err_type_to_str(u8 type) + { +@@ -1930,7 +1941,7 @@ static void sun4v_report_real_raddr(const char *pfx, struct pt_regs *regs) + } + + static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent, +- int cpu, const char *pfx, atomic_t *ocnt) ++ int cpu, const char *pfx, atomic_unchecked_t *ocnt) + { + u64 *raw_ptr = (u64 *) ent; + u32 attrs; +@@ -1988,8 +1999,8 @@ static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent, + + show_regs(regs); + +- if ((cnt = atomic_read(ocnt)) != 0) { +- atomic_set(ocnt, 0); ++ if ((cnt = atomic_read_unchecked(ocnt)) != 0) { ++ atomic_set_unchecked(ocnt, 0); + wmb(); + printk("%s: Queue overflowed %d times.\n", + pfx, cnt); +@@ -2046,7 +2057,7 @@ out: + */ + void sun4v_resum_overflow(struct pt_regs *regs) + { +- atomic_inc(&sun4v_resum_oflow_cnt); ++ atomic_inc_unchecked(&sun4v_resum_oflow_cnt); + } + + /* We run with %pil set to PIL_NORMAL_MAX and PSTATE_IE enabled in %pstate. +@@ -2099,7 +2110,7 @@ void sun4v_nonresum_overflow(struct pt_regs *regs) + /* XXX Actually even this can make not that much sense. Perhaps + * XXX we should just pull the plug and panic directly from here? + */ +- atomic_inc(&sun4v_nonresum_oflow_cnt); ++ atomic_inc_unchecked(&sun4v_nonresum_oflow_cnt); + } + + unsigned long sun4v_err_itlb_vaddr; +@@ -2114,9 +2125,9 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl) + + printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n", + regs->tpc, tl); +- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc); ++ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc); + printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]); +- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n", ++ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n", + (void *) regs->u_regs[UREG_I7]); + printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] " + "pte[%lx] error[%lx]\n", +@@ -2138,9 +2149,9 @@ void sun4v_dtlb_error_report(struct pt_regs *regs, int tl) + + printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n", + regs->tpc, tl); +- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc); ++ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc); + printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]); +- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n", ++ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n", + (void *) regs->u_regs[UREG_I7]); + printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] " + "pte[%lx] error[%lx]\n", +@@ -2359,13 +2370,13 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp) + fp = (unsigned long)sf->fp + STACK_BIAS; + } + +- printk(" [%016lx] %pS\n", pc, (void *) pc); ++ printk(" [%016lx] %pA\n", pc, (void *) pc); + #ifdef CONFIG_FUNCTION_GRAPH_TRACER + if ((pc + 8UL) == (unsigned long) &return_to_handler) { + int index = tsk->curr_ret_stack; + if (tsk->ret_stack && index >= graph) { + pc = tsk->ret_stack[index - graph].ret; +- printk(" [%016lx] %pS\n", pc, (void *) pc); ++ printk(" [%016lx] %pA\n", pc, (void *) pc); + graph++; + } + } +@@ -2383,6 +2394,8 @@ static inline struct reg_window *kernel_stack_up(struct reg_window *rw) + return (struct reg_window *) (fp + STACK_BIAS); + } + ++extern void gr_handle_kernel_exploit(void); ++ + void die_if_kernel(char *str, struct pt_regs *regs) + { + static int die_counter; +@@ -2411,7 +2424,7 @@ void die_if_kernel(char *str, struct pt_regs *regs) + while (rw && + count++ < 30 && + kstack_valid(tp, (unsigned long) rw)) { +- printk("Caller[%016lx]: %pS\n", rw->ins[7], ++ printk("Caller[%016lx]: %pA\n", rw->ins[7], + (void *) rw->ins[7]); + + rw = kernel_stack_up(rw); +@@ -2424,8 +2437,10 @@ void die_if_kernel(char *str, struct pt_regs *regs) + } + user_instruction_dump ((unsigned int __user *) regs->tpc); + } +- if (regs->tstate & TSTATE_PRIV) ++ if (regs->tstate & TSTATE_PRIV) { ++ gr_handle_kernel_exploit(); + do_exit(SIGKILL); ++ } + do_exit(SIGSEGV); + } + EXPORT_SYMBOL(die_if_kernel); +diff --git a/arch/sparc/kernel/unaligned_64.c b/arch/sparc/kernel/unaligned_64.c +index 3c1a7cb..73e1923 100644 +--- a/arch/sparc/kernel/unaligned_64.c ++++ b/arch/sparc/kernel/unaligned_64.c +@@ -289,7 +289,7 @@ static void log_unaligned(struct pt_regs *regs) + static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5); + + if (__ratelimit(&ratelimit)) { +- printk("Kernel unaligned access at TPC[%lx] %pS\n", ++ printk("Kernel unaligned access at TPC[%lx] %pA\n", + regs->tpc, (void *) regs->tpc); + } + } +diff --git a/arch/sparc/lib/Makefile b/arch/sparc/lib/Makefile +index dbe119b..089c7c1 100644 +--- a/arch/sparc/lib/Makefile ++++ b/arch/sparc/lib/Makefile +@@ -2,7 +2,7 @@ + # + + asflags-y := -ansi -DST_DIV0=0x02 +-ccflags-y := -Werror ++#ccflags-y := -Werror + + lib-$(CONFIG_SPARC32) += ashrdi3.o + lib-$(CONFIG_SPARC32) += memcpy.o memset.o +diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S +index 85c233d..68500e0 100644 +--- a/arch/sparc/lib/atomic_64.S ++++ b/arch/sparc/lib/atomic_64.S +@@ -17,7 +17,12 @@ + ENTRY(atomic_add) /* %o0 = increment, %o1 = atomic_ptr */ + BACKOFF_SETUP(%o2) + 1: lduw [%o1], %g1 +- add %g1, %o0, %g7 ++ addcc %g1, %o0, %g7 ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ tvs %icc, 6 ++#endif ++ + cas [%o1], %g1, %g7 + cmp %g1, %g7 + bne,pn %icc, BACKOFF_LABEL(2f, 1b) +@@ -27,10 +32,28 @@ ENTRY(atomic_add) /* %o0 = increment, %o1 = atomic_ptr */ + 2: BACKOFF_SPIN(%o2, %o3, 1b) + ENDPROC(atomic_add) + ++ENTRY(atomic_add_unchecked) /* %o0 = increment, %o1 = atomic_ptr */ ++ BACKOFF_SETUP(%o2) ++1: lduw [%o1], %g1 ++ add %g1, %o0, %g7 ++ cas [%o1], %g1, %g7 ++ cmp %g1, %g7 ++ bne,pn %icc, 2f ++ nop ++ retl ++ nop ++2: BACKOFF_SPIN(%o2, %o3, 1b) ++ENDPROC(atomic_add_unchecked) ++ + ENTRY(atomic_sub) /* %o0 = decrement, %o1 = atomic_ptr */ + BACKOFF_SETUP(%o2) + 1: lduw [%o1], %g1 +- sub %g1, %o0, %g7 ++ subcc %g1, %o0, %g7 ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ tvs %icc, 6 ++#endif ++ + cas [%o1], %g1, %g7 + cmp %g1, %g7 + bne,pn %icc, BACKOFF_LABEL(2f, 1b) +@@ -40,10 +63,28 @@ ENTRY(atomic_sub) /* %o0 = decrement, %o1 = atomic_ptr */ + 2: BACKOFF_SPIN(%o2, %o3, 1b) + ENDPROC(atomic_sub) + ++ENTRY(atomic_sub_unchecked) /* %o0 = decrement, %o1 = atomic_ptr */ ++ BACKOFF_SETUP(%o2) ++1: lduw [%o1], %g1 ++ sub %g1, %o0, %g7 ++ cas [%o1], %g1, %g7 ++ cmp %g1, %g7 ++ bne,pn %icc, 2f ++ nop ++ retl ++ nop ++2: BACKOFF_SPIN(%o2, %o3, 1b) ++ENDPROC(atomic_sub_unchecked) ++ + ENTRY(atomic_add_ret) /* %o0 = increment, %o1 = atomic_ptr */ + BACKOFF_SETUP(%o2) + 1: lduw [%o1], %g1 +- add %g1, %o0, %g7 ++ addcc %g1, %o0, %g7 ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ tvs %icc, 6 ++#endif ++ + cas [%o1], %g1, %g7 + cmp %g1, %g7 + bne,pn %icc, BACKOFF_LABEL(2f, 1b) +@@ -53,10 +94,29 @@ ENTRY(atomic_add_ret) /* %o0 = increment, %o1 = atomic_ptr */ + 2: BACKOFF_SPIN(%o2, %o3, 1b) + ENDPROC(atomic_add_ret) + ++ENTRY(atomic_add_ret_unchecked) /* %o0 = increment, %o1 = atomic_ptr */ ++ BACKOFF_SETUP(%o2) ++1: lduw [%o1], %g1 ++ addcc %g1, %o0, %g7 ++ cas [%o1], %g1, %g7 ++ cmp %g1, %g7 ++ bne,pn %icc, 2f ++ add %g7, %o0, %g7 ++ sra %g7, 0, %o0 ++ retl ++ nop ++2: BACKOFF_SPIN(%o2, %o3, 1b) ++ENDPROC(atomic_add_ret_unchecked) ++ + ENTRY(atomic_sub_ret) /* %o0 = decrement, %o1 = atomic_ptr */ + BACKOFF_SETUP(%o2) + 1: lduw [%o1], %g1 +- sub %g1, %o0, %g7 ++ subcc %g1, %o0, %g7 ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ tvs %icc, 6 ++#endif ++ + cas [%o1], %g1, %g7 + cmp %g1, %g7 + bne,pn %icc, BACKOFF_LABEL(2f, 1b) +@@ -69,7 +129,12 @@ ENDPROC(atomic_sub_ret) + ENTRY(atomic64_add) /* %o0 = increment, %o1 = atomic_ptr */ + BACKOFF_SETUP(%o2) + 1: ldx [%o1], %g1 +- add %g1, %o0, %g7 ++ addcc %g1, %o0, %g7 ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ tvs %xcc, 6 ++#endif ++ + casx [%o1], %g1, %g7 + cmp %g1, %g7 + bne,pn %xcc, BACKOFF_LABEL(2f, 1b) +@@ -79,10 +144,28 @@ ENTRY(atomic64_add) /* %o0 = increment, %o1 = atomic_ptr */ + 2: BACKOFF_SPIN(%o2, %o3, 1b) + ENDPROC(atomic64_add) + ++ENTRY(atomic64_add_unchecked) /* %o0 = increment, %o1 = atomic_ptr */ ++ BACKOFF_SETUP(%o2) ++1: ldx [%o1], %g1 ++ addcc %g1, %o0, %g7 ++ casx [%o1], %g1, %g7 ++ cmp %g1, %g7 ++ bne,pn %xcc, 2f ++ nop ++ retl ++ nop ++2: BACKOFF_SPIN(%o2, %o3, 1b) ++ENDPROC(atomic64_add_unchecked) ++ + ENTRY(atomic64_sub) /* %o0 = decrement, %o1 = atomic_ptr */ + BACKOFF_SETUP(%o2) + 1: ldx [%o1], %g1 +- sub %g1, %o0, %g7 ++ subcc %g1, %o0, %g7 ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ tvs %xcc, 6 ++#endif ++ + casx [%o1], %g1, %g7 + cmp %g1, %g7 + bne,pn %xcc, BACKOFF_LABEL(2f, 1b) +@@ -92,10 +175,28 @@ ENTRY(atomic64_sub) /* %o0 = decrement, %o1 = atomic_ptr */ + 2: BACKOFF_SPIN(%o2, %o3, 1b) + ENDPROC(atomic64_sub) + ++ENTRY(atomic64_sub_unchecked) /* %o0 = decrement, %o1 = atomic_ptr */ ++ BACKOFF_SETUP(%o2) ++1: ldx [%o1], %g1 ++ subcc %g1, %o0, %g7 ++ casx [%o1], %g1, %g7 ++ cmp %g1, %g7 ++ bne,pn %xcc, 2f ++ nop ++ retl ++ nop ++2: BACKOFF_SPIN(%o2, %o3, 1b) ++ENDPROC(atomic64_sub_unchecked) ++ + ENTRY(atomic64_add_ret) /* %o0 = increment, %o1 = atomic_ptr */ + BACKOFF_SETUP(%o2) + 1: ldx [%o1], %g1 +- add %g1, %o0, %g7 ++ addcc %g1, %o0, %g7 ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ tvs %xcc, 6 ++#endif ++ + casx [%o1], %g1, %g7 + cmp %g1, %g7 + bne,pn %xcc, BACKOFF_LABEL(2f, 1b) +@@ -105,10 +206,29 @@ ENTRY(atomic64_add_ret) /* %o0 = increment, %o1 = atomic_ptr */ + 2: BACKOFF_SPIN(%o2, %o3, 1b) + ENDPROC(atomic64_add_ret) + ++ENTRY(atomic64_add_ret_unchecked) /* %o0 = increment, %o1 = atomic_ptr */ ++ BACKOFF_SETUP(%o2) ++1: ldx [%o1], %g1 ++ addcc %g1, %o0, %g7 ++ casx [%o1], %g1, %g7 ++ cmp %g1, %g7 ++ bne,pn %xcc, 2f ++ add %g7, %o0, %g7 ++ mov %g7, %o0 ++ retl ++ nop ++2: BACKOFF_SPIN(%o2, %o3, 1b) ++ENDPROC(atomic64_add_ret_unchecked) ++ + ENTRY(atomic64_sub_ret) /* %o0 = decrement, %o1 = atomic_ptr */ + BACKOFF_SETUP(%o2) + 1: ldx [%o1], %g1 +- sub %g1, %o0, %g7 ++ subcc %g1, %o0, %g7 ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ tvs %xcc, 6 ++#endif ++ + casx [%o1], %g1, %g7 + cmp %g1, %g7 + bne,pn %xcc, BACKOFF_LABEL(2f, 1b) +diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c +index 323335b..ed85ea2 100644 +--- a/arch/sparc/lib/ksyms.c ++++ b/arch/sparc/lib/ksyms.c +@@ -100,12 +100,18 @@ EXPORT_SYMBOL(__clear_user); + + /* Atomic counter implementation. */ + EXPORT_SYMBOL(atomic_add); ++EXPORT_SYMBOL(atomic_add_unchecked); + EXPORT_SYMBOL(atomic_add_ret); ++EXPORT_SYMBOL(atomic_add_ret_unchecked); + EXPORT_SYMBOL(atomic_sub); ++EXPORT_SYMBOL(atomic_sub_unchecked); + EXPORT_SYMBOL(atomic_sub_ret); + EXPORT_SYMBOL(atomic64_add); ++EXPORT_SYMBOL(atomic64_add_unchecked); + EXPORT_SYMBOL(atomic64_add_ret); ++EXPORT_SYMBOL(atomic64_add_ret_unchecked); + EXPORT_SYMBOL(atomic64_sub); ++EXPORT_SYMBOL(atomic64_sub_unchecked); + EXPORT_SYMBOL(atomic64_sub_ret); + EXPORT_SYMBOL(atomic64_dec_if_positive); + +diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile +index 30c3ecc..736f015 100644 +--- a/arch/sparc/mm/Makefile ++++ b/arch/sparc/mm/Makefile +@@ -2,7 +2,7 @@ + # + + asflags-y := -ansi +-ccflags-y := -Werror ++#ccflags-y := -Werror + + obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o gup.o + obj-y += fault_$(BITS).o +diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c +index 59dbd46..1dd7f5e 100644 +--- a/arch/sparc/mm/fault_32.c ++++ b/arch/sparc/mm/fault_32.c +@@ -21,6 +21,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include + #include +@@ -159,6 +162,277 @@ static unsigned long compute_si_addr(struct pt_regs *regs, int text_fault) + return safe_compute_effective_address(regs, insn); + } + ++#ifdef CONFIG_PAX_PAGEEXEC ++#ifdef CONFIG_PAX_DLRESOLVE ++static void pax_emuplt_close(struct vm_area_struct *vma) ++{ ++ vma->vm_mm->call_dl_resolve = 0UL; ++} ++ ++static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf) ++{ ++ unsigned int *kaddr; ++ ++ vmf->page = alloc_page(GFP_HIGHUSER); ++ if (!vmf->page) ++ return VM_FAULT_OOM; ++ ++ kaddr = kmap(vmf->page); ++ memset(kaddr, 0, PAGE_SIZE); ++ kaddr[0] = 0x9DE3BFA8U; /* save */ ++ flush_dcache_page(vmf->page); ++ kunmap(vmf->page); ++ return VM_FAULT_MAJOR; ++} ++ ++static const struct vm_operations_struct pax_vm_ops = { ++ .close = pax_emuplt_close, ++ .fault = pax_emuplt_fault ++}; ++ ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) ++{ ++ int ret; ++ ++ INIT_LIST_HEAD(&vma->anon_vma_chain); ++ vma->vm_mm = current->mm; ++ vma->vm_start = addr; ++ vma->vm_end = addr + PAGE_SIZE; ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC; ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); ++ vma->vm_ops = &pax_vm_ops; ++ ++ ret = insert_vm_struct(current->mm, vma); ++ if (ret) ++ return ret; ++ ++ ++current->mm->total_vm; ++ return 0; ++} ++#endif ++ ++/* ++ * PaX: decide what to do with offenders (regs->pc = fault address) ++ * ++ * returns 1 when task should be killed ++ * 2 when patched PLT trampoline was detected ++ * 3 when unpatched PLT trampoline was detected ++ */ ++static int pax_handle_fetch_fault(struct pt_regs *regs) ++{ ++ ++#ifdef CONFIG_PAX_EMUPLT ++ int err; ++ ++ do { /* PaX: patched PLT emulation #1 */ ++ unsigned int sethi1, sethi2, jmpl; ++ ++ err = get_user(sethi1, (unsigned int *)regs->pc); ++ err |= get_user(sethi2, (unsigned int *)(regs->pc+4)); ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+8)); ++ ++ if (err) ++ break; ++ ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U && ++ (sethi2 & 0xFFC00000U) == 0x03000000U && ++ (jmpl & 0xFFFFE000U) == 0x81C06000U) ++ { ++ unsigned int addr; ++ ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10; ++ addr = regs->u_regs[UREG_G1]; ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U); ++ regs->pc = addr; ++ regs->npc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: patched PLT emulation #2 */ ++ unsigned int ba; ++ ++ err = get_user(ba, (unsigned int *)regs->pc); ++ ++ if (err) ++ break; ++ ++ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) { ++ unsigned int addr; ++ ++ if ((ba & 0xFFC00000U) == 0x30800000U) ++ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2); ++ else ++ addr = regs->pc + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2); ++ regs->pc = addr; ++ regs->npc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: patched PLT emulation #3 */ ++ unsigned int sethi, bajmpl, nop; ++ ++ err = get_user(sethi, (unsigned int *)regs->pc); ++ err |= get_user(bajmpl, (unsigned int *)(regs->pc+4)); ++ err |= get_user(nop, (unsigned int *)(regs->pc+8)); ++ ++ if (err) ++ break; ++ ++ if ((sethi & 0xFFC00000U) == 0x03000000U && ++ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) && ++ nop == 0x01000000U) ++ { ++ unsigned int addr; ++ ++ addr = (sethi & 0x003FFFFFU) << 10; ++ regs->u_regs[UREG_G1] = addr; ++ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U) ++ addr += (((bajmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U); ++ else ++ addr = regs->pc + ((((bajmpl | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2); ++ regs->pc = addr; ++ regs->npc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: unpatched PLT emulation step 1 */ ++ unsigned int sethi, ba, nop; ++ ++ err = get_user(sethi, (unsigned int *)regs->pc); ++ err |= get_user(ba, (unsigned int *)(regs->pc+4)); ++ err |= get_user(nop, (unsigned int *)(regs->pc+8)); ++ ++ if (err) ++ break; ++ ++ if ((sethi & 0xFFC00000U) == 0x03000000U && ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) && ++ nop == 0x01000000U) ++ { ++ unsigned int addr, save, call; ++ ++ if ((ba & 0xFFC00000U) == 0x30800000U) ++ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2); ++ else ++ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2); ++ ++ err = get_user(save, (unsigned int *)addr); ++ err |= get_user(call, (unsigned int *)(addr+4)); ++ err |= get_user(nop, (unsigned int *)(addr+8)); ++ if (err) ++ break; ++ ++#ifdef CONFIG_PAX_DLRESOLVE ++ if (save == 0x9DE3BFA8U && ++ (call & 0xC0000000U) == 0x40000000U && ++ nop == 0x01000000U) ++ { ++ struct vm_area_struct *vma; ++ unsigned long call_dl_resolve; ++ ++ down_read(¤t->mm->mmap_sem); ++ call_dl_resolve = current->mm->call_dl_resolve; ++ up_read(¤t->mm->mmap_sem); ++ if (likely(call_dl_resolve)) ++ goto emulate; ++ ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); ++ ++ down_write(¤t->mm->mmap_sem); ++ if (current->mm->call_dl_resolve) { ++ call_dl_resolve = current->mm->call_dl_resolve; ++ up_write(¤t->mm->mmap_sem); ++ if (vma) ++ kmem_cache_free(vm_area_cachep, vma); ++ goto emulate; ++ } ++ ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE); ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) { ++ up_write(¤t->mm->mmap_sem); ++ if (vma) ++ kmem_cache_free(vm_area_cachep, vma); ++ return 1; ++ } ++ ++ if (pax_insert_vma(vma, call_dl_resolve)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return 1; ++ } ++ ++ current->mm->call_dl_resolve = call_dl_resolve; ++ up_write(¤t->mm->mmap_sem); ++ ++emulate: ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; ++ regs->pc = call_dl_resolve; ++ regs->npc = addr+4; ++ return 3; ++ } ++#endif ++ ++ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */ ++ if ((save & 0xFFC00000U) == 0x05000000U && ++ (call & 0xFFFFE000U) == 0x85C0A000U && ++ nop == 0x01000000U) ++ { ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; ++ regs->u_regs[UREG_G2] = addr + 4; ++ addr = (save & 0x003FFFFFU) << 10; ++ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U); ++ regs->pc = addr; ++ regs->npc = addr+4; ++ return 3; ++ } ++ } ++ } while (0); ++ ++ do { /* PaX: unpatched PLT emulation step 2 */ ++ unsigned int save, call, nop; ++ ++ err = get_user(save, (unsigned int *)(regs->pc-4)); ++ err |= get_user(call, (unsigned int *)regs->pc); ++ err |= get_user(nop, (unsigned int *)(regs->pc+4)); ++ if (err) ++ break; ++ ++ if (save == 0x9DE3BFA8U && ++ (call & 0xC0000000U) == 0x40000000U && ++ nop == 0x01000000U) ++ { ++ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2); ++ ++ regs->u_regs[UREG_RETPC] = regs->pc; ++ regs->pc = dl_resolve; ++ regs->npc = dl_resolve+4; ++ return 3; ++ } ++ } while (0); ++#endif ++ ++ return 1; ++} ++ ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ unsigned long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 8; i++) { ++ unsigned int c; ++ if (get_user(c, (unsigned int *)pc+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%08x ", c); ++ } ++ printk("\n"); ++} ++#endif ++ + static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs, + int text_fault) + { +@@ -229,6 +503,24 @@ good_area: + if (!(vma->vm_flags & VM_WRITE)) + goto bad_area; + } else { ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) { ++ up_read(&mm->mmap_sem); ++ switch (pax_handle_fetch_fault(regs)) { ++ ++#ifdef CONFIG_PAX_EMUPLT ++ case 2: ++ case 3: ++ return; ++#endif ++ ++ } ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]); ++ do_group_exit(SIGKILL); ++ } ++#endif ++ + /* Allow reads even for write-only mappings */ + if (!(vma->vm_flags & (VM_READ | VM_EXEC))) + goto bad_area; +diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c +index 69bb818..6ca35c8 100644 +--- a/arch/sparc/mm/fault_64.c ++++ b/arch/sparc/mm/fault_64.c +@@ -22,6 +22,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include + #include +@@ -75,7 +78,7 @@ static void __kprobes bad_kernel_pc(struct pt_regs *regs, unsigned long vaddr) + printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n", + regs->tpc); + printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]); +- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]); ++ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]); + printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr); + dump_stack(); + unhandled_fault(regs->tpc, current, regs); +@@ -271,6 +274,466 @@ static void noinline __kprobes bogus_32bit_fault_address(struct pt_regs *regs, + show_regs(regs); + } + ++#ifdef CONFIG_PAX_PAGEEXEC ++#ifdef CONFIG_PAX_DLRESOLVE ++static void pax_emuplt_close(struct vm_area_struct *vma) ++{ ++ vma->vm_mm->call_dl_resolve = 0UL; ++} ++ ++static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf) ++{ ++ unsigned int *kaddr; ++ ++ vmf->page = alloc_page(GFP_HIGHUSER); ++ if (!vmf->page) ++ return VM_FAULT_OOM; ++ ++ kaddr = kmap(vmf->page); ++ memset(kaddr, 0, PAGE_SIZE); ++ kaddr[0] = 0x9DE3BFA8U; /* save */ ++ flush_dcache_page(vmf->page); ++ kunmap(vmf->page); ++ return VM_FAULT_MAJOR; ++} ++ ++static const struct vm_operations_struct pax_vm_ops = { ++ .close = pax_emuplt_close, ++ .fault = pax_emuplt_fault ++}; ++ ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr) ++{ ++ int ret; ++ ++ INIT_LIST_HEAD(&vma->anon_vma_chain); ++ vma->vm_mm = current->mm; ++ vma->vm_start = addr; ++ vma->vm_end = addr + PAGE_SIZE; ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC; ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); ++ vma->vm_ops = &pax_vm_ops; ++ ++ ret = insert_vm_struct(current->mm, vma); ++ if (ret) ++ return ret; ++ ++ ++current->mm->total_vm; ++ return 0; ++} ++#endif ++ ++/* ++ * PaX: decide what to do with offenders (regs->tpc = fault address) ++ * ++ * returns 1 when task should be killed ++ * 2 when patched PLT trampoline was detected ++ * 3 when unpatched PLT trampoline was detected ++ */ ++static int pax_handle_fetch_fault(struct pt_regs *regs) ++{ ++ ++#ifdef CONFIG_PAX_EMUPLT ++ int err; ++ ++ do { /* PaX: patched PLT emulation #1 */ ++ unsigned int sethi1, sethi2, jmpl; ++ ++ err = get_user(sethi1, (unsigned int *)regs->tpc); ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4)); ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8)); ++ ++ if (err) ++ break; ++ ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U && ++ (sethi2 & 0xFFC00000U) == 0x03000000U && ++ (jmpl & 0xFFFFE000U) == 0x81C06000U) ++ { ++ unsigned long addr; ++ ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10; ++ addr = regs->u_regs[UREG_G1]; ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL); ++ ++ if (test_thread_flag(TIF_32BIT)) ++ addr &= 0xFFFFFFFFUL; ++ ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: patched PLT emulation #2 */ ++ unsigned int ba; ++ ++ err = get_user(ba, (unsigned int *)regs->tpc); ++ ++ if (err) ++ break; ++ ++ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) { ++ unsigned long addr; ++ ++ if ((ba & 0xFFC00000U) == 0x30800000U) ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2); ++ else ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2); ++ ++ if (test_thread_flag(TIF_32BIT)) ++ addr &= 0xFFFFFFFFUL; ++ ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: patched PLT emulation #3 */ ++ unsigned int sethi, bajmpl, nop; ++ ++ err = get_user(sethi, (unsigned int *)regs->tpc); ++ err |= get_user(bajmpl, (unsigned int *)(regs->tpc+4)); ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8)); ++ ++ if (err) ++ break; ++ ++ if ((sethi & 0xFFC00000U) == 0x03000000U && ++ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) && ++ nop == 0x01000000U) ++ { ++ unsigned long addr; ++ ++ addr = (sethi & 0x003FFFFFU) << 10; ++ regs->u_regs[UREG_G1] = addr; ++ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U) ++ addr += (((bajmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL); ++ else ++ addr = regs->tpc + ((((bajmpl | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2); ++ ++ if (test_thread_flag(TIF_32BIT)) ++ addr &= 0xFFFFFFFFUL; ++ ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: patched PLT emulation #4 */ ++ unsigned int sethi, mov1, call, mov2; ++ ++ err = get_user(sethi, (unsigned int *)regs->tpc); ++ err |= get_user(mov1, (unsigned int *)(regs->tpc+4)); ++ err |= get_user(call, (unsigned int *)(regs->tpc+8)); ++ err |= get_user(mov2, (unsigned int *)(regs->tpc+12)); ++ ++ if (err) ++ break; ++ ++ if ((sethi & 0xFFC00000U) == 0x03000000U && ++ mov1 == 0x8210000FU && ++ (call & 0xC0000000U) == 0x40000000U && ++ mov2 == 0x9E100001U) ++ { ++ unsigned long addr; ++ ++ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC]; ++ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2); ++ ++ if (test_thread_flag(TIF_32BIT)) ++ addr &= 0xFFFFFFFFUL; ++ ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: patched PLT emulation #5 */ ++ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop; ++ ++ err = get_user(sethi, (unsigned int *)regs->tpc); ++ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4)); ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8)); ++ err |= get_user(or1, (unsigned int *)(regs->tpc+12)); ++ err |= get_user(or2, (unsigned int *)(regs->tpc+16)); ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+20)); ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24)); ++ err |= get_user(nop, (unsigned int *)(regs->tpc+28)); ++ ++ if (err) ++ break; ++ ++ if ((sethi & 0xFFC00000U) == 0x03000000U && ++ (sethi1 & 0xFFC00000U) == 0x03000000U && ++ (sethi2 & 0xFFC00000U) == 0x0B000000U && ++ (or1 & 0xFFFFE000U) == 0x82106000U && ++ (or2 & 0xFFFFE000U) == 0x8A116000U && ++ sllx == 0x83287020U && ++ jmpl == 0x81C04005U && ++ nop == 0x01000000U) ++ { ++ unsigned long addr; ++ ++ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU); ++ regs->u_regs[UREG_G1] <<= 32; ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU); ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5]; ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: patched PLT emulation #6 */ ++ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop; ++ ++ err = get_user(sethi, (unsigned int *)regs->tpc); ++ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4)); ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8)); ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+12)); ++ err |= get_user(or, (unsigned int *)(regs->tpc+16)); ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20)); ++ err |= get_user(nop, (unsigned int *)(regs->tpc+24)); ++ ++ if (err) ++ break; ++ ++ if ((sethi & 0xFFC00000U) == 0x03000000U && ++ (sethi1 & 0xFFC00000U) == 0x03000000U && ++ (sethi2 & 0xFFC00000U) == 0x0B000000U && ++ sllx == 0x83287020U && ++ (or & 0xFFFFE000U) == 0x8A116000U && ++ jmpl == 0x81C04005U && ++ nop == 0x01000000U) ++ { ++ unsigned long addr; ++ ++ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10; ++ regs->u_regs[UREG_G1] <<= 32; ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU); ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5]; ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: unpatched PLT emulation step 1 */ ++ unsigned int sethi, ba, nop; ++ ++ err = get_user(sethi, (unsigned int *)regs->tpc); ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4)); ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8)); ++ ++ if (err) ++ break; ++ ++ if ((sethi & 0xFFC00000U) == 0x03000000U && ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) && ++ nop == 0x01000000U) ++ { ++ unsigned long addr; ++ unsigned int save, call; ++ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl; ++ ++ if ((ba & 0xFFC00000U) == 0x30800000U) ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2); ++ else ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2); ++ ++ if (test_thread_flag(TIF_32BIT)) ++ addr &= 0xFFFFFFFFUL; ++ ++ err = get_user(save, (unsigned int *)addr); ++ err |= get_user(call, (unsigned int *)(addr+4)); ++ err |= get_user(nop, (unsigned int *)(addr+8)); ++ if (err) ++ break; ++ ++#ifdef CONFIG_PAX_DLRESOLVE ++ if (save == 0x9DE3BFA8U && ++ (call & 0xC0000000U) == 0x40000000U && ++ nop == 0x01000000U) ++ { ++ struct vm_area_struct *vma; ++ unsigned long call_dl_resolve; ++ ++ down_read(¤t->mm->mmap_sem); ++ call_dl_resolve = current->mm->call_dl_resolve; ++ up_read(¤t->mm->mmap_sem); ++ if (likely(call_dl_resolve)) ++ goto emulate; ++ ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); ++ ++ down_write(¤t->mm->mmap_sem); ++ if (current->mm->call_dl_resolve) { ++ call_dl_resolve = current->mm->call_dl_resolve; ++ up_write(¤t->mm->mmap_sem); ++ if (vma) ++ kmem_cache_free(vm_area_cachep, vma); ++ goto emulate; ++ } ++ ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE); ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) { ++ up_write(¤t->mm->mmap_sem); ++ if (vma) ++ kmem_cache_free(vm_area_cachep, vma); ++ return 1; ++ } ++ ++ if (pax_insert_vma(vma, call_dl_resolve)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return 1; ++ } ++ ++ current->mm->call_dl_resolve = call_dl_resolve; ++ up_write(¤t->mm->mmap_sem); ++ ++emulate: ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; ++ regs->tpc = call_dl_resolve; ++ regs->tnpc = addr+4; ++ return 3; ++ } ++#endif ++ ++ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */ ++ if ((save & 0xFFC00000U) == 0x05000000U && ++ (call & 0xFFFFE000U) == 0x85C0A000U && ++ nop == 0x01000000U) ++ { ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; ++ regs->u_regs[UREG_G2] = addr + 4; ++ addr = (save & 0x003FFFFFU) << 10; ++ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL); ++ ++ if (test_thread_flag(TIF_32BIT)) ++ addr &= 0xFFFFFFFFUL; ++ ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 3; ++ } ++ ++ /* PaX: 64-bit PLT stub */ ++ err = get_user(sethi1, (unsigned int *)addr); ++ err |= get_user(sethi2, (unsigned int *)(addr+4)); ++ err |= get_user(or1, (unsigned int *)(addr+8)); ++ err |= get_user(or2, (unsigned int *)(addr+12)); ++ err |= get_user(sllx, (unsigned int *)(addr+16)); ++ err |= get_user(add, (unsigned int *)(addr+20)); ++ err |= get_user(jmpl, (unsigned int *)(addr+24)); ++ err |= get_user(nop, (unsigned int *)(addr+28)); ++ if (err) ++ break; ++ ++ if ((sethi1 & 0xFFC00000U) == 0x09000000U && ++ (sethi2 & 0xFFC00000U) == 0x0B000000U && ++ (or1 & 0xFFFFE000U) == 0x88112000U && ++ (or2 & 0xFFFFE000U) == 0x8A116000U && ++ sllx == 0x89293020U && ++ add == 0x8A010005U && ++ jmpl == 0x89C14000U && ++ nop == 0x01000000U) ++ { ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10; ++ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU); ++ regs->u_regs[UREG_G4] <<= 32; ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU); ++ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4]; ++ regs->u_regs[UREG_G4] = addr + 24; ++ addr = regs->u_regs[UREG_G5]; ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 3; ++ } ++ } ++ } while (0); ++ ++#ifdef CONFIG_PAX_DLRESOLVE ++ do { /* PaX: unpatched PLT emulation step 2 */ ++ unsigned int save, call, nop; ++ ++ err = get_user(save, (unsigned int *)(regs->tpc-4)); ++ err |= get_user(call, (unsigned int *)regs->tpc); ++ err |= get_user(nop, (unsigned int *)(regs->tpc+4)); ++ if (err) ++ break; ++ ++ if (save == 0x9DE3BFA8U && ++ (call & 0xC0000000U) == 0x40000000U && ++ nop == 0x01000000U) ++ { ++ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2); ++ ++ if (test_thread_flag(TIF_32BIT)) ++ dl_resolve &= 0xFFFFFFFFUL; ++ ++ regs->u_regs[UREG_RETPC] = regs->tpc; ++ regs->tpc = dl_resolve; ++ regs->tnpc = dl_resolve+4; ++ return 3; ++ } ++ } while (0); ++#endif ++ ++ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */ ++ unsigned int sethi, ba, nop; ++ ++ err = get_user(sethi, (unsigned int *)regs->tpc); ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4)); ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8)); ++ ++ if (err) ++ break; ++ ++ if ((sethi & 0xFFC00000U) == 0x03000000U && ++ (ba & 0xFFF00000U) == 0x30600000U && ++ nop == 0x01000000U) ++ { ++ unsigned long addr; ++ ++ addr = (sethi & 0x003FFFFFU) << 10; ++ regs->u_regs[UREG_G1] = addr; ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2); ++ ++ if (test_thread_flag(TIF_32BIT)) ++ addr &= 0xFFFFFFFFUL; ++ ++ regs->tpc = addr; ++ regs->tnpc = addr+4; ++ return 2; ++ } ++ } while (0); ++ ++#endif ++ ++ return 1; ++} ++ ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ unsigned long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 8; i++) { ++ unsigned int c; ++ if (get_user(c, (unsigned int *)pc+i)) ++ printk(KERN_CONT "???????? "); ++ else ++ printk(KERN_CONT "%08x ", c); ++ } ++ printk("\n"); ++} ++#endif ++ + asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs) + { + enum ctx_state prev_state = exception_enter(); +@@ -344,6 +807,29 @@ retry: + if (!vma) + goto bad_area; + ++#ifdef CONFIG_PAX_PAGEEXEC ++ /* PaX: detect ITLB misses on non-exec pages */ ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address && ++ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB)) ++ { ++ if (address != regs->tpc) ++ goto good_area; ++ ++ up_read(&mm->mmap_sem); ++ switch (pax_handle_fetch_fault(regs)) { ++ ++#ifdef CONFIG_PAX_EMUPLT ++ case 2: ++ case 3: ++ return; ++#endif ++ ++ } ++ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS)); ++ do_group_exit(SIGKILL); ++ } ++#endif ++ + /* Pure DTLB misses do not tell us whether the fault causing + * load/store/atomic was a write or not, it only says that there + * was no match. So in such a case we (carefully) read the +diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c +index 9bd9ce8..a502d99 100644 +--- a/arch/sparc/mm/hugetlbpage.c ++++ b/arch/sparc/mm/hugetlbpage.c +@@ -25,7 +25,8 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, + unsigned long addr, + unsigned long len, + unsigned long pgoff, +- unsigned long flags) ++ unsigned long flags, ++ unsigned long offset) + { + unsigned long task_size = TASK_SIZE; + struct vm_unmapped_area_info info; +@@ -35,15 +36,22 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, + + info.flags = 0; + info.length = len; +- info.low_limit = TASK_UNMAPPED_BASE; ++ info.low_limit = mm->mmap_base; + info.high_limit = min(task_size, VA_EXCLUDE_START); + info.align_mask = PAGE_MASK & ~HPAGE_MASK; + info.align_offset = 0; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + + if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) { + VM_BUG_ON(addr != -ENOMEM); + info.low_limit = VA_EXCLUDE_END; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ info.low_limit += mm->delta_mmap; ++#endif ++ + info.high_limit = task_size; + addr = vm_unmapped_area(&info); + } +@@ -55,7 +63,8 @@ static unsigned long + hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + const unsigned long len, + const unsigned long pgoff, +- const unsigned long flags) ++ const unsigned long flags, ++ const unsigned long offset) + { + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; +@@ -70,6 +79,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.high_limit = mm->mmap_base; + info.align_mask = PAGE_MASK & ~HPAGE_MASK; + info.align_offset = 0; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + + /* +@@ -82,6 +92,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + VM_BUG_ON(addr != -ENOMEM); + info.flags = 0; + info.low_limit = TASK_UNMAPPED_BASE; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ info.low_limit += mm->delta_mmap; ++#endif ++ + info.high_limit = STACK_TOP32; + addr = vm_unmapped_area(&info); + } +@@ -96,6 +112,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + unsigned long task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); + + if (test_thread_flag(TIF_32BIT)) + task_size = STACK_TOP32; +@@ -111,19 +128,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + return addr; + } + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + addr = ALIGN(addr, HPAGE_SIZE); + vma = find_vma(mm, addr); +- if (task_size - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + if (mm->get_unmapped_area == arch_get_unmapped_area) + return hugetlb_get_unmapped_area_bottomup(file, addr, len, +- pgoff, flags); ++ pgoff, flags, offset); + else + return hugetlb_get_unmapped_area_topdown(file, addr, len, +- pgoff, flags); ++ pgoff, flags, offset); + } + + pte_t *huge_pte_alloc(struct mm_struct *mm, +diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c +index eafbc65..5a8070d 100644 +--- a/arch/sparc/mm/init_64.c ++++ b/arch/sparc/mm/init_64.c +@@ -188,9 +188,9 @@ unsigned long sparc64_kern_sec_context __read_mostly; + int num_kernel_image_mappings; + + #ifdef CONFIG_DEBUG_DCFLUSH +-atomic_t dcpage_flushes = ATOMIC_INIT(0); ++atomic_unchecked_t dcpage_flushes = ATOMIC_INIT(0); + #ifdef CONFIG_SMP +-atomic_t dcpage_flushes_xcall = ATOMIC_INIT(0); ++atomic_unchecked_t dcpage_flushes_xcall = ATOMIC_INIT(0); + #endif + #endif + +@@ -198,7 +198,7 @@ inline void flush_dcache_page_impl(struct page *page) + { + BUG_ON(tlb_type == hypervisor); + #ifdef CONFIG_DEBUG_DCFLUSH +- atomic_inc(&dcpage_flushes); ++ atomic_inc_unchecked(&dcpage_flushes); + #endif + + #ifdef DCACHE_ALIASING_POSSIBLE +@@ -466,10 +466,10 @@ void mmu_info(struct seq_file *m) + + #ifdef CONFIG_DEBUG_DCFLUSH + seq_printf(m, "DCPageFlushes\t: %d\n", +- atomic_read(&dcpage_flushes)); ++ atomic_read_unchecked(&dcpage_flushes)); + #ifdef CONFIG_SMP + seq_printf(m, "DCPageFlushesXC\t: %d\n", +- atomic_read(&dcpage_flushes_xcall)); ++ atomic_read_unchecked(&dcpage_flushes_xcall)); + #endif /* CONFIG_SMP */ + #endif /* CONFIG_DEBUG_DCFLUSH */ + } +diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig +index b3692ce..e4517c9 100644 +--- a/arch/tile/Kconfig ++++ b/arch/tile/Kconfig +@@ -184,6 +184,7 @@ source "kernel/Kconfig.hz" + + config KEXEC + bool "kexec system call" ++ depends on !GRKERNSEC_KMEM + ---help--- + kexec is a system call that implements the ability to shutdown your + current kernel, and to start another kernel. It is like a reboot +diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h +index ad220ee..2f537b3 100644 +--- a/arch/tile/include/asm/atomic_64.h ++++ b/arch/tile/include/asm/atomic_64.h +@@ -105,6 +105,16 @@ static inline long atomic64_add_unless(atomic64_t *v, long a, long u) + + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + /* Atomic dec and inc don't implement barrier, so provide them if needed. */ + #define smp_mb__before_atomic_dec() smp_mb() + #define smp_mb__after_atomic_dec() smp_mb() +diff --git a/arch/tile/include/asm/cache.h b/arch/tile/include/asm/cache.h +index 6160761..00cac88 100644 +--- a/arch/tile/include/asm/cache.h ++++ b/arch/tile/include/asm/cache.h +@@ -15,11 +15,12 @@ + #ifndef _ASM_TILE_CACHE_H + #define _ASM_TILE_CACHE_H + ++#include + #include + + /* bytes per L1 data cache line */ + #define L1_CACHE_SHIFT CHIP_L1D_LOG_LINE_SIZE() +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + /* bytes per L2 cache line */ + #define L2_CACHE_SHIFT CHIP_L2_LOG_LINE_SIZE() +diff --git a/arch/tile/include/asm/uaccess.h b/arch/tile/include/asm/uaccess.h +index b6cde32..c0cb736 100644 +--- a/arch/tile/include/asm/uaccess.h ++++ b/arch/tile/include/asm/uaccess.h +@@ -414,9 +414,9 @@ static inline unsigned long __must_check copy_from_user(void *to, + const void __user *from, + unsigned long n) + { +- int sz = __compiletime_object_size(to); ++ size_t sz = __compiletime_object_size(to); + +- if (likely(sz == -1 || sz >= n)) ++ if (likely(sz == (size_t)-1 || sz >= n)) + n = _copy_from_user(to, from, n); + else + copy_from_user_overflow(); +diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c +index 0cb3bba..7338b2d 100644 +--- a/arch/tile/mm/hugetlbpage.c ++++ b/arch/tile/mm/hugetlbpage.c +@@ -212,6 +212,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, + info.high_limit = TASK_SIZE; + info.align_mask = PAGE_MASK & ~huge_page_mask(h); + info.align_offset = 0; ++ info.threadstack_offset = 0; + return vm_unmapped_area(&info); + } + +@@ -229,6 +230,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, + info.high_limit = current->mm->mmap_base; + info.align_mask = PAGE_MASK & ~huge_page_mask(h); + info.align_offset = 0; ++ info.threadstack_offset = 0; + addr = vm_unmapped_area(&info); + + /* +diff --git a/arch/um/Makefile b/arch/um/Makefile +index 36e658a..71a5c5a 100644 +--- a/arch/um/Makefile ++++ b/arch/um/Makefile +@@ -72,6 +72,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -D__KERNEL__,,\ + $(patsubst -I%,,$(KBUILD_CFLAGS)))) $(ARCH_INCLUDE) $(MODE_INCLUDE) \ + $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64 -idirafter include + ++ifdef CONSTIFY_PLUGIN ++USER_CFLAGS += -fplugin-arg-constify_plugin-no-constify ++endif ++ + #This will adjust *FLAGS accordingly to the platform. + include $(srctree)/$(ARCH_DIR)/Makefile-os-$(OS) + +diff --git a/arch/um/include/asm/cache.h b/arch/um/include/asm/cache.h +index 19e1bdd..3665b77 100644 +--- a/arch/um/include/asm/cache.h ++++ b/arch/um/include/asm/cache.h +@@ -1,6 +1,7 @@ + #ifndef __UM_CACHE_H + #define __UM_CACHE_H + ++#include + + #if defined(CONFIG_UML_X86) && !defined(CONFIG_64BIT) + # define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT) +@@ -12,6 +13,6 @@ + # define L1_CACHE_SHIFT 5 + #endif + +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #endif +diff --git a/arch/um/include/asm/kmap_types.h b/arch/um/include/asm/kmap_types.h +index 2e0a6b1..a64d0f5 100644 +--- a/arch/um/include/asm/kmap_types.h ++++ b/arch/um/include/asm/kmap_types.h +@@ -8,6 +8,6 @@ + + /* No more #include "asm/arch/kmap_types.h" ! */ + +-#define KM_TYPE_NR 14 ++#define KM_TYPE_NR 15 + + #endif +diff --git a/arch/um/include/asm/page.h b/arch/um/include/asm/page.h +index 5ff53d9..5850cdf 100644 +--- a/arch/um/include/asm/page.h ++++ b/arch/um/include/asm/page.h +@@ -14,6 +14,9 @@ + #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT) + #define PAGE_MASK (~(PAGE_SIZE-1)) + ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + #ifndef __ASSEMBLY__ + + struct page; +diff --git a/arch/um/include/asm/pgtable-3level.h b/arch/um/include/asm/pgtable-3level.h +index 0032f92..cd151e0 100644 +--- a/arch/um/include/asm/pgtable-3level.h ++++ b/arch/um/include/asm/pgtable-3level.h +@@ -58,6 +58,7 @@ + #define pud_present(x) (pud_val(x) & _PAGE_PRESENT) + #define pud_populate(mm, pud, pmd) \ + set_pud(pud, __pud(_PAGE_TABLE + __pa(pmd))) ++#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd)) + + #ifdef CONFIG_64BIT + #define set_pud(pudptr, pudval) set_64bit((u64 *) (pudptr), pud_val(pudval)) +diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c +index eecc414..48adb87 100644 +--- a/arch/um/kernel/process.c ++++ b/arch/um/kernel/process.c +@@ -356,22 +356,6 @@ int singlestepping(void * t) + return 2; + } + +-/* +- * Only x86 and x86_64 have an arch_align_stack(). +- * All other arches have "#define arch_align_stack(x) (x)" +- * in their asm/system.h +- * As this is included in UML from asm-um/system-generic.h, +- * we can use it to behave as the subarch does. +- */ +-#ifndef arch_align_stack +-unsigned long arch_align_stack(unsigned long sp) +-{ +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) +- sp -= get_random_int() % 8192; +- return sp & ~0xf; +-} +-#endif +- + unsigned long get_wchan(struct task_struct *p) + { + unsigned long stack_page, sp, ip; +diff --git a/arch/unicore32/include/asm/cache.h b/arch/unicore32/include/asm/cache.h +index ad8f795..2c7eec6 100644 +--- a/arch/unicore32/include/asm/cache.h ++++ b/arch/unicore32/include/asm/cache.h +@@ -12,8 +12,10 @@ + #ifndef __UNICORE_CACHE_H__ + #define __UNICORE_CACHE_H__ + +-#define L1_CACHE_SHIFT (5) +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#include ++ ++#define L1_CACHE_SHIFT 5 ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + /* + * Memory returned by kmalloc() may be used for DMA, so we must make +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 0af5250..59f9597 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -126,7 +126,7 @@ config X86 + select RTC_LIB + select HAVE_DEBUG_STACKOVERFLOW + select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64 +- select HAVE_CC_STACKPROTECTOR ++ select HAVE_CC_STACKPROTECTOR if X86_64 || !PAX_MEMORY_UDEREF + + config INSTRUCTION_DECODER + def_bool y +@@ -251,7 +251,7 @@ config X86_HT + + config X86_32_LAZY_GS + def_bool y +- depends on X86_32 && !CC_STACKPROTECTOR ++ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF + + config ARCH_HWEIGHT_CFLAGS + string +@@ -589,6 +589,7 @@ config SCHED_OMIT_FRAME_POINTER + + menuconfig HYPERVISOR_GUEST + bool "Linux guest support" ++ depends on !GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_VIRT_GUEST || (GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_XEN) + ---help--- + Say Y here to enable options for running Linux under various hyper- + visors. This option enables basic hypervisor detection and platform +@@ -1111,7 +1112,7 @@ choice + + config NOHIGHMEM + bool "off" +- depends on !X86_NUMAQ ++ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE) + ---help--- + Linux can use up to 64 Gigabytes of physical memory on x86 systems. + However, the address space of 32-bit x86 processors is only 4 +@@ -1148,7 +1149,7 @@ config NOHIGHMEM + + config HIGHMEM4G + bool "4GB" +- depends on !X86_NUMAQ ++ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE) + ---help--- + Select this if you have a 32-bit processor and between 1 and 4 + gigabytes of physical RAM. +@@ -1201,7 +1202,7 @@ config PAGE_OFFSET + hex + default 0xB0000000 if VMSPLIT_3G_OPT + default 0x80000000 if VMSPLIT_2G +- default 0x78000000 if VMSPLIT_2G_OPT ++ default 0x70000000 if VMSPLIT_2G_OPT + default 0x40000000 if VMSPLIT_1G + default 0xC0000000 + depends on X86_32 +@@ -1605,6 +1606,7 @@ source kernel/Kconfig.hz + + config KEXEC + bool "kexec system call" ++ depends on !GRKERNSEC_KMEM + ---help--- + kexec is a system call that implements the ability to shutdown your + current kernel, and to start another kernel. It is like a reboot +@@ -1756,7 +1758,9 @@ config X86_NEED_RELOCS + + config PHYSICAL_ALIGN + hex "Alignment value to which kernel should be aligned" +- default "0x200000" ++ default "0x1000000" ++ range 0x200000 0x1000000 if PAX_KERNEXEC && X86_PAE ++ range 0x400000 0x1000000 if PAX_KERNEXEC && !X86_PAE + range 0x2000 0x1000000 if X86_32 + range 0x200000 0x1000000 if X86_64 + ---help--- +@@ -1836,9 +1840,10 @@ config DEBUG_HOTPLUG_CPU0 + If unsure, say N. + + config COMPAT_VDSO +- def_bool y ++ def_bool n + prompt "Compat VDSO support" + depends on X86_32 || IA32_EMULATION ++ depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF + ---help--- + Map the 32-bit VDSO to the predictable old-style address too. + +diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu +index f3aaf23..a1d3c49 100644 +--- a/arch/x86/Kconfig.cpu ++++ b/arch/x86/Kconfig.cpu +@@ -319,7 +319,7 @@ config X86_PPRO_FENCE + + config X86_F00F_BUG + def_bool y +- depends on M586MMX || M586TSC || M586 || M486 ++ depends on (M586MMX || M586TSC || M586 || M486) && !PAX_KERNEXEC + + config X86_INVD_BUG + def_bool y +@@ -327,7 +327,7 @@ config X86_INVD_BUG + + config X86_ALIGNMENT_16 + def_bool y +- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1 ++ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1 + + config X86_INTEL_USERCOPY + def_bool y +@@ -369,7 +369,7 @@ config X86_CMPXCHG64 + # generates cmov. + config X86_CMOV + def_bool y +- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) ++ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) + + config X86_MINIMUM_CPU_FAMILY + int +diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug +index 321a52c..3d51a5e 100644 +--- a/arch/x86/Kconfig.debug ++++ b/arch/x86/Kconfig.debug +@@ -84,7 +84,7 @@ config X86_PTDUMP + config DEBUG_RODATA + bool "Write protect kernel read-only data structures" + default y +- depends on DEBUG_KERNEL ++ depends on DEBUG_KERNEL && BROKEN + ---help--- + Mark the kernel read-only data as write-protected in the pagetables, + in order to catch accidental (and incorrect) writes to such const +@@ -102,7 +102,7 @@ config DEBUG_RODATA_TEST + + config DEBUG_SET_MODULE_RONX + bool "Set loadable kernel module data as NX and text as RO" +- depends on MODULES ++ depends on MODULES && BROKEN + ---help--- + This option helps catch unintended modifications to loadable + kernel module's text and read-only data. It also prevents execution +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index eeda43a..5a238be 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -71,14 +71,12 @@ ifeq ($(CONFIG_X86_32),y) + # CPU-specific tuning. Anything which can be shared with UML should go here. + include $(srctree)/arch/x86/Makefile_32.cpu + KBUILD_CFLAGS += $(cflags-y) +- +- # temporary until string.h is fixed +- KBUILD_CFLAGS += -ffreestanding + else + BITS := 64 + UTS_MACHINE := x86_64 + CHECKFLAGS += -D__x86_64__ -m64 + ++ biarch := $(call cc-option,-m64) + KBUILD_AFLAGS += -m64 + KBUILD_CFLAGS += -m64 + +@@ -111,6 +109,9 @@ else + KBUILD_CFLAGS += -maccumulate-outgoing-args + endif + ++# temporary until string.h is fixed ++KBUILD_CFLAGS += -ffreestanding ++ + # Make sure compiler does not have buggy stack-protector support. + ifdef CONFIG_CC_STACKPROTECTOR + cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh +@@ -267,3 +268,12 @@ define archhelp + echo ' FDINITRD=file initrd for the booted kernel' + echo ' kvmconfig - Enable additional options for guest kernel support' + endef ++ ++define OLD_LD ++ ++*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils. ++*** Please upgrade your binutils to 2.18 or newer ++endef ++ ++archprepare: ++ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD))) +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile +index 878df7e..a803913 100644 +--- a/arch/x86/boot/Makefile ++++ b/arch/x86/boot/Makefile +@@ -52,6 +52,9 @@ $(obj)/cpustr.h: $(obj)/mkcpustr FORCE + # --------------------------------------------------------------------------- + + KBUILD_CFLAGS := $(USERINCLUDE) $(REALMODE_CFLAGS) -D_SETUP ++ifdef CONSTIFY_PLUGIN ++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify ++endif + KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ + GCOV_PROFILE := n + +diff --git a/arch/x86/boot/bitops.h b/arch/x86/boot/bitops.h +index 878e4b9..20537ab 100644 +--- a/arch/x86/boot/bitops.h ++++ b/arch/x86/boot/bitops.h +@@ -26,7 +26,7 @@ static inline int variable_test_bit(int nr, const void *addr) + u8 v; + const u32 *p = (const u32 *)addr; + +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr)); ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr)); + return v; + } + +@@ -37,7 +37,7 @@ static inline int variable_test_bit(int nr, const void *addr) + + static inline void set_bit(int nr, void *addr) + { +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr)); ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr)); + } + + #endif /* BOOT_BITOPS_H */ +diff --git a/arch/x86/boot/boot.h b/arch/x86/boot/boot.h +index 50f8c5e..4f84fff 100644 +--- a/arch/x86/boot/boot.h ++++ b/arch/x86/boot/boot.h +@@ -84,7 +84,7 @@ static inline void io_delay(void) + static inline u16 ds(void) + { + u16 seg; +- asm("movw %%ds,%0" : "=rm" (seg)); ++ asm volatile("movw %%ds,%0" : "=rm" (seg)); + return seg; + } + +@@ -180,7 +180,7 @@ static inline void wrgs32(u32 v, addr_t addr) + static inline int memcmp(const void *s1, const void *s2, size_t len) + { + u8 diff; +- asm("repe; cmpsb; setnz %0" ++ asm volatile("repe; cmpsb; setnz %0" + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len)); + return diff; + } +diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile +index 0fcd913..3bb5c42 100644 +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -16,6 +16,9 @@ KBUILD_CFLAGS += $(cflags-y) + KBUILD_CFLAGS += -mno-mmx -mno-sse + KBUILD_CFLAGS += $(call cc-option,-ffreestanding) + KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector) ++ifdef CONSTIFY_PLUGIN ++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify ++endif + + KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ + GCOV_PROFILE := n +diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S +index a53440e..c3dbf1e 100644 +--- a/arch/x86/boot/compressed/efi_stub_32.S ++++ b/arch/x86/boot/compressed/efi_stub_32.S +@@ -46,16 +46,13 @@ ENTRY(efi_call_phys) + * parameter 2, ..., param n. To make things easy, we save the return + * address of efi_call_phys in a global variable. + */ +- popl %ecx +- movl %ecx, saved_return_addr(%edx) +- /* get the function pointer into ECX*/ +- popl %ecx +- movl %ecx, efi_rt_function_ptr(%edx) ++ popl saved_return_addr(%edx) ++ popl efi_rt_function_ptr(%edx) + + /* + * 3. Call the physical function. + */ +- call *%ecx ++ call *efi_rt_function_ptr(%edx) + + /* + * 4. Balance the stack. And because EAX contain the return value, +@@ -67,15 +64,12 @@ ENTRY(efi_call_phys) + 1: popl %edx + subl $1b, %edx + +- movl efi_rt_function_ptr(%edx), %ecx +- pushl %ecx ++ pushl efi_rt_function_ptr(%edx) + + /* + * 10. Push the saved return address onto the stack and return. + */ +- movl saved_return_addr(%edx), %ecx +- pushl %ecx +- ret ++ jmpl *saved_return_addr(%edx) + ENDPROC(efi_call_phys) + .previous + +diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S +index 9116aac..abbcdb1 100644 +--- a/arch/x86/boot/compressed/head_32.S ++++ b/arch/x86/boot/compressed/head_32.S +@@ -117,10 +117,10 @@ preferred_addr: + addl %eax, %ebx + notl %eax + andl %eax, %ebx +- cmpl $LOAD_PHYSICAL_ADDR, %ebx ++ cmpl $____LOAD_PHYSICAL_ADDR, %ebx + jge 1f + #endif +- movl $LOAD_PHYSICAL_ADDR, %ebx ++ movl $____LOAD_PHYSICAL_ADDR, %ebx + 1: + + /* Target address to relocate to for decompression */ +diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S +index c5c1ae0..2e76d0e 100644 +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -94,10 +94,10 @@ ENTRY(startup_32) + addl %eax, %ebx + notl %eax + andl %eax, %ebx +- cmpl $LOAD_PHYSICAL_ADDR, %ebx ++ cmpl $____LOAD_PHYSICAL_ADDR, %ebx + jge 1f + #endif +- movl $LOAD_PHYSICAL_ADDR, %ebx ++ movl $____LOAD_PHYSICAL_ADDR, %ebx + 1: + + /* Target address to relocate to for decompression */ +@@ -271,10 +271,10 @@ preferred_addr: + addq %rax, %rbp + notq %rax + andq %rax, %rbp +- cmpq $LOAD_PHYSICAL_ADDR, %rbp ++ cmpq $____LOAD_PHYSICAL_ADDR, %rbp + jge 1f + #endif +- movq $LOAD_PHYSICAL_ADDR, %rbp ++ movq $____LOAD_PHYSICAL_ADDR, %rbp + 1: + + /* Target address to relocate to for decompression */ +@@ -366,8 +366,8 @@ gdt: + .long gdt + .word 0 + .quad 0x0000000000000000 /* NULL descriptor */ +- .quad 0x00af9a000000ffff /* __KERNEL_CS */ +- .quad 0x00cf92000000ffff /* __KERNEL_DS */ ++ .quad 0x00af9b000000ffff /* __KERNEL_CS */ ++ .quad 0x00cf93000000ffff /* __KERNEL_DS */ + .quad 0x0080890000000000 /* TS descriptor */ + .quad 0x0000000000000000 /* TS continued */ + gdt_end: +diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c +index 196eaf3..c96716d 100644 +--- a/arch/x86/boot/compressed/misc.c ++++ b/arch/x86/boot/compressed/misc.c +@@ -218,7 +218,7 @@ void __putstr(const char *s) + + void *memset(void *s, int c, size_t n) + { +- int i; ++ size_t i; + char *ss = s; + + for (i = 0; i < n; i++) +@@ -277,7 +277,7 @@ static void handle_relocations(void *output, unsigned long output_len) + * Calculate the delta between where vmlinux was linked to load + * and where it was actually loaded. + */ +- delta = min_addr - LOAD_PHYSICAL_ADDR; ++ delta = min_addr - ____LOAD_PHYSICAL_ADDR; + if (!delta) { + debug_putstr("No relocation needed... "); + return; +@@ -347,7 +347,7 @@ static void parse_elf(void *output) + Elf32_Ehdr ehdr; + Elf32_Phdr *phdrs, *phdr; + #endif +- void *dest; ++ void *dest, *prev; + int i; + + memcpy(&ehdr, output, sizeof(ehdr)); +@@ -374,13 +374,16 @@ static void parse_elf(void *output) + case PT_LOAD: + #ifdef CONFIG_RELOCATABLE + dest = output; +- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR); ++ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR); + #else + dest = (void *)(phdr->p_paddr); + #endif + memcpy(dest, + output + phdr->p_offset, + phdr->p_filesz); ++ if (i) ++ memset(prev, 0xff, dest - prev); ++ prev = dest + phdr->p_filesz; + break; + default: /* Ignore other PT_* */ break; + } +@@ -430,7 +433,7 @@ asmlinkage void *decompress_kernel(void *rmode, memptr heap, + error("Destination address too large"); + #endif + #ifndef CONFIG_RELOCATABLE +- if ((unsigned long)output != LOAD_PHYSICAL_ADDR) ++ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR) + error("Wrong destination address"); + #endif + +diff --git a/arch/x86/boot/cpucheck.c b/arch/x86/boot/cpucheck.c +index 100a9a1..bb3bdb0 100644 +--- a/arch/x86/boot/cpucheck.c ++++ b/arch/x86/boot/cpucheck.c +@@ -117,9 +117,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr) + u32 ecx = MSR_K7_HWCR; + u32 eax, edx; + +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); + eax &= ~(1 << 15); +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); + + get_cpuflags(); /* Make sure it really did something */ + err = check_cpuflags(); +@@ -132,9 +132,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr) + u32 ecx = MSR_VIA_FCR; + u32 eax, edx; + +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); + eax |= (1<<1)|(1<<7); +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); + + set_bit(X86_FEATURE_CX8, cpu.flags); + err = check_cpuflags(); +@@ -145,12 +145,12 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr) + u32 eax, edx; + u32 level = 1; + +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx)); +- asm("cpuid" ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx)); ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx)); ++ asm volatile("cpuid" + : "+a" (level), "=d" (cpu.flags[0]) + : : "ecx", "ebx"); +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx)); + + err = check_cpuflags(); + } +diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S +index ec3b8ba..6a0db1f 100644 +--- a/arch/x86/boot/header.S ++++ b/arch/x86/boot/header.S +@@ -416,10 +416,14 @@ setup_data: .quad 0 # 64-bit physical pointer to + # single linked list of + # struct setup_data + +-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr ++pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr + + #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset) ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++#define VO_INIT_SIZE (VO__end - VO__text - __PAGE_OFFSET - ____LOAD_PHYSICAL_ADDR) ++#else + #define VO_INIT_SIZE (VO__end - VO__text) ++#endif + #if ZO_INIT_SIZE > VO_INIT_SIZE + #define INIT_SIZE ZO_INIT_SIZE + #else +diff --git a/arch/x86/boot/memory.c b/arch/x86/boot/memory.c +index db75d07..8e6d0af 100644 +--- a/arch/x86/boot/memory.c ++++ b/arch/x86/boot/memory.c +@@ -19,7 +19,7 @@ + + static int detect_memory_e820(void) + { +- int count = 0; ++ unsigned int count = 0; + struct biosregs ireg, oreg; + struct e820entry *desc = boot_params.e820_map; + static struct e820entry buf; /* static so it is zeroed */ +diff --git a/arch/x86/boot/video-vesa.c b/arch/x86/boot/video-vesa.c +index 11e8c6e..fdbb1ed 100644 +--- a/arch/x86/boot/video-vesa.c ++++ b/arch/x86/boot/video-vesa.c +@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void) + + boot_params.screen_info.vesapm_seg = oreg.es; + boot_params.screen_info.vesapm_off = oreg.di; ++ boot_params.screen_info.vesapm_size = oreg.cx; + } + + /* +diff --git a/arch/x86/boot/video.c b/arch/x86/boot/video.c +index 43eda28..5ab5fdb 100644 +--- a/arch/x86/boot/video.c ++++ b/arch/x86/boot/video.c +@@ -96,7 +96,7 @@ static void store_mode_params(void) + static unsigned int get_entry(void) + { + char entry_buf[4]; +- int i, len = 0; ++ unsigned int i, len = 0; + int key; + unsigned int v; + +diff --git a/arch/x86/crypto/aes-x86_64-asm_64.S b/arch/x86/crypto/aes-x86_64-asm_64.S +index 9105655..41779c1 100644 +--- a/arch/x86/crypto/aes-x86_64-asm_64.S ++++ b/arch/x86/crypto/aes-x86_64-asm_64.S +@@ -8,6 +8,8 @@ + * including this sentence is retained in full. + */ + ++#include ++ + .extern crypto_ft_tab + .extern crypto_it_tab + .extern crypto_fl_tab +@@ -70,6 +72,8 @@ + je B192; \ + leaq 32(r9),r9; + ++#define ret pax_force_retaddr; ret ++ + #define epilogue(FUNC,r1,r2,r3,r4,r5,r6,r7,r8,r9) \ + movq r1,r2; \ + movq r3,r4; \ +diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S +index 477e9d7..c92c7d8 100644 +--- a/arch/x86/crypto/aesni-intel_asm.S ++++ b/arch/x86/crypto/aesni-intel_asm.S +@@ -31,6 +31,7 @@ + + #include + #include ++#include + + #ifdef __x86_64__ + .data +@@ -205,7 +206,7 @@ enc: .octa 0x2 + * num_initial_blocks = b mod 4 + * encrypt the initial num_initial_blocks blocks and apply ghash on + * the ciphertext +-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers ++* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers + * are clobbered + * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified + */ +@@ -214,8 +215,8 @@ enc: .octa 0x2 + .macro INITIAL_BLOCKS_DEC num_initial_blocks TMP1 TMP2 TMP3 TMP4 TMP5 XMM0 XMM1 \ + XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation + mov arg7, %r10 # %r10 = AAD +- mov arg8, %r12 # %r12 = aadLen +- mov %r12, %r11 ++ mov arg8, %r15 # %r15 = aadLen ++ mov %r15, %r11 + pxor %xmm\i, %xmm\i + _get_AAD_loop\num_initial_blocks\operation: + movd (%r10), \TMP1 +@@ -223,15 +224,15 @@ _get_AAD_loop\num_initial_blocks\operation: + psrldq $4, %xmm\i + pxor \TMP1, %xmm\i + add $4, %r10 +- sub $4, %r12 ++ sub $4, %r15 + jne _get_AAD_loop\num_initial_blocks\operation + cmp $16, %r11 + je _get_AAD_loop2_done\num_initial_blocks\operation +- mov $16, %r12 ++ mov $16, %r15 + _get_AAD_loop2\num_initial_blocks\operation: + psrldq $4, %xmm\i +- sub $4, %r12 +- cmp %r11, %r12 ++ sub $4, %r15 ++ cmp %r11, %r15 + jne _get_AAD_loop2\num_initial_blocks\operation + _get_AAD_loop2_done\num_initial_blocks\operation: + movdqa SHUF_MASK(%rip), %xmm14 +@@ -443,7 +444,7 @@ _initial_blocks_done\num_initial_blocks\operation: + * num_initial_blocks = b mod 4 + * encrypt the initial num_initial_blocks blocks and apply ghash on + * the ciphertext +-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers ++* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers + * are clobbered + * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified + */ +@@ -452,8 +453,8 @@ _initial_blocks_done\num_initial_blocks\operation: + .macro INITIAL_BLOCKS_ENC num_initial_blocks TMP1 TMP2 TMP3 TMP4 TMP5 XMM0 XMM1 \ + XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation + mov arg7, %r10 # %r10 = AAD +- mov arg8, %r12 # %r12 = aadLen +- mov %r12, %r11 ++ mov arg8, %r15 # %r15 = aadLen ++ mov %r15, %r11 + pxor %xmm\i, %xmm\i + _get_AAD_loop\num_initial_blocks\operation: + movd (%r10), \TMP1 +@@ -461,15 +462,15 @@ _get_AAD_loop\num_initial_blocks\operation: + psrldq $4, %xmm\i + pxor \TMP1, %xmm\i + add $4, %r10 +- sub $4, %r12 ++ sub $4, %r15 + jne _get_AAD_loop\num_initial_blocks\operation + cmp $16, %r11 + je _get_AAD_loop2_done\num_initial_blocks\operation +- mov $16, %r12 ++ mov $16, %r15 + _get_AAD_loop2\num_initial_blocks\operation: + psrldq $4, %xmm\i +- sub $4, %r12 +- cmp %r11, %r12 ++ sub $4, %r15 ++ cmp %r11, %r15 + jne _get_AAD_loop2\num_initial_blocks\operation + _get_AAD_loop2_done\num_initial_blocks\operation: + movdqa SHUF_MASK(%rip), %xmm14 +@@ -1269,7 +1270,7 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst + * + *****************************************************************************/ + ENTRY(aesni_gcm_dec) +- push %r12 ++ push %r15 + push %r13 + push %r14 + mov %rsp, %r14 +@@ -1279,8 +1280,8 @@ ENTRY(aesni_gcm_dec) + */ + sub $VARIABLE_OFFSET, %rsp + and $~63, %rsp # align rsp to 64 bytes +- mov %arg6, %r12 +- movdqu (%r12), %xmm13 # %xmm13 = HashKey ++ mov %arg6, %r15 ++ movdqu (%r15), %xmm13 # %xmm13 = HashKey + movdqa SHUF_MASK(%rip), %xmm2 + PSHUFB_XMM %xmm2, %xmm13 + +@@ -1308,10 +1309,10 @@ ENTRY(aesni_gcm_dec) + movdqa %xmm13, HashKey(%rsp) # store HashKey<<1 (mod poly) + mov %arg4, %r13 # save the number of bytes of plaintext/ciphertext + and $-16, %r13 # %r13 = %r13 - (%r13 mod 16) +- mov %r13, %r12 +- and $(3<<4), %r12 ++ mov %r13, %r15 ++ and $(3<<4), %r15 + jz _initial_num_blocks_is_0_decrypt +- cmp $(2<<4), %r12 ++ cmp $(2<<4), %r15 + jb _initial_num_blocks_is_1_decrypt + je _initial_num_blocks_is_2_decrypt + _initial_num_blocks_is_3_decrypt: +@@ -1361,16 +1362,16 @@ _zero_cipher_left_decrypt: + sub $16, %r11 + add %r13, %r11 + movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte block +- lea SHIFT_MASK+16(%rip), %r12 +- sub %r13, %r12 ++ lea SHIFT_MASK+16(%rip), %r15 ++ sub %r13, %r15 + # adjust the shuffle mask pointer to be able to shift 16-%r13 bytes + # (%r13 is the number of bytes in plaintext mod 16) +- movdqu (%r12), %xmm2 # get the appropriate shuffle mask ++ movdqu (%r15), %xmm2 # get the appropriate shuffle mask + PSHUFB_XMM %xmm2, %xmm1 # right shift 16-%r13 butes + + movdqa %xmm1, %xmm2 + pxor %xmm1, %xmm0 # Ciphertext XOR E(K, Yn) +- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1 ++ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1 + # get the appropriate mask to mask out top 16-%r13 bytes of %xmm0 + pand %xmm1, %xmm0 # mask out top 16-%r13 bytes of %xmm0 + pand %xmm1, %xmm2 +@@ -1399,9 +1400,9 @@ _less_than_8_bytes_left_decrypt: + sub $1, %r13 + jne _less_than_8_bytes_left_decrypt + _multiple_of_16_bytes_decrypt: +- mov arg8, %r12 # %r13 = aadLen (number of bytes) +- shl $3, %r12 # convert into number of bits +- movd %r12d, %xmm15 # len(A) in %xmm15 ++ mov arg8, %r15 # %r13 = aadLen (number of bytes) ++ shl $3, %r15 # convert into number of bits ++ movd %r15d, %xmm15 # len(A) in %xmm15 + shl $3, %arg4 # len(C) in bits (*128) + MOVQ_R64_XMM %arg4, %xmm1 + pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000 +@@ -1440,7 +1441,8 @@ _return_T_done_decrypt: + mov %r14, %rsp + pop %r14 + pop %r13 +- pop %r12 ++ pop %r15 ++ pax_force_retaddr + ret + ENDPROC(aesni_gcm_dec) + +@@ -1529,7 +1531,7 @@ ENDPROC(aesni_gcm_dec) + * poly = x^128 + x^127 + x^126 + x^121 + 1 + ***************************************************************************/ + ENTRY(aesni_gcm_enc) +- push %r12 ++ push %r15 + push %r13 + push %r14 + mov %rsp, %r14 +@@ -1539,8 +1541,8 @@ ENTRY(aesni_gcm_enc) + # + sub $VARIABLE_OFFSET, %rsp + and $~63, %rsp +- mov %arg6, %r12 +- movdqu (%r12), %xmm13 ++ mov %arg6, %r15 ++ movdqu (%r15), %xmm13 + movdqa SHUF_MASK(%rip), %xmm2 + PSHUFB_XMM %xmm2, %xmm13 + +@@ -1564,13 +1566,13 @@ ENTRY(aesni_gcm_enc) + movdqa %xmm13, HashKey(%rsp) + mov %arg4, %r13 # %xmm13 holds HashKey<<1 (mod poly) + and $-16, %r13 +- mov %r13, %r12 ++ mov %r13, %r15 + + # Encrypt first few blocks + +- and $(3<<4), %r12 ++ and $(3<<4), %r15 + jz _initial_num_blocks_is_0_encrypt +- cmp $(2<<4), %r12 ++ cmp $(2<<4), %r15 + jb _initial_num_blocks_is_1_encrypt + je _initial_num_blocks_is_2_encrypt + _initial_num_blocks_is_3_encrypt: +@@ -1623,14 +1625,14 @@ _zero_cipher_left_encrypt: + sub $16, %r11 + add %r13, %r11 + movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte blocks +- lea SHIFT_MASK+16(%rip), %r12 +- sub %r13, %r12 ++ lea SHIFT_MASK+16(%rip), %r15 ++ sub %r13, %r15 + # adjust the shuffle mask pointer to be able to shift 16-r13 bytes + # (%r13 is the number of bytes in plaintext mod 16) +- movdqu (%r12), %xmm2 # get the appropriate shuffle mask ++ movdqu (%r15), %xmm2 # get the appropriate shuffle mask + PSHUFB_XMM %xmm2, %xmm1 # shift right 16-r13 byte + pxor %xmm1, %xmm0 # Plaintext XOR Encrypt(K, Yn) +- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1 ++ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1 + # get the appropriate mask to mask out top 16-r13 bytes of xmm0 + pand %xmm1, %xmm0 # mask out top 16-r13 bytes of xmm0 + movdqa SHUF_MASK(%rip), %xmm10 +@@ -1663,9 +1665,9 @@ _less_than_8_bytes_left_encrypt: + sub $1, %r13 + jne _less_than_8_bytes_left_encrypt + _multiple_of_16_bytes_encrypt: +- mov arg8, %r12 # %r12 = addLen (number of bytes) +- shl $3, %r12 +- movd %r12d, %xmm15 # len(A) in %xmm15 ++ mov arg8, %r15 # %r15 = addLen (number of bytes) ++ shl $3, %r15 ++ movd %r15d, %xmm15 # len(A) in %xmm15 + shl $3, %arg4 # len(C) in bits (*128) + MOVQ_R64_XMM %arg4, %xmm1 + pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000 +@@ -1704,7 +1706,8 @@ _return_T_done_encrypt: + mov %r14, %rsp + pop %r14 + pop %r13 +- pop %r12 ++ pop %r15 ++ pax_force_retaddr + ret + ENDPROC(aesni_gcm_enc) + +@@ -1722,6 +1725,7 @@ _key_expansion_256a: + pxor %xmm1, %xmm0 + movaps %xmm0, (TKEYP) + add $0x10, TKEYP ++ pax_force_retaddr + ret + ENDPROC(_key_expansion_128) + ENDPROC(_key_expansion_256a) +@@ -1748,6 +1752,7 @@ _key_expansion_192a: + shufps $0b01001110, %xmm2, %xmm1 + movaps %xmm1, 0x10(TKEYP) + add $0x20, TKEYP ++ pax_force_retaddr + ret + ENDPROC(_key_expansion_192a) + +@@ -1768,6 +1773,7 @@ _key_expansion_192b: + + movaps %xmm0, (TKEYP) + add $0x10, TKEYP ++ pax_force_retaddr + ret + ENDPROC(_key_expansion_192b) + +@@ -1781,6 +1787,7 @@ _key_expansion_256b: + pxor %xmm1, %xmm2 + movaps %xmm2, (TKEYP) + add $0x10, TKEYP ++ pax_force_retaddr + ret + ENDPROC(_key_expansion_256b) + +@@ -1894,6 +1901,7 @@ ENTRY(aesni_set_key) + #ifndef __x86_64__ + popl KEYP + #endif ++ pax_force_retaddr + ret + ENDPROC(aesni_set_key) + +@@ -1916,6 +1924,7 @@ ENTRY(aesni_enc) + popl KLEN + popl KEYP + #endif ++ pax_force_retaddr + ret + ENDPROC(aesni_enc) + +@@ -1974,6 +1983,7 @@ _aesni_enc1: + AESENC KEY STATE + movaps 0x70(TKEYP), KEY + AESENCLAST KEY STATE ++ pax_force_retaddr + ret + ENDPROC(_aesni_enc1) + +@@ -2083,6 +2093,7 @@ _aesni_enc4: + AESENCLAST KEY STATE2 + AESENCLAST KEY STATE3 + AESENCLAST KEY STATE4 ++ pax_force_retaddr + ret + ENDPROC(_aesni_enc4) + +@@ -2106,6 +2117,7 @@ ENTRY(aesni_dec) + popl KLEN + popl KEYP + #endif ++ pax_force_retaddr + ret + ENDPROC(aesni_dec) + +@@ -2164,6 +2176,7 @@ _aesni_dec1: + AESDEC KEY STATE + movaps 0x70(TKEYP), KEY + AESDECLAST KEY STATE ++ pax_force_retaddr + ret + ENDPROC(_aesni_dec1) + +@@ -2273,6 +2286,7 @@ _aesni_dec4: + AESDECLAST KEY STATE2 + AESDECLAST KEY STATE3 + AESDECLAST KEY STATE4 ++ pax_force_retaddr + ret + ENDPROC(_aesni_dec4) + +@@ -2331,6 +2345,7 @@ ENTRY(aesni_ecb_enc) + popl KEYP + popl LEN + #endif ++ pax_force_retaddr + ret + ENDPROC(aesni_ecb_enc) + +@@ -2390,6 +2405,7 @@ ENTRY(aesni_ecb_dec) + popl KEYP + popl LEN + #endif ++ pax_force_retaddr + ret + ENDPROC(aesni_ecb_dec) + +@@ -2432,6 +2448,7 @@ ENTRY(aesni_cbc_enc) + popl LEN + popl IVP + #endif ++ pax_force_retaddr + ret + ENDPROC(aesni_cbc_enc) + +@@ -2523,6 +2540,7 @@ ENTRY(aesni_cbc_dec) + popl LEN + popl IVP + #endif ++ pax_force_retaddr + ret + ENDPROC(aesni_cbc_dec) + +@@ -2550,6 +2568,7 @@ _aesni_inc_init: + mov $1, TCTR_LOW + MOVQ_R64_XMM TCTR_LOW INC + MOVQ_R64_XMM CTR TCTR_LOW ++ pax_force_retaddr + ret + ENDPROC(_aesni_inc_init) + +@@ -2579,6 +2598,7 @@ _aesni_inc: + .Linc_low: + movaps CTR, IV + PSHUFB_XMM BSWAP_MASK IV ++ pax_force_retaddr + ret + ENDPROC(_aesni_inc) + +@@ -2640,6 +2660,7 @@ ENTRY(aesni_ctr_enc) + .Lctr_enc_ret: + movups IV, (IVP) + .Lctr_enc_just_ret: ++ pax_force_retaddr + ret + ENDPROC(aesni_ctr_enc) + +@@ -2766,6 +2787,7 @@ ENTRY(aesni_xts_crypt8) + pxor INC, STATE4 + movdqu STATE4, 0x70(OUTP) + ++ pax_force_retaddr + ret + ENDPROC(aesni_xts_crypt8) + +diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S +index 246c670..466e2d6 100644 +--- a/arch/x86/crypto/blowfish-x86_64-asm_64.S ++++ b/arch/x86/crypto/blowfish-x86_64-asm_64.S +@@ -21,6 +21,7 @@ + */ + + #include ++#include + + .file "blowfish-x86_64-asm.S" + .text +@@ -149,9 +150,11 @@ ENTRY(__blowfish_enc_blk) + jnz .L__enc_xor; + + write_block(); ++ pax_force_retaddr + ret; + .L__enc_xor: + xor_block(); ++ pax_force_retaddr + ret; + ENDPROC(__blowfish_enc_blk) + +@@ -183,6 +186,7 @@ ENTRY(blowfish_dec_blk) + + movq %r11, %rbp; + ++ pax_force_retaddr + ret; + ENDPROC(blowfish_dec_blk) + +@@ -334,6 +338,7 @@ ENTRY(__blowfish_enc_blk_4way) + + popq %rbx; + popq %rbp; ++ pax_force_retaddr + ret; + + .L__enc_xor4: +@@ -341,6 +346,7 @@ ENTRY(__blowfish_enc_blk_4way) + + popq %rbx; + popq %rbp; ++ pax_force_retaddr + ret; + ENDPROC(__blowfish_enc_blk_4way) + +@@ -375,5 +381,6 @@ ENTRY(blowfish_dec_blk_4way) + popq %rbx; + popq %rbp; + ++ pax_force_retaddr + ret; + ENDPROC(blowfish_dec_blk_4way) +diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S +index ce71f92..1dce7ec 100644 +--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S ++++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S +@@ -16,6 +16,7 @@ + */ + + #include ++#include + + #define CAMELLIA_TABLE_BYTE_LEN 272 + +@@ -191,6 +192,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd: + roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, + %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15, + %rcx, (%r9)); ++ pax_force_retaddr + ret; + ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd) + +@@ -199,6 +201,7 @@ roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab: + roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3, + %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11, + %rax, (%r9)); ++ pax_force_retaddr + ret; + ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab) + +@@ -780,6 +783,7 @@ __camellia_enc_blk16: + %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, + %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax)); + ++ pax_force_retaddr + ret; + + .align 8 +@@ -865,6 +869,7 @@ __camellia_dec_blk16: + %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, + %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax)); + ++ pax_force_retaddr + ret; + + .align 8 +@@ -904,6 +909,7 @@ ENTRY(camellia_ecb_enc_16way) + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr + ret; + ENDPROC(camellia_ecb_enc_16way) + +@@ -932,6 +938,7 @@ ENTRY(camellia_ecb_dec_16way) + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr + ret; + ENDPROC(camellia_ecb_dec_16way) + +@@ -981,6 +988,7 @@ ENTRY(camellia_cbc_dec_16way) + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr + ret; + ENDPROC(camellia_cbc_dec_16way) + +@@ -1092,6 +1100,7 @@ ENTRY(camellia_ctr_16way) + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr + ret; + ENDPROC(camellia_ctr_16way) + +@@ -1234,6 +1243,7 @@ camellia_xts_crypt_16way: + %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9, + %xmm8, %rsi); + ++ pax_force_retaddr + ret; + ENDPROC(camellia_xts_crypt_16way) + +diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S +index 0e0b886..5a3123c 100644 +--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S ++++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S +@@ -11,6 +11,7 @@ + */ + + #include ++#include + + #define CAMELLIA_TABLE_BYTE_LEN 272 + +@@ -230,6 +231,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd: + roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7, + %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15, + %rcx, (%r9)); ++ pax_force_retaddr + ret; + ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd) + +@@ -238,6 +240,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab: + roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3, + %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11, + %rax, (%r9)); ++ pax_force_retaddr + ret; + ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab) + +@@ -820,6 +823,7 @@ __camellia_enc_blk32: + %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, + %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax)); + ++ pax_force_retaddr + ret; + + .align 8 +@@ -905,6 +909,7 @@ __camellia_dec_blk32: + %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, + %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax)); + ++ pax_force_retaddr + ret; + + .align 8 +@@ -948,6 +953,7 @@ ENTRY(camellia_ecb_enc_32way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(camellia_ecb_enc_32way) + +@@ -980,6 +986,7 @@ ENTRY(camellia_ecb_dec_32way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(camellia_ecb_dec_32way) + +@@ -1046,6 +1053,7 @@ ENTRY(camellia_cbc_dec_32way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(camellia_cbc_dec_32way) + +@@ -1184,6 +1192,7 @@ ENTRY(camellia_ctr_32way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(camellia_ctr_32way) + +@@ -1349,6 +1358,7 @@ camellia_xts_crypt_32way: + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(camellia_xts_crypt_32way) + +diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S +index 310319c..db3d7b5 100644 +--- a/arch/x86/crypto/camellia-x86_64-asm_64.S ++++ b/arch/x86/crypto/camellia-x86_64-asm_64.S +@@ -21,6 +21,7 @@ + */ + + #include ++#include + + .file "camellia-x86_64-asm_64.S" + .text +@@ -228,12 +229,14 @@ ENTRY(__camellia_enc_blk) + enc_outunpack(mov, RT1); + + movq RRBP, %rbp; ++ pax_force_retaddr + ret; + + .L__enc_xor: + enc_outunpack(xor, RT1); + + movq RRBP, %rbp; ++ pax_force_retaddr + ret; + ENDPROC(__camellia_enc_blk) + +@@ -272,6 +275,7 @@ ENTRY(camellia_dec_blk) + dec_outunpack(); + + movq RRBP, %rbp; ++ pax_force_retaddr + ret; + ENDPROC(camellia_dec_blk) + +@@ -463,6 +467,7 @@ ENTRY(__camellia_enc_blk_2way) + + movq RRBP, %rbp; + popq %rbx; ++ pax_force_retaddr + ret; + + .L__enc2_xor: +@@ -470,6 +475,7 @@ ENTRY(__camellia_enc_blk_2way) + + movq RRBP, %rbp; + popq %rbx; ++ pax_force_retaddr + ret; + ENDPROC(__camellia_enc_blk_2way) + +@@ -510,5 +516,6 @@ ENTRY(camellia_dec_blk_2way) + + movq RRBP, %rbp; + movq RXOR, %rbx; ++ pax_force_retaddr + ret; + ENDPROC(camellia_dec_blk_2way) +diff --git a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S +index c35fd5d..2d8c7db 100644 +--- a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S ++++ b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S +@@ -24,6 +24,7 @@ + */ + + #include ++#include + + .file "cast5-avx-x86_64-asm_64.S" + +@@ -281,6 +282,7 @@ __cast5_enc_blk16: + outunpack_blocks(RR3, RL3, RTMP, RX, RKM); + outunpack_blocks(RR4, RL4, RTMP, RX, RKM); + ++ pax_force_retaddr + ret; + ENDPROC(__cast5_enc_blk16) + +@@ -352,6 +354,7 @@ __cast5_dec_blk16: + outunpack_blocks(RR3, RL3, RTMP, RX, RKM); + outunpack_blocks(RR4, RL4, RTMP, RX, RKM); + ++ pax_force_retaddr + ret; + + .L__skip_dec: +@@ -388,6 +391,7 @@ ENTRY(cast5_ecb_enc_16way) + vmovdqu RR4, (6*4*4)(%r11); + vmovdqu RL4, (7*4*4)(%r11); + ++ pax_force_retaddr + ret; + ENDPROC(cast5_ecb_enc_16way) + +@@ -420,6 +424,7 @@ ENTRY(cast5_ecb_dec_16way) + vmovdqu RR4, (6*4*4)(%r11); + vmovdqu RL4, (7*4*4)(%r11); + ++ pax_force_retaddr + ret; + ENDPROC(cast5_ecb_dec_16way) + +@@ -430,10 +435,10 @@ ENTRY(cast5_cbc_dec_16way) + * %rdx: src + */ + +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + vmovdqu (0*16)(%rdx), RL1; + vmovdqu (1*16)(%rdx), RR1; +@@ -447,16 +452,16 @@ ENTRY(cast5_cbc_dec_16way) + call __cast5_dec_blk16; + + /* xor with src */ +- vmovq (%r12), RX; ++ vmovq (%r14), RX; + vpshufd $0x4f, RX, RX; + vpxor RX, RR1, RR1; +- vpxor 0*16+8(%r12), RL1, RL1; +- vpxor 1*16+8(%r12), RR2, RR2; +- vpxor 2*16+8(%r12), RL2, RL2; +- vpxor 3*16+8(%r12), RR3, RR3; +- vpxor 4*16+8(%r12), RL3, RL3; +- vpxor 5*16+8(%r12), RR4, RR4; +- vpxor 6*16+8(%r12), RL4, RL4; ++ vpxor 0*16+8(%r14), RL1, RL1; ++ vpxor 1*16+8(%r14), RR2, RR2; ++ vpxor 2*16+8(%r14), RL2, RL2; ++ vpxor 3*16+8(%r14), RR3, RR3; ++ vpxor 4*16+8(%r14), RL3, RL3; ++ vpxor 5*16+8(%r14), RR4, RR4; ++ vpxor 6*16+8(%r14), RL4, RL4; + + vmovdqu RR1, (0*16)(%r11); + vmovdqu RL1, (1*16)(%r11); +@@ -467,8 +472,9 @@ ENTRY(cast5_cbc_dec_16way) + vmovdqu RR4, (6*16)(%r11); + vmovdqu RL4, (7*16)(%r11); + +- popq %r12; ++ popq %r14; + ++ pax_force_retaddr + ret; + ENDPROC(cast5_cbc_dec_16way) + +@@ -480,10 +486,10 @@ ENTRY(cast5_ctr_16way) + * %rcx: iv (big endian, 64bit) + */ + +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + vpcmpeqd RTMP, RTMP, RTMP; + vpsrldq $8, RTMP, RTMP; /* low: -1, high: 0 */ +@@ -523,14 +529,14 @@ ENTRY(cast5_ctr_16way) + call __cast5_enc_blk16; + + /* dst = src ^ iv */ +- vpxor (0*16)(%r12), RR1, RR1; +- vpxor (1*16)(%r12), RL1, RL1; +- vpxor (2*16)(%r12), RR2, RR2; +- vpxor (3*16)(%r12), RL2, RL2; +- vpxor (4*16)(%r12), RR3, RR3; +- vpxor (5*16)(%r12), RL3, RL3; +- vpxor (6*16)(%r12), RR4, RR4; +- vpxor (7*16)(%r12), RL4, RL4; ++ vpxor (0*16)(%r14), RR1, RR1; ++ vpxor (1*16)(%r14), RL1, RL1; ++ vpxor (2*16)(%r14), RR2, RR2; ++ vpxor (3*16)(%r14), RL2, RL2; ++ vpxor (4*16)(%r14), RR3, RR3; ++ vpxor (5*16)(%r14), RL3, RL3; ++ vpxor (6*16)(%r14), RR4, RR4; ++ vpxor (7*16)(%r14), RL4, RL4; + vmovdqu RR1, (0*16)(%r11); + vmovdqu RL1, (1*16)(%r11); + vmovdqu RR2, (2*16)(%r11); +@@ -540,7 +546,8 @@ ENTRY(cast5_ctr_16way) + vmovdqu RR4, (6*16)(%r11); + vmovdqu RL4, (7*16)(%r11); + +- popq %r12; ++ popq %r14; + ++ pax_force_retaddr + ret; + ENDPROC(cast5_ctr_16way) +diff --git a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S +index e3531f8..e123f35 100644 +--- a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S ++++ b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S +@@ -24,6 +24,7 @@ + */ + + #include ++#include + #include "glue_helper-asm-avx.S" + + .file "cast6-avx-x86_64-asm_64.S" +@@ -295,6 +296,7 @@ __cast6_enc_blk8: + outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM); + outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM); + ++ pax_force_retaddr + ret; + ENDPROC(__cast6_enc_blk8) + +@@ -340,6 +342,7 @@ __cast6_dec_blk8: + outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM); + outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM); + ++ pax_force_retaddr + ret; + ENDPROC(__cast6_dec_blk8) + +@@ -358,6 +361,7 @@ ENTRY(cast6_ecb_enc_8way) + + store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(cast6_ecb_enc_8way) + +@@ -376,6 +380,7 @@ ENTRY(cast6_ecb_dec_8way) + + store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(cast6_ecb_dec_8way) + +@@ -386,19 +391,20 @@ ENTRY(cast6_cbc_dec_8way) + * %rdx: src + */ + +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + load_8way(%rdx, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + + call __cast6_dec_blk8; + +- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); ++ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + +- popq %r12; ++ popq %r14; + ++ pax_force_retaddr + ret; + ENDPROC(cast6_cbc_dec_8way) + +@@ -410,20 +416,21 @@ ENTRY(cast6_ctr_8way) + * %rcx: iv (little endian, 128bit) + */ + +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2, + RD2, RX, RKR, RKM); + + call __cast6_enc_blk8; + +- store_ctr_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); ++ store_ctr_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + +- popq %r12; ++ popq %r14; + ++ pax_force_retaddr + ret; + ENDPROC(cast6_ctr_8way) + +@@ -446,6 +453,7 @@ ENTRY(cast6_xts_enc_8way) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(cast6_xts_enc_8way) + +@@ -468,5 +476,6 @@ ENTRY(cast6_xts_dec_8way) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(cast6_xts_dec_8way) +diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S +index dbc4339..de6e120 100644 +--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S ++++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S +@@ -45,6 +45,7 @@ + + #include + #include ++#include + + ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction + +@@ -312,6 +313,7 @@ do_return: + popq %rsi + popq %rdi + popq %rbx ++ pax_force_retaddr + ret + + ################################################################ +diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S +index 185fad4..ff4cd36 100644 +--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S ++++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S +@@ -18,6 +18,7 @@ + + #include + #include ++#include + + .data + +@@ -89,6 +90,7 @@ __clmul_gf128mul_ble: + psrlq $1, T2 + pxor T2, T1 + pxor T1, DATA ++ pax_force_retaddr + ret + ENDPROC(__clmul_gf128mul_ble) + +@@ -101,6 +103,7 @@ ENTRY(clmul_ghash_mul) + call __clmul_gf128mul_ble + PSHUFB_XMM BSWAP DATA + movups DATA, (%rdi) ++ pax_force_retaddr + ret + ENDPROC(clmul_ghash_mul) + +@@ -128,5 +131,6 @@ ENTRY(clmul_ghash_update) + PSHUFB_XMM BSWAP DATA + movups DATA, (%rdi) + .Lupdate_just_ret: ++ pax_force_retaddr + ret + ENDPROC(clmul_ghash_update) +diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S +index 9279e0b..c4b3d2c 100644 +--- a/arch/x86/crypto/salsa20-x86_64-asm_64.S ++++ b/arch/x86/crypto/salsa20-x86_64-asm_64.S +@@ -1,4 +1,5 @@ + #include ++#include + + # enter salsa20_encrypt_bytes + ENTRY(salsa20_encrypt_bytes) +@@ -789,6 +790,7 @@ ENTRY(salsa20_encrypt_bytes) + add %r11,%rsp + mov %rdi,%rax + mov %rsi,%rdx ++ pax_force_retaddr + ret + # bytesatleast65: + ._bytesatleast65: +@@ -889,6 +891,7 @@ ENTRY(salsa20_keysetup) + add %r11,%rsp + mov %rdi,%rax + mov %rsi,%rdx ++ pax_force_retaddr + ret + ENDPROC(salsa20_keysetup) + +@@ -914,5 +917,6 @@ ENTRY(salsa20_ivsetup) + add %r11,%rsp + mov %rdi,%rax + mov %rsi,%rdx ++ pax_force_retaddr + ret + ENDPROC(salsa20_ivsetup) +diff --git a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S +index 2f202f4..d9164d6 100644 +--- a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S ++++ b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S +@@ -24,6 +24,7 @@ + */ + + #include ++#include + #include "glue_helper-asm-avx.S" + + .file "serpent-avx-x86_64-asm_64.S" +@@ -618,6 +619,7 @@ __serpent_enc_blk8_avx: + write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2); + write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__serpent_enc_blk8_avx) + +@@ -672,6 +674,7 @@ __serpent_dec_blk8_avx: + write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2); + write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__serpent_dec_blk8_avx) + +@@ -688,6 +691,7 @@ ENTRY(serpent_ecb_enc_8way_avx) + + store_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ecb_enc_8way_avx) + +@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_8way_avx) + + store_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ecb_dec_8way_avx) + +@@ -720,6 +725,7 @@ ENTRY(serpent_cbc_dec_8way_avx) + + store_cbc_8way(%rdx, %rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_cbc_dec_8way_avx) + +@@ -738,6 +744,7 @@ ENTRY(serpent_ctr_8way_avx) + + store_ctr_8way(%rdx, %rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ctr_8way_avx) + +@@ -758,6 +765,7 @@ ENTRY(serpent_xts_enc_8way_avx) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_xts_enc_8way_avx) + +@@ -778,5 +786,6 @@ ENTRY(serpent_xts_dec_8way_avx) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_xts_dec_8way_avx) +diff --git a/arch/x86/crypto/serpent-avx2-asm_64.S b/arch/x86/crypto/serpent-avx2-asm_64.S +index b222085..abd483c 100644 +--- a/arch/x86/crypto/serpent-avx2-asm_64.S ++++ b/arch/x86/crypto/serpent-avx2-asm_64.S +@@ -15,6 +15,7 @@ + */ + + #include ++#include + #include "glue_helper-asm-avx2.S" + + .file "serpent-avx2-asm_64.S" +@@ -610,6 +611,7 @@ __serpent_enc_blk16: + write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2); + write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__serpent_enc_blk16) + +@@ -664,6 +666,7 @@ __serpent_dec_blk16: + write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2); + write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__serpent_dec_blk16) + +@@ -684,6 +687,7 @@ ENTRY(serpent_ecb_enc_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ecb_enc_16way) + +@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ecb_dec_16way) + +@@ -725,6 +730,7 @@ ENTRY(serpent_cbc_dec_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_cbc_dec_16way) + +@@ -748,6 +754,7 @@ ENTRY(serpent_ctr_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_ctr_16way) + +@@ -772,6 +779,7 @@ ENTRY(serpent_xts_enc_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_xts_enc_16way) + +@@ -796,5 +804,6 @@ ENTRY(serpent_xts_dec_16way) + + vzeroupper; + ++ pax_force_retaddr + ret; + ENDPROC(serpent_xts_dec_16way) +diff --git a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S +index acc066c..1559cc4 100644 +--- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S ++++ b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S +@@ -25,6 +25,7 @@ + */ + + #include ++#include + + .file "serpent-sse2-x86_64-asm_64.S" + .text +@@ -690,12 +691,14 @@ ENTRY(__serpent_enc_blk_8way) + write_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2); + write_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + + .L__enc_xor8: + xor_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2); + xor_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__serpent_enc_blk_8way) + +@@ -750,5 +753,6 @@ ENTRY(serpent_dec_blk_8way) + write_blocks(%rsi, RC1, RD1, RB1, RE1, RK0, RK1, RK2); + write_blocks(%rax, RC2, RD2, RB2, RE2, RK0, RK1, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(serpent_dec_blk_8way) +diff --git a/arch/x86/crypto/sha1_ssse3_asm.S b/arch/x86/crypto/sha1_ssse3_asm.S +index a410950..9dfe7ad 100644 +--- a/arch/x86/crypto/sha1_ssse3_asm.S ++++ b/arch/x86/crypto/sha1_ssse3_asm.S +@@ -29,6 +29,7 @@ + */ + + #include ++#include + + #define CTX %rdi // arg1 + #define BUF %rsi // arg2 +@@ -75,9 +76,9 @@ + + push %rbx + push %rbp +- push %r12 ++ push %r14 + +- mov %rsp, %r12 ++ mov %rsp, %r14 + sub $64, %rsp # allocate workspace + and $~15, %rsp # align stack + +@@ -99,11 +100,12 @@ + xor %rax, %rax + rep stosq + +- mov %r12, %rsp # deallocate workspace ++ mov %r14, %rsp # deallocate workspace + +- pop %r12 ++ pop %r14 + pop %rbp + pop %rbx ++ pax_force_retaddr + ret + + ENDPROC(\name) +diff --git a/arch/x86/crypto/sha256-avx-asm.S b/arch/x86/crypto/sha256-avx-asm.S +index 642f156..51a513c 100644 +--- a/arch/x86/crypto/sha256-avx-asm.S ++++ b/arch/x86/crypto/sha256-avx-asm.S +@@ -49,6 +49,7 @@ + + #ifdef CONFIG_AS_AVX + #include ++#include + + ## assume buffers not aligned + #define VMOVDQ vmovdqu +@@ -460,6 +461,7 @@ done_hash: + popq %r13 + popq %rbp + popq %rbx ++ pax_force_retaddr + ret + ENDPROC(sha256_transform_avx) + +diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S +index 9e86944..3795e6a 100644 +--- a/arch/x86/crypto/sha256-avx2-asm.S ++++ b/arch/x86/crypto/sha256-avx2-asm.S +@@ -50,6 +50,7 @@ + + #ifdef CONFIG_AS_AVX2 + #include ++#include + + ## assume buffers not aligned + #define VMOVDQ vmovdqu +@@ -720,6 +721,7 @@ done_hash: + popq %r12 + popq %rbp + popq %rbx ++ pax_force_retaddr + ret + ENDPROC(sha256_transform_rorx) + +diff --git a/arch/x86/crypto/sha256-ssse3-asm.S b/arch/x86/crypto/sha256-ssse3-asm.S +index f833b74..8c62a9e 100644 +--- a/arch/x86/crypto/sha256-ssse3-asm.S ++++ b/arch/x86/crypto/sha256-ssse3-asm.S +@@ -47,6 +47,7 @@ + ######################################################################## + + #include ++#include + + ## assume buffers not aligned + #define MOVDQ movdqu +@@ -471,6 +472,7 @@ done_hash: + popq %rbp + popq %rbx + ++ pax_force_retaddr + ret + ENDPROC(sha256_transform_ssse3) + +diff --git a/arch/x86/crypto/sha512-avx-asm.S b/arch/x86/crypto/sha512-avx-asm.S +index 974dde9..a823ff9 100644 +--- a/arch/x86/crypto/sha512-avx-asm.S ++++ b/arch/x86/crypto/sha512-avx-asm.S +@@ -49,6 +49,7 @@ + + #ifdef CONFIG_AS_AVX + #include ++#include + + .text + +@@ -364,6 +365,7 @@ updateblock: + mov frame_RSPSAVE(%rsp), %rsp + + nowork: ++ pax_force_retaddr + ret + ENDPROC(sha512_transform_avx) + +diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S +index 568b961..ed20c37 100644 +--- a/arch/x86/crypto/sha512-avx2-asm.S ++++ b/arch/x86/crypto/sha512-avx2-asm.S +@@ -51,6 +51,7 @@ + + #ifdef CONFIG_AS_AVX2 + #include ++#include + + .text + +@@ -678,6 +679,7 @@ done_hash: + + # Restore Stack Pointer + mov frame_RSPSAVE(%rsp), %rsp ++ pax_force_retaddr + ret + ENDPROC(sha512_transform_rorx) + +diff --git a/arch/x86/crypto/sha512-ssse3-asm.S b/arch/x86/crypto/sha512-ssse3-asm.S +index fb56855..6edd768 100644 +--- a/arch/x86/crypto/sha512-ssse3-asm.S ++++ b/arch/x86/crypto/sha512-ssse3-asm.S +@@ -48,6 +48,7 @@ + ######################################################################## + + #include ++#include + + .text + +@@ -363,6 +364,7 @@ updateblock: + mov frame_RSPSAVE(%rsp), %rsp + + nowork: ++ pax_force_retaddr + ret + ENDPROC(sha512_transform_ssse3) + +diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S +index 0505813..b067311 100644 +--- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S ++++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S +@@ -24,6 +24,7 @@ + */ + + #include ++#include + #include "glue_helper-asm-avx.S" + + .file "twofish-avx-x86_64-asm_64.S" +@@ -284,6 +285,7 @@ __twofish_enc_blk8: + outunpack_blocks(RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2); + outunpack_blocks(RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__twofish_enc_blk8) + +@@ -324,6 +326,7 @@ __twofish_dec_blk8: + outunpack_blocks(RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2); + outunpack_blocks(RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2); + ++ pax_force_retaddr + ret; + ENDPROC(__twofish_dec_blk8) + +@@ -342,6 +345,7 @@ ENTRY(twofish_ecb_enc_8way) + + store_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + ++ pax_force_retaddr + ret; + ENDPROC(twofish_ecb_enc_8way) + +@@ -360,6 +364,7 @@ ENTRY(twofish_ecb_dec_8way) + + store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(twofish_ecb_dec_8way) + +@@ -370,19 +375,20 @@ ENTRY(twofish_cbc_dec_8way) + * %rdx: src + */ + +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + load_8way(%rdx, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + + call __twofish_dec_blk8; + +- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); ++ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + +- popq %r12; ++ popq %r14; + ++ pax_force_retaddr + ret; + ENDPROC(twofish_cbc_dec_8way) + +@@ -394,20 +400,21 @@ ENTRY(twofish_ctr_8way) + * %rcx: iv (little endian, 128bit) + */ + +- pushq %r12; ++ pushq %r14; + + movq %rsi, %r11; +- movq %rdx, %r12; ++ movq %rdx, %r14; + + load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2, + RD2, RX0, RX1, RY0); + + call __twofish_enc_blk8; + +- store_ctr_8way(%r12, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); ++ store_ctr_8way(%r14, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + +- popq %r12; ++ popq %r14; + ++ pax_force_retaddr + ret; + ENDPROC(twofish_ctr_8way) + +@@ -430,6 +437,7 @@ ENTRY(twofish_xts_enc_8way) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2); + ++ pax_force_retaddr + ret; + ENDPROC(twofish_xts_enc_8way) + +@@ -452,5 +460,6 @@ ENTRY(twofish_xts_dec_8way) + /* dst <= regs xor IVs(in dst) */ + store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2); + ++ pax_force_retaddr + ret; + ENDPROC(twofish_xts_dec_8way) +diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S +index 1c3b7ce..02f578d 100644 +--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S ++++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S +@@ -21,6 +21,7 @@ + */ + + #include ++#include + + .file "twofish-x86_64-asm-3way.S" + .text +@@ -258,6 +259,7 @@ ENTRY(__twofish_enc_blk_3way) + popq %r13; + popq %r14; + popq %r15; ++ pax_force_retaddr + ret; + + .L__enc_xor3: +@@ -269,6 +271,7 @@ ENTRY(__twofish_enc_blk_3way) + popq %r13; + popq %r14; + popq %r15; ++ pax_force_retaddr + ret; + ENDPROC(__twofish_enc_blk_3way) + +@@ -308,5 +311,6 @@ ENTRY(twofish_dec_blk_3way) + popq %r13; + popq %r14; + popq %r15; ++ pax_force_retaddr + ret; + ENDPROC(twofish_dec_blk_3way) +diff --git a/arch/x86/crypto/twofish-x86_64-asm_64.S b/arch/x86/crypto/twofish-x86_64-asm_64.S +index a039d21..524b8b2 100644 +--- a/arch/x86/crypto/twofish-x86_64-asm_64.S ++++ b/arch/x86/crypto/twofish-x86_64-asm_64.S +@@ -22,6 +22,7 @@ + + #include + #include ++#include + + #define a_offset 0 + #define b_offset 4 +@@ -265,6 +266,7 @@ ENTRY(twofish_enc_blk) + + popq R1 + movq $1,%rax ++ pax_force_retaddr + ret + ENDPROC(twofish_enc_blk) + +@@ -317,5 +319,6 @@ ENTRY(twofish_dec_blk) + + popq R1 + movq $1,%rax ++ pax_force_retaddr + ret + ENDPROC(twofish_dec_blk) +diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c +index d21ff89..6da8e6e 100644 +--- a/arch/x86/ia32/ia32_aout.c ++++ b/arch/x86/ia32/ia32_aout.c +@@ -153,6 +153,8 @@ static int aout_core_dump(struct coredump_params *cprm) + unsigned long dump_start, dump_size; + struct user32 dump; + ++ memset(&dump, 0, sizeof(dump)); ++ + fs = get_fs(); + set_fs(KERNEL_DS); + has_dumped = 1; +diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c +index 2206757..85cbcfa 100644 +--- a/arch/x86/ia32/ia32_signal.c ++++ b/arch/x86/ia32/ia32_signal.c +@@ -218,7 +218,7 @@ asmlinkage long sys32_sigreturn(void) + if (__get_user(set.sig[0], &frame->sc.oldmask) + || (_COMPAT_NSIG_WORDS > 1 + && __copy_from_user((((char *) &set.sig) + 4), +- &frame->extramask, ++ frame->extramask, + sizeof(frame->extramask)))) + goto badframe; + +@@ -338,7 +338,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, + sp -= frame_size; + /* Align the stack pointer according to the i386 ABI, + * i.e. so that on function entry ((sp + 4) & 15) == 0. */ +- sp = ((sp + 4) & -16ul) - 4; ++ sp = ((sp - 12) & -16ul) - 4; + return (void __user *) sp; + } + +@@ -386,7 +386,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig, + restorer = VDSO32_SYMBOL(current->mm->context.vdso, + sigreturn); + else +- restorer = &frame->retcode; ++ restorer = frame->retcode; + } + + put_user_try { +@@ -396,7 +396,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig, + * These are actually not used anymore, but left because some + * gdb versions depend on them as a marker. + */ +- put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode); ++ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode); + } put_user_catch(err); + + if (err) +@@ -438,7 +438,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, + 0xb8, + __NR_ia32_rt_sigreturn, + 0x80cd, +- 0, ++ 0 + }; + + frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate); +@@ -461,16 +461,18 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, + + if (ksig->ka.sa.sa_flags & SA_RESTORER) + restorer = ksig->ka.sa.sa_restorer; ++ else if (current->mm->context.vdso) ++ /* Return stub is in 32bit vsyscall page */ ++ restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); + else +- restorer = VDSO32_SYMBOL(current->mm->context.vdso, +- rt_sigreturn); ++ restorer = frame->retcode; + put_user_ex(ptr_to_compat(restorer), &frame->pretcode); + + /* + * Not actually used anymore, but left because some gdb + * versions need it. + */ +- put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode); ++ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode); + } put_user_catch(err); + + err |= copy_siginfo_to_user32(&frame->info, &ksig->info); +diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S +index 4299eb0..c0687a7 100644 +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -15,8 +15,10 @@ + #include + #include + #include ++#include + #include + #include ++#include + + /* Avoid __ASSEMBLER__'ifying just for this. */ + #include +@@ -62,12 +64,12 @@ + */ + .macro LOAD_ARGS32 offset, _r9=0 + .if \_r9 +- movl \offset+16(%rsp),%r9d ++ movl \offset+R9(%rsp),%r9d + .endif +- movl \offset+40(%rsp),%ecx +- movl \offset+48(%rsp),%edx +- movl \offset+56(%rsp),%esi +- movl \offset+64(%rsp),%edi ++ movl \offset+RCX(%rsp),%ecx ++ movl \offset+RDX(%rsp),%edx ++ movl \offset+RSI(%rsp),%esi ++ movl \offset+RDI(%rsp),%edi + movl %eax,%eax /* zero extension */ + .endm + +@@ -96,6 +98,32 @@ ENTRY(native_irq_enable_sysexit) + ENDPROC(native_irq_enable_sysexit) + #endif + ++ .macro pax_enter_kernel_user ++ pax_set_fptr_mask ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ call pax_enter_kernel_user ++#endif ++ .endm ++ ++ .macro pax_exit_kernel_user ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ call pax_exit_kernel_user ++#endif ++#ifdef CONFIG_PAX_RANDKSTACK ++ pushq %rax ++ pushq %r11 ++ call pax_randomize_kstack ++ popq %r11 ++ popq %rax ++#endif ++ .endm ++ ++ .macro pax_erase_kstack ++#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++ call pax_erase_kstack ++#endif ++ .endm ++ + /* + * 32bit SYSENTER instruction entry. + * +@@ -122,12 +150,6 @@ ENTRY(ia32_sysenter_target) + CFI_REGISTER rsp,rbp + SWAPGS_UNSAFE_STACK + movq PER_CPU_VAR(kernel_stack), %rsp +- addq $(KERNEL_STACK_OFFSET),%rsp +- /* +- * No need to follow this irqs on/off section: the syscall +- * disabled irqs, here we enable it straight after entry: +- */ +- ENABLE_INTERRUPTS(CLBR_NONE) + movl %ebp,%ebp /* zero extension */ + pushq_cfi $__USER32_DS + /*CFI_REL_OFFSET ss,0*/ +@@ -135,24 +157,49 @@ ENTRY(ia32_sysenter_target) + CFI_REL_OFFSET rsp,0 + pushfq_cfi + /*CFI_REL_OFFSET rflags,0*/ +- movl TI_sysenter_return+THREAD_INFO(%rsp,3*8-KERNEL_STACK_OFFSET),%r10d +- CFI_REGISTER rip,r10 ++ orl $X86_EFLAGS_IF,(%rsp) ++ GET_THREAD_INFO(%r11) ++ movl TI_sysenter_return(%r11), %r11d ++ CFI_REGISTER rip,r11 + pushq_cfi $__USER32_CS + /*CFI_REL_OFFSET cs,0*/ + movl %eax, %eax +- pushq_cfi %r10 ++ pushq_cfi %r11 + CFI_REL_OFFSET rip,0 + pushq_cfi %rax + cld + SAVE_ARGS 0,1,0 ++ pax_enter_kernel_user ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ ++ /* ++ * No need to follow this irqs on/off section: the syscall ++ * disabled irqs, here we enable it straight after entry: ++ */ ++ ENABLE_INTERRUPTS(CLBR_NONE) + /* no need to do an access_ok check here because rbp has been + 32bit zero extended */ ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ addq pax_user_shadow_base,%rbp ++ ASM_PAX_OPEN_USERLAND ++#endif ++ + ASM_STAC + 1: movl (%rbp),%ebp + _ASM_EXTABLE(1b,ia32_badarg) + ASM_CLAC +- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) +- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ ASM_PAX_CLOSE_USERLAND ++#endif ++ ++ GET_THREAD_INFO(%r11) ++ orl $TS_COMPAT,TI_status(%r11) ++ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11) + CFI_REMEMBER_STATE + jnz sysenter_tracesys + cmpq $(IA32_NR_syscalls-1),%rax +@@ -162,15 +209,18 @@ sysenter_do_call: + sysenter_dispatch: + call *ia32_sys_call_table(,%rax,8) + movq %rax,RAX-ARGOFFSET(%rsp) ++ GET_THREAD_INFO(%r11) + DISABLE_INTERRUPTS(CLBR_NONE) + TRACE_IRQS_OFF +- testl $_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ testl $_TIF_ALLWORK_MASK,TI_flags(%r11) + jnz sysexit_audit + sysexit_from_sys_call: +- andl $~TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ pax_exit_kernel_user ++ pax_erase_kstack ++ andl $~TS_COMPAT,TI_status(%r11) + /* clear IF, that popfq doesn't enable interrupts early */ +- andl $~0x200,EFLAGS-R11(%rsp) +- movl RIP-R11(%rsp),%edx /* User %eip */ ++ andl $~X86_EFLAGS_IF,EFLAGS(%rsp) ++ movl RIP(%rsp),%edx /* User %eip */ + CFI_REGISTER rip,rdx + RESTORE_ARGS 0,24,0,0,0,0 + xorq %r8,%r8 +@@ -193,6 +243,9 @@ sysexit_from_sys_call: + movl %eax,%esi /* 2nd arg: syscall number */ + movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ + call __audit_syscall_entry ++ ++ pax_erase_kstack ++ + movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ + cmpq $(IA32_NR_syscalls-1),%rax + ja ia32_badsys +@@ -204,7 +257,7 @@ sysexit_from_sys_call: + .endm + + .macro auditsys_exit exit +- testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r11) + jnz ia32_ret_from_sys_call + TRACE_IRQS_ON + ENABLE_INTERRUPTS(CLBR_NONE) +@@ -215,11 +268,12 @@ sysexit_from_sys_call: + 1: setbe %al /* 1 if error, 0 if not */ + movzbl %al,%edi /* zero-extend that into %edi */ + call __audit_syscall_exit ++ GET_THREAD_INFO(%r11) + movq RAX-ARGOFFSET(%rsp),%rax /* reload syscall return value */ + movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi + DISABLE_INTERRUPTS(CLBR_NONE) + TRACE_IRQS_OFF +- testl %edi,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ testl %edi,TI_flags(%r11) + jz \exit + CLEAR_RREGS -ARGOFFSET + jmp int_with_check +@@ -237,7 +291,7 @@ sysexit_audit: + + sysenter_tracesys: + #ifdef CONFIG_AUDITSYSCALL +- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%r11) + jz sysenter_auditsys + #endif + SAVE_REST +@@ -249,6 +303,9 @@ sysenter_tracesys: + RESTORE_REST + cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ ++ ++ pax_erase_kstack ++ + jmp sysenter_do_call + CFI_ENDPROC + ENDPROC(ia32_sysenter_target) +@@ -276,19 +333,25 @@ ENDPROC(ia32_sysenter_target) + ENTRY(ia32_cstar_target) + CFI_STARTPROC32 simple + CFI_SIGNAL_FRAME +- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET ++ CFI_DEF_CFA rsp,0 + CFI_REGISTER rip,rcx + /*CFI_REGISTER rflags,r11*/ + SWAPGS_UNSAFE_STACK + movl %esp,%r8d + CFI_REGISTER rsp,r8 + movq PER_CPU_VAR(kernel_stack),%rsp ++ SAVE_ARGS 8*6,0,0 ++ pax_enter_kernel_user ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ + /* + * No need to follow this irqs on/off section: the syscall + * disabled irqs and here we enable it straight after entry: + */ + ENABLE_INTERRUPTS(CLBR_NONE) +- SAVE_ARGS 8,0,0 + movl %eax,%eax /* zero extension */ + movq %rax,ORIG_RAX-ARGOFFSET(%rsp) + movq %rcx,RIP-ARGOFFSET(%rsp) +@@ -304,12 +367,25 @@ ENTRY(ia32_cstar_target) + /* no need to do an access_ok check here because r8 has been + 32bit zero extended */ + /* hardware stack frame is complete now */ ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ ASM_PAX_OPEN_USERLAND ++ movq pax_user_shadow_base,%r8 ++ addq RSP-ARGOFFSET(%rsp),%r8 ++#endif ++ + ASM_STAC + 1: movl (%r8),%r9d + _ASM_EXTABLE(1b,ia32_badarg) + ASM_CLAC +- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) +- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ ASM_PAX_CLOSE_USERLAND ++#endif ++ ++ GET_THREAD_INFO(%r11) ++ orl $TS_COMPAT,TI_status(%r11) ++ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11) + CFI_REMEMBER_STATE + jnz cstar_tracesys + cmpq $IA32_NR_syscalls-1,%rax +@@ -319,13 +395,16 @@ cstar_do_call: + cstar_dispatch: + call *ia32_sys_call_table(,%rax,8) + movq %rax,RAX-ARGOFFSET(%rsp) ++ GET_THREAD_INFO(%r11) + DISABLE_INTERRUPTS(CLBR_NONE) + TRACE_IRQS_OFF +- testl $_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ testl $_TIF_ALLWORK_MASK,TI_flags(%r11) + jnz sysretl_audit + sysretl_from_sys_call: +- andl $~TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) +- RESTORE_ARGS 0,-ARG_SKIP,0,0,0 ++ pax_exit_kernel_user ++ pax_erase_kstack ++ andl $~TS_COMPAT,TI_status(%r11) ++ RESTORE_ARGS 0,-ORIG_RAX,0,0,0 + movl RIP-ARGOFFSET(%rsp),%ecx + CFI_REGISTER rip,rcx + movl EFLAGS-ARGOFFSET(%rsp),%r11d +@@ -352,7 +431,7 @@ sysretl_audit: + + cstar_tracesys: + #ifdef CONFIG_AUDITSYSCALL +- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%r11) + jz cstar_auditsys + #endif + xchgl %r9d,%ebp +@@ -366,11 +445,19 @@ cstar_tracesys: + xchgl %ebp,%r9d + cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ ++ ++ pax_erase_kstack ++ + jmp cstar_do_call + END(ia32_cstar_target) + + ia32_badarg: + ASM_CLAC ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ ASM_PAX_CLOSE_USERLAND ++#endif ++ + movq $-EFAULT,%rax + jmp ia32_sysret + CFI_ENDPROC +@@ -407,19 +494,26 @@ ENTRY(ia32_syscall) + CFI_REL_OFFSET rip,RIP-RIP + PARAVIRT_ADJUST_EXCEPTION_FRAME + SWAPGS +- /* +- * No need to follow this irqs on/off section: the syscall +- * disabled irqs and here we enable it straight after entry: +- */ +- ENABLE_INTERRUPTS(CLBR_NONE) + movl %eax,%eax + pushq_cfi %rax + cld + /* note the registers are not zero extended to the sf. + this could be a problem. */ + SAVE_ARGS 0,1,0 +- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) +- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ pax_enter_kernel_user ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ ++ /* ++ * No need to follow this irqs on/off section: the syscall ++ * disabled irqs and here we enable it straight after entry: ++ */ ++ ENABLE_INTERRUPTS(CLBR_NONE) ++ GET_THREAD_INFO(%r11) ++ orl $TS_COMPAT,TI_status(%r11) ++ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11) + jnz ia32_tracesys + cmpq $(IA32_NR_syscalls-1),%rax + ja ia32_badsys +@@ -442,6 +536,9 @@ ia32_tracesys: + RESTORE_REST + cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */ ++ ++ pax_erase_kstack ++ + jmp ia32_do_call + END(ia32_syscall) + +diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c +index 8e0ceec..af13504 100644 +--- a/arch/x86/ia32/sys_ia32.c ++++ b/arch/x86/ia32/sys_ia32.c +@@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low, + */ + static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat) + { +- typeof(ubuf->st_uid) uid = 0; +- typeof(ubuf->st_gid) gid = 0; ++ typeof(((struct stat64 *)0)->st_uid) uid = 0; ++ typeof(((struct stat64 *)0)->st_gid) gid = 0; + SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid)); + SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid)); + if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) || +diff --git a/arch/x86/include/asm/alternative-asm.h b/arch/x86/include/asm/alternative-asm.h +index 372231c..51b537d 100644 +--- a/arch/x86/include/asm/alternative-asm.h ++++ b/arch/x86/include/asm/alternative-asm.h +@@ -18,6 +18,45 @@ + .endm + #endif + ++#ifdef KERNEXEC_PLUGIN ++ .macro pax_force_retaddr_bts rip=0 ++ btsq $63,\rip(%rsp) ++ .endm ++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS ++ .macro pax_force_retaddr rip=0, reload=0 ++ btsq $63,\rip(%rsp) ++ .endm ++ .macro pax_force_fptr ptr ++ btsq $63,\ptr ++ .endm ++ .macro pax_set_fptr_mask ++ .endm ++#endif ++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ .macro pax_force_retaddr rip=0, reload=0 ++ .if \reload ++ pax_set_fptr_mask ++ .endif ++ orq %r12,\rip(%rsp) ++ .endm ++ .macro pax_force_fptr ptr ++ orq %r12,\ptr ++ .endm ++ .macro pax_set_fptr_mask ++ movabs $0x8000000000000000,%r12 ++ .endm ++#endif ++#else ++ .macro pax_force_retaddr rip=0, reload=0 ++ .endm ++ .macro pax_force_fptr ptr ++ .endm ++ .macro pax_force_retaddr_bts rip=0 ++ .endm ++ .macro pax_set_fptr_mask ++ .endm ++#endif ++ + .macro altinstruction_entry orig alt feature orig_len alt_len + .long \orig - . + .long \alt - . +diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h +index 0a3f9c9..c9d081d 100644 +--- a/arch/x86/include/asm/alternative.h ++++ b/arch/x86/include/asm/alternative.h +@@ -106,7 +106,7 @@ static inline int alternatives_text_reserved(void *start, void *end) + ".pushsection .discard,\"aw\",@progbits\n" \ + DISCARD_ENTRY(1) \ + ".popsection\n" \ +- ".pushsection .altinstr_replacement, \"ax\"\n" \ ++ ".pushsection .altinstr_replacement, \"a\"\n" \ + ALTINSTR_REPLACEMENT(newinstr, feature, 1) \ + ".popsection" + +@@ -120,7 +120,7 @@ static inline int alternatives_text_reserved(void *start, void *end) + DISCARD_ENTRY(1) \ + DISCARD_ENTRY(2) \ + ".popsection\n" \ +- ".pushsection .altinstr_replacement, \"ax\"\n" \ ++ ".pushsection .altinstr_replacement, \"a\"\n" \ + ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \ + ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \ + ".popsection" +diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h +index 1d2091a..f5074c1 100644 +--- a/arch/x86/include/asm/apic.h ++++ b/arch/x86/include/asm/apic.h +@@ -45,7 +45,7 @@ static inline void generic_apic_probe(void) + + #ifdef CONFIG_X86_LOCAL_APIC + +-extern unsigned int apic_verbosity; ++extern int apic_verbosity; + extern int local_apic_timer_c2_ok; + + extern int disable_apic; +diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h +index 20370c6..a2eb9b0 100644 +--- a/arch/x86/include/asm/apm.h ++++ b/arch/x86/include/asm/apm.h +@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in, + __asm__ __volatile__(APM_DO_ZERO_SEGS + "pushl %%edi\n\t" + "pushl %%ebp\n\t" +- "lcall *%%cs:apm_bios_entry\n\t" ++ "lcall *%%ss:apm_bios_entry\n\t" + "setc %%al\n\t" + "popl %%ebp\n\t" + "popl %%edi\n\t" +@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in, + __asm__ __volatile__(APM_DO_ZERO_SEGS + "pushl %%edi\n\t" + "pushl %%ebp\n\t" +- "lcall *%%cs:apm_bios_entry\n\t" ++ "lcall *%%ss:apm_bios_entry\n\t" + "setc %%bl\n\t" + "popl %%ebp\n\t" + "popl %%edi\n\t" +diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h +index b17f4f4..9620151 100644 +--- a/arch/x86/include/asm/atomic.h ++++ b/arch/x86/include/asm/atomic.h +@@ -23,7 +23,18 @@ + */ + static inline int atomic_read(const atomic_t *v) + { +- return (*(volatile int *)&(v)->counter); ++ return (*(volatile const int *)&(v)->counter); ++} ++ ++/** ++ * atomic_read_unchecked - read atomic variable ++ * @v: pointer of type atomic_unchecked_t ++ * ++ * Atomically reads the value of @v. ++ */ ++static inline int __intentional_overflow(-1) atomic_read_unchecked(const atomic_unchecked_t *v) ++{ ++ return (*(volatile const int *)&(v)->counter); + } + + /** +@@ -39,6 +50,18 @@ static inline void atomic_set(atomic_t *v, int i) + } + + /** ++ * atomic_set_unchecked - set atomic variable ++ * @v: pointer of type atomic_unchecked_t ++ * @i: required value ++ * ++ * Atomically sets the value of @v to @i. ++ */ ++static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i) ++{ ++ v->counter = i; ++} ++ ++/** + * atomic_add - add integer to atomic variable + * @i: integer value to add + * @v: pointer of type atomic_t +@@ -47,7 +70,29 @@ static inline void atomic_set(atomic_t *v, int i) + */ + static inline void atomic_add(int i, atomic_t *v) + { +- asm volatile(LOCK_PREFIX "addl %1,%0" ++ asm volatile(LOCK_PREFIX "addl %1,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX "subl %1,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+m" (v->counter) ++ : "ir" (i)); ++} ++ ++/** ++ * atomic_add_unchecked - add integer to atomic variable ++ * @i: integer value to add ++ * @v: pointer of type atomic_unchecked_t ++ * ++ * Atomically adds @i to @v. ++ */ ++static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v) ++{ ++ asm volatile(LOCK_PREFIX "addl %1,%0\n" + : "+m" (v->counter) + : "ir" (i)); + } +@@ -61,7 +106,29 @@ static inline void atomic_add(int i, atomic_t *v) + */ + static inline void atomic_sub(int i, atomic_t *v) + { +- asm volatile(LOCK_PREFIX "subl %1,%0" ++ asm volatile(LOCK_PREFIX "subl %1,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX "addl %1,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+m" (v->counter) ++ : "ir" (i)); ++} ++ ++/** ++ * atomic_sub_unchecked - subtract integer from atomic variable ++ * @i: integer value to subtract ++ * @v: pointer of type atomic_unchecked_t ++ * ++ * Atomically subtracts @i from @v. ++ */ ++static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v) ++{ ++ asm volatile(LOCK_PREFIX "subl %1,%0\n" + : "+m" (v->counter) + : "ir" (i)); + } +@@ -77,7 +144,7 @@ static inline void atomic_sub(int i, atomic_t *v) + */ + static inline int atomic_sub_and_test(int i, atomic_t *v) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "subl", v->counter, "er", i, "%0", "e"); ++ GEN_BINARY_RMWcc(LOCK_PREFIX "subl", LOCK_PREFIX "addl", v->counter, "er", i, "%0", "e"); + } + + /** +@@ -88,7 +155,27 @@ static inline int atomic_sub_and_test(int i, atomic_t *v) + */ + static inline void atomic_inc(atomic_t *v) + { +- asm volatile(LOCK_PREFIX "incl %0" ++ asm volatile(LOCK_PREFIX "incl %0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX "decl %0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+m" (v->counter)); ++} ++ ++/** ++ * atomic_inc_unchecked - increment atomic variable ++ * @v: pointer of type atomic_unchecked_t ++ * ++ * Atomically increments @v by 1. ++ */ ++static inline void atomic_inc_unchecked(atomic_unchecked_t *v) ++{ ++ asm volatile(LOCK_PREFIX "incl %0\n" + : "+m" (v->counter)); + } + +@@ -100,7 +187,27 @@ static inline void atomic_inc(atomic_t *v) + */ + static inline void atomic_dec(atomic_t *v) + { +- asm volatile(LOCK_PREFIX "decl %0" ++ asm volatile(LOCK_PREFIX "decl %0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX "incl %0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+m" (v->counter)); ++} ++ ++/** ++ * atomic_dec_unchecked - decrement atomic variable ++ * @v: pointer of type atomic_unchecked_t ++ * ++ * Atomically decrements @v by 1. ++ */ ++static inline void atomic_dec_unchecked(atomic_unchecked_t *v) ++{ ++ asm volatile(LOCK_PREFIX "decl %0\n" + : "+m" (v->counter)); + } + +@@ -114,7 +221,7 @@ static inline void atomic_dec(atomic_t *v) + */ + static inline int atomic_dec_and_test(atomic_t *v) + { +- GEN_UNARY_RMWcc(LOCK_PREFIX "decl", v->counter, "%0", "e"); ++ GEN_UNARY_RMWcc(LOCK_PREFIX "decl", LOCK_PREFIX "incl", v->counter, "%0", "e"); + } + + /** +@@ -127,7 +234,20 @@ static inline int atomic_dec_and_test(atomic_t *v) + */ + static inline int atomic_inc_and_test(atomic_t *v) + { +- GEN_UNARY_RMWcc(LOCK_PREFIX "incl", v->counter, "%0", "e"); ++ GEN_UNARY_RMWcc(LOCK_PREFIX "incl", LOCK_PREFIX "decl", v->counter, "%0", "e"); ++} ++ ++/** ++ * atomic_inc_and_test_unchecked - increment and test ++ * @v: pointer of type atomic_unchecked_t ++ * ++ * Atomically increments @v by 1 ++ * and returns true if the result is zero, or false for all ++ * other cases. ++ */ ++static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v) ++{ ++ GEN_UNARY_RMWcc_unchecked(LOCK_PREFIX "incl", v->counter, "%0", "e"); + } + + /** +@@ -141,7 +261,7 @@ static inline int atomic_inc_and_test(atomic_t *v) + */ + static inline int atomic_add_negative(int i, atomic_t *v) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "addl", v->counter, "er", i, "%0", "s"); ++ GEN_BINARY_RMWcc(LOCK_PREFIX "addl", LOCK_PREFIX "subl", v->counter, "er", i, "%0", "s"); + } + + /** +@@ -153,6 +273,18 @@ static inline int atomic_add_negative(int i, atomic_t *v) + */ + static inline int atomic_add_return(int i, atomic_t *v) + { ++ return i + xadd_check_overflow(&v->counter, i); ++} ++ ++/** ++ * atomic_add_return_unchecked - add integer and return ++ * @i: integer value to add ++ * @v: pointer of type atomic_unchecked_t ++ * ++ * Atomically adds @i to @v and returns @i + @v ++ */ ++static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v) ++{ + return i + xadd(&v->counter, i); + } + +@@ -169,9 +301,18 @@ static inline int atomic_sub_return(int i, atomic_t *v) + } + + #define atomic_inc_return(v) (atomic_add_return(1, v)) ++static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v) ++{ ++ return atomic_add_return_unchecked(1, v); ++} + #define atomic_dec_return(v) (atomic_sub_return(1, v)) + +-static inline int atomic_cmpxchg(atomic_t *v, int old, int new) ++static inline int __intentional_overflow(-1) atomic_cmpxchg(atomic_t *v, int old, int new) ++{ ++ return cmpxchg(&v->counter, old, new); ++} ++ ++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new) + { + return cmpxchg(&v->counter, old, new); + } +@@ -181,6 +322,11 @@ static inline int atomic_xchg(atomic_t *v, int new) + return xchg(&v->counter, new); + } + ++static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new) ++{ ++ return xchg(&v->counter, new); ++} ++ + /** + * __atomic_add_unless - add unless the number is already a given value + * @v: pointer of type atomic_t +@@ -190,14 +336,27 @@ static inline int atomic_xchg(atomic_t *v, int new) + * Atomically adds @a to @v, so long as @v was not already @u. + * Returns the old value of @v. + */ +-static inline int __atomic_add_unless(atomic_t *v, int a, int u) ++static inline int __intentional_overflow(-1) __atomic_add_unless(atomic_t *v, int a, int u) + { +- int c, old; ++ int c, old, new; + c = atomic_read(v); + for (;;) { +- if (unlikely(c == (u))) ++ if (unlikely(c == u)) + break; +- old = atomic_cmpxchg((v), c, c + (a)); ++ ++ asm volatile("addl %2,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ "subl %2,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "=r" (new) ++ : "0" (c), "ir" (a)); ++ ++ old = atomic_cmpxchg(v, c, new); + if (likely(old == c)) + break; + c = old; +@@ -206,6 +365,49 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u) + } + + /** ++ * atomic_inc_not_zero_hint - increment if not null ++ * @v: pointer of type atomic_t ++ * @hint: probable value of the atomic before the increment ++ * ++ * This version of atomic_inc_not_zero() gives a hint of probable ++ * value of the atomic. This helps processor to not read the memory ++ * before doing the atomic read/modify/write cycle, lowering ++ * number of bus transactions on some arches. ++ * ++ * Returns: 0 if increment was not done, 1 otherwise. ++ */ ++#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint ++static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint) ++{ ++ int val, c = hint, new; ++ ++ /* sanity test, should be removed by compiler if hint is a constant */ ++ if (!hint) ++ return __atomic_add_unless(v, 1, 0); ++ ++ do { ++ asm volatile("incl %0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ "decl %0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "=r" (new) ++ : "0" (c)); ++ ++ val = atomic_cmpxchg(v, c, new); ++ if (val == c) ++ return 1; ++ c = val; ++ } while (c); ++ ++ return 0; ++} ++ ++/** + * atomic_inc_short - increment of a short integer + * @v: pointer to type int + * +@@ -234,14 +436,37 @@ static inline void atomic_or_long(unsigned long *v1, unsigned long v2) + #endif + + /* These are x86-specific, used by some header files */ +-#define atomic_clear_mask(mask, addr) \ +- asm volatile(LOCK_PREFIX "andl %0,%1" \ +- : : "r" (~(mask)), "m" (*(addr)) : "memory") ++static inline void atomic_clear_mask(unsigned int mask, atomic_t *v) ++{ ++ asm volatile(LOCK_PREFIX "andl %1,%0" ++ : "+m" (v->counter) ++ : "r" (~(mask)) ++ : "memory"); ++} + +-#define atomic_set_mask(mask, addr) \ +- asm volatile(LOCK_PREFIX "orl %0,%1" \ +- : : "r" ((unsigned)(mask)), "m" (*(addr)) \ +- : "memory") ++static inline void atomic_clear_mask_unchecked(unsigned int mask, atomic_unchecked_t *v) ++{ ++ asm volatile(LOCK_PREFIX "andl %1,%0" ++ : "+m" (v->counter) ++ : "r" (~(mask)) ++ : "memory"); ++} ++ ++static inline void atomic_set_mask(unsigned int mask, atomic_t *v) ++{ ++ asm volatile(LOCK_PREFIX "orl %1,%0" ++ : "+m" (v->counter) ++ : "r" (mask) ++ : "memory"); ++} ++ ++static inline void atomic_set_mask_unchecked(unsigned int mask, atomic_unchecked_t *v) ++{ ++ asm volatile(LOCK_PREFIX "orl %1,%0" ++ : "+m" (v->counter) ++ : "r" (mask) ++ : "memory"); ++} + + /* Atomic operations are already serializing on x86 */ + #define smp_mb__before_atomic_dec() barrier() +diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h +index b154de7..bf18a5a 100644 +--- a/arch/x86/include/asm/atomic64_32.h ++++ b/arch/x86/include/asm/atomic64_32.h +@@ -12,6 +12,14 @@ typedef struct { + u64 __aligned(8) counter; + } atomic64_t; + ++#ifdef CONFIG_PAX_REFCOUNT ++typedef struct { ++ u64 __aligned(8) counter; ++} atomic64_unchecked_t; ++#else ++typedef atomic64_t atomic64_unchecked_t; ++#endif ++ + #define ATOMIC64_INIT(val) { (val) } + + #define __ATOMIC64_DECL(sym) void atomic64_##sym(atomic64_t *, ...) +@@ -37,21 +45,31 @@ typedef struct { + ATOMIC64_DECL_ONE(sym##_386) + + ATOMIC64_DECL_ONE(add_386); ++ATOMIC64_DECL_ONE(add_unchecked_386); + ATOMIC64_DECL_ONE(sub_386); ++ATOMIC64_DECL_ONE(sub_unchecked_386); + ATOMIC64_DECL_ONE(inc_386); ++ATOMIC64_DECL_ONE(inc_unchecked_386); + ATOMIC64_DECL_ONE(dec_386); ++ATOMIC64_DECL_ONE(dec_unchecked_386); + #endif + + #define alternative_atomic64(f, out, in...) \ + __alternative_atomic64(f, f, ASM_OUTPUT2(out), ## in) + + ATOMIC64_DECL(read); ++ATOMIC64_DECL(read_unchecked); + ATOMIC64_DECL(set); ++ATOMIC64_DECL(set_unchecked); + ATOMIC64_DECL(xchg); + ATOMIC64_DECL(add_return); ++ATOMIC64_DECL(add_return_unchecked); + ATOMIC64_DECL(sub_return); ++ATOMIC64_DECL(sub_return_unchecked); + ATOMIC64_DECL(inc_return); ++ATOMIC64_DECL(inc_return_unchecked); + ATOMIC64_DECL(dec_return); ++ATOMIC64_DECL(dec_return_unchecked); + ATOMIC64_DECL(dec_if_positive); + ATOMIC64_DECL(inc_not_zero); + ATOMIC64_DECL(add_unless); +@@ -77,6 +95,21 @@ static inline long long atomic64_cmpxchg(atomic64_t *v, long long o, long long n + } + + /** ++ * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable ++ * @p: pointer to type atomic64_unchecked_t ++ * @o: expected value ++ * @n: new value ++ * ++ * Atomically sets @v to @n if it was equal to @o and returns ++ * the old value. ++ */ ++ ++static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n) ++{ ++ return cmpxchg64(&v->counter, o, n); ++} ++ ++/** + * atomic64_xchg - xchg atomic64 variable + * @v: pointer to type atomic64_t + * @n: value to assign +@@ -112,6 +145,22 @@ static inline void atomic64_set(atomic64_t *v, long long i) + } + + /** ++ * atomic64_set_unchecked - set atomic64 variable ++ * @v: pointer to type atomic64_unchecked_t ++ * @n: value to assign ++ * ++ * Atomically sets the value of @v to @n. ++ */ ++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i) ++{ ++ unsigned high = (unsigned)(i >> 32); ++ unsigned low = (unsigned)i; ++ alternative_atomic64(set, /* no output */, ++ "S" (v), "b" (low), "c" (high) ++ : "eax", "edx", "memory"); ++} ++ ++/** + * atomic64_read - read atomic64 variable + * @v: pointer to type atomic64_t + * +@@ -125,6 +174,19 @@ static inline long long atomic64_read(const atomic64_t *v) + } + + /** ++ * atomic64_read_unchecked - read atomic64 variable ++ * @v: pointer to type atomic64_unchecked_t ++ * ++ * Atomically reads the value of @v and returns it. ++ */ ++static inline long long __intentional_overflow(-1) atomic64_read_unchecked(atomic64_unchecked_t *v) ++{ ++ long long r; ++ alternative_atomic64(read, "=&A" (r), "c" (v) : "memory"); ++ return r; ++ } ++ ++/** + * atomic64_add_return - add and return + * @i: integer value to add + * @v: pointer to type atomic64_t +@@ -139,6 +201,21 @@ static inline long long atomic64_add_return(long long i, atomic64_t *v) + return i; + } + ++/** ++ * atomic64_add_return_unchecked - add and return ++ * @i: integer value to add ++ * @v: pointer to type atomic64_unchecked_t ++ * ++ * Atomically adds @i to @v and returns @i + *@v ++ */ ++static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v) ++{ ++ alternative_atomic64(add_return_unchecked, ++ ASM_OUTPUT2("+A" (i), "+c" (v)), ++ ASM_NO_INPUT_CLOBBER("memory")); ++ return i; ++} ++ + /* + * Other variants with different arithmetic operators: + */ +@@ -158,6 +235,14 @@ static inline long long atomic64_inc_return(atomic64_t *v) + return a; + } + ++static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v) ++{ ++ long long a; ++ alternative_atomic64(inc_return_unchecked, "=&A" (a), ++ "S" (v) : "memory", "ecx"); ++ return a; ++} ++ + static inline long long atomic64_dec_return(atomic64_t *v) + { + long long a; +@@ -182,6 +267,21 @@ static inline long long atomic64_add(long long i, atomic64_t *v) + } + + /** ++ * atomic64_add_unchecked - add integer to atomic64 variable ++ * @i: integer value to add ++ * @v: pointer to type atomic64_unchecked_t ++ * ++ * Atomically adds @i to @v. ++ */ ++static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v) ++{ ++ __alternative_atomic64(add_unchecked, add_return_unchecked, ++ ASM_OUTPUT2("+A" (i), "+c" (v)), ++ ASM_NO_INPUT_CLOBBER("memory")); ++ return i; ++} ++ ++/** + * atomic64_sub - subtract the atomic64 variable + * @i: integer value to subtract + * @v: pointer to type atomic64_t +diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h +index 46e9052..ae45136 100644 +--- a/arch/x86/include/asm/atomic64_64.h ++++ b/arch/x86/include/asm/atomic64_64.h +@@ -18,7 +18,19 @@ + */ + static inline long atomic64_read(const atomic64_t *v) + { +- return (*(volatile long *)&(v)->counter); ++ return (*(volatile const long *)&(v)->counter); ++} ++ ++/** ++ * atomic64_read_unchecked - read atomic64 variable ++ * @v: pointer of type atomic64_unchecked_t ++ * ++ * Atomically reads the value of @v. ++ * Doesn't imply a read memory barrier. ++ */ ++static inline long __intentional_overflow(-1) atomic64_read_unchecked(const atomic64_unchecked_t *v) ++{ ++ return (*(volatile const long *)&(v)->counter); + } + + /** +@@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64_t *v, long i) + } + + /** ++ * atomic64_set_unchecked - set atomic64 variable ++ * @v: pointer to type atomic64_unchecked_t ++ * @i: required value ++ * ++ * Atomically sets the value of @v to @i. ++ */ ++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i) ++{ ++ v->counter = i; ++} ++ ++/** + * atomic64_add - add integer to atomic64 variable + * @i: integer value to add + * @v: pointer to type atomic64_t +@@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64_t *v, long i) + */ + static inline void atomic64_add(long i, atomic64_t *v) + { ++ asm volatile(LOCK_PREFIX "addq %1,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX "subq %1,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "=m" (v->counter) ++ : "er" (i), "m" (v->counter)); ++} ++ ++/** ++ * atomic64_add_unchecked - add integer to atomic64 variable ++ * @i: integer value to add ++ * @v: pointer to type atomic64_unchecked_t ++ * ++ * Atomically adds @i to @v. ++ */ ++static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v) ++{ + asm volatile(LOCK_PREFIX "addq %1,%0" + : "=m" (v->counter) + : "er" (i), "m" (v->counter)); +@@ -56,7 +102,29 @@ static inline void atomic64_add(long i, atomic64_t *v) + */ + static inline void atomic64_sub(long i, atomic64_t *v) + { +- asm volatile(LOCK_PREFIX "subq %1,%0" ++ asm volatile(LOCK_PREFIX "subq %1,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX "addq %1,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "=m" (v->counter) ++ : "er" (i), "m" (v->counter)); ++} ++ ++/** ++ * atomic64_sub_unchecked - subtract the atomic64 variable ++ * @i: integer value to subtract ++ * @v: pointer to type atomic64_unchecked_t ++ * ++ * Atomically subtracts @i from @v. ++ */ ++static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v) ++{ ++ asm volatile(LOCK_PREFIX "subq %1,%0\n" + : "=m" (v->counter) + : "er" (i), "m" (v->counter)); + } +@@ -72,7 +140,7 @@ static inline void atomic64_sub(long i, atomic64_t *v) + */ + static inline int atomic64_sub_and_test(long i, atomic64_t *v) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "subq", v->counter, "er", i, "%0", "e"); ++ GEN_BINARY_RMWcc(LOCK_PREFIX "subq", LOCK_PREFIX "addq", v->counter, "er", i, "%0", "e"); + } + + /** +@@ -83,6 +151,27 @@ static inline int atomic64_sub_and_test(long i, atomic64_t *v) + */ + static inline void atomic64_inc(atomic64_t *v) + { ++ asm volatile(LOCK_PREFIX "incq %0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX "decq %0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "=m" (v->counter) ++ : "m" (v->counter)); ++} ++ ++/** ++ * atomic64_inc_unchecked - increment atomic64 variable ++ * @v: pointer to type atomic64_unchecked_t ++ * ++ * Atomically increments @v by 1. ++ */ ++static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v) ++{ + asm volatile(LOCK_PREFIX "incq %0" + : "=m" (v->counter) + : "m" (v->counter)); +@@ -96,7 +185,28 @@ static inline void atomic64_inc(atomic64_t *v) + */ + static inline void atomic64_dec(atomic64_t *v) + { +- asm volatile(LOCK_PREFIX "decq %0" ++ asm volatile(LOCK_PREFIX "decq %0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX "incq %0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "=m" (v->counter) ++ : "m" (v->counter)); ++} ++ ++/** ++ * atomic64_dec_unchecked - decrement atomic64 variable ++ * @v: pointer to type atomic64_t ++ * ++ * Atomically decrements @v by 1. ++ */ ++static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v) ++{ ++ asm volatile(LOCK_PREFIX "decq %0\n" + : "=m" (v->counter) + : "m" (v->counter)); + } +@@ -111,7 +221,7 @@ static inline void atomic64_dec(atomic64_t *v) + */ + static inline int atomic64_dec_and_test(atomic64_t *v) + { +- GEN_UNARY_RMWcc(LOCK_PREFIX "decq", v->counter, "%0", "e"); ++ GEN_UNARY_RMWcc(LOCK_PREFIX "decq", LOCK_PREFIX "incq", v->counter, "%0", "e"); + } + + /** +@@ -124,7 +234,7 @@ static inline int atomic64_dec_and_test(atomic64_t *v) + */ + static inline int atomic64_inc_and_test(atomic64_t *v) + { +- GEN_UNARY_RMWcc(LOCK_PREFIX "incq", v->counter, "%0", "e"); ++ GEN_UNARY_RMWcc(LOCK_PREFIX "incq", LOCK_PREFIX "decq", v->counter, "%0", "e"); + } + + /** +@@ -138,7 +248,7 @@ static inline int atomic64_inc_and_test(atomic64_t *v) + */ + static inline int atomic64_add_negative(long i, atomic64_t *v) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "addq", v->counter, "er", i, "%0", "s"); ++ GEN_BINARY_RMWcc(LOCK_PREFIX "addq", LOCK_PREFIX "subq", v->counter, "er", i, "%0", "s"); + } + + /** +@@ -150,6 +260,18 @@ static inline int atomic64_add_negative(long i, atomic64_t *v) + */ + static inline long atomic64_add_return(long i, atomic64_t *v) + { ++ return i + xadd_check_overflow(&v->counter, i); ++} ++ ++/** ++ * atomic64_add_return_unchecked - add and return ++ * @i: integer value to add ++ * @v: pointer to type atomic64_unchecked_t ++ * ++ * Atomically adds @i to @v and returns @i + @v ++ */ ++static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v) ++{ + return i + xadd(&v->counter, i); + } + +@@ -159,6 +281,10 @@ static inline long atomic64_sub_return(long i, atomic64_t *v) + } + + #define atomic64_inc_return(v) (atomic64_add_return(1, (v))) ++static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v) ++{ ++ return atomic64_add_return_unchecked(1, v); ++} + #define atomic64_dec_return(v) (atomic64_sub_return(1, (v))) + + static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new) +@@ -166,6 +292,11 @@ static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new) + return cmpxchg(&v->counter, old, new); + } + ++static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new) ++{ ++ return cmpxchg(&v->counter, old, new); ++} ++ + static inline long atomic64_xchg(atomic64_t *v, long new) + { + return xchg(&v->counter, new); +@@ -182,17 +313,30 @@ static inline long atomic64_xchg(atomic64_t *v, long new) + */ + static inline int atomic64_add_unless(atomic64_t *v, long a, long u) + { +- long c, old; ++ long c, old, new; + c = atomic64_read(v); + for (;;) { +- if (unlikely(c == (u))) ++ if (unlikely(c == u)) + break; +- old = atomic64_cmpxchg((v), c, c + (a)); ++ ++ asm volatile("add %2,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ "sub %2,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "=r" (new) ++ : "0" (c), "ir" (a)); ++ ++ old = atomic64_cmpxchg(v, c, new); + if (likely(old == c)) + break; + c = old; + } +- return c != (u); ++ return c != u; + } + + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) +diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h +index 9fc1af7..fc71228 100644 +--- a/arch/x86/include/asm/bitops.h ++++ b/arch/x86/include/asm/bitops.h +@@ -49,7 +49,7 @@ + * a mask operation on a byte. + */ + #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr)) +-#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3)) ++#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3)) + #define CONST_MASK(nr) (1 << ((nr) & 7)) + + /** +@@ -205,7 +205,7 @@ static inline void change_bit(long nr, volatile unsigned long *addr) + */ + static inline int test_and_set_bit(long nr, volatile unsigned long *addr) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", "c"); ++ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", "c"); + } + + /** +@@ -251,7 +251,7 @@ static inline int __test_and_set_bit(long nr, volatile unsigned long *addr) + */ + static inline int test_and_clear_bit(long nr, volatile unsigned long *addr) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", "c"); ++ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", "c"); + } + + /** +@@ -304,7 +304,7 @@ static inline int __test_and_change_bit(long nr, volatile unsigned long *addr) + */ + static inline int test_and_change_bit(long nr, volatile unsigned long *addr) + { +- GEN_BINARY_RMWcc(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", "c"); ++ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", "c"); + } + + static __always_inline int constant_test_bit(long nr, const volatile unsigned long *addr) +@@ -345,7 +345,7 @@ static int test_bit(int nr, const volatile unsigned long *addr); + * + * Undefined if no bit exists, so code should check against 0 first. + */ +-static inline unsigned long __ffs(unsigned long word) ++static inline unsigned long __intentional_overflow(-1) __ffs(unsigned long word) + { + asm("rep; bsf %1,%0" + : "=r" (word) +@@ -359,7 +359,7 @@ static inline unsigned long __ffs(unsigned long word) + * + * Undefined if no zero exists, so code should check against ~0UL first. + */ +-static inline unsigned long ffz(unsigned long word) ++static inline unsigned long __intentional_overflow(-1) ffz(unsigned long word) + { + asm("rep; bsf %1,%0" + : "=r" (word) +@@ -373,7 +373,7 @@ static inline unsigned long ffz(unsigned long word) + * + * Undefined if no set bit exists, so code should check against 0 first. + */ +-static inline unsigned long __fls(unsigned long word) ++static inline unsigned long __intentional_overflow(-1) __fls(unsigned long word) + { + asm("bsr %1,%0" + : "=r" (word) +@@ -436,7 +436,7 @@ static inline int ffs(int x) + * set bit if value is nonzero. The last (most significant) bit is + * at position 32. + */ +-static inline int fls(int x) ++static inline int __intentional_overflow(-1) fls(int x) + { + int r; + +@@ -478,7 +478,7 @@ static inline int fls(int x) + * at position 64. + */ + #ifdef CONFIG_X86_64 +-static __always_inline int fls64(__u64 x) ++static __always_inline long fls64(__u64 x) + { + int bitpos = -1; + /* +diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h +index 4fa687a..60f2d39 100644 +--- a/arch/x86/include/asm/boot.h ++++ b/arch/x86/include/asm/boot.h +@@ -6,10 +6,15 @@ + #include + + /* Physical address where kernel should be loaded. */ +-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \ ++#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \ + + (CONFIG_PHYSICAL_ALIGN - 1)) \ + & ~(CONFIG_PHYSICAL_ALIGN - 1)) + ++#ifndef __ASSEMBLY__ ++extern unsigned char __LOAD_PHYSICAL_ADDR[]; ++#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR) ++#endif ++ + /* Minimum kernel alignment, as a power of two */ + #ifdef CONFIG_X86_64 + #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT +diff --git a/arch/x86/include/asm/cache.h b/arch/x86/include/asm/cache.h +index 48f99f1..d78ebf9 100644 +--- a/arch/x86/include/asm/cache.h ++++ b/arch/x86/include/asm/cache.h +@@ -5,12 +5,13 @@ + + /* L1 cache line size */ + #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT) +-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT) ++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) + + #define __read_mostly __attribute__((__section__(".data..read_mostly"))) ++#define __read_only __attribute__((__section__(".data..read_only"))) + + #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT +-#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT) ++#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT) + + #ifdef CONFIG_X86_VSMP + #ifdef CONFIG_SMP +diff --git a/arch/x86/include/asm/cacheflush.h b/arch/x86/include/asm/cacheflush.h +index 9863ee3..4a1f8e1 100644 +--- a/arch/x86/include/asm/cacheflush.h ++++ b/arch/x86/include/asm/cacheflush.h +@@ -27,7 +27,7 @@ static inline unsigned long get_page_memtype(struct page *pg) + unsigned long pg_flags = pg->flags & _PGMT_MASK; + + if (pg_flags == _PGMT_DEFAULT) +- return -1; ++ return ~0UL; + else if (pg_flags == _PGMT_WC) + return _PAGE_CACHE_WC; + else if (pg_flags == _PGMT_UC_MINUS) +diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h +index cb4c73b..c473c29 100644 +--- a/arch/x86/include/asm/calling.h ++++ b/arch/x86/include/asm/calling.h +@@ -82,103 +82,113 @@ For 32-bit we have the following conventions - kernel is built with + #define RSP 152 + #define SS 160 + +-#define ARGOFFSET R11 +-#define SWFRAME ORIG_RAX ++#define ARGOFFSET R15 + + .macro SAVE_ARGS addskip=0, save_rcx=1, save_r891011=1 +- subq $9*8+\addskip, %rsp +- CFI_ADJUST_CFA_OFFSET 9*8+\addskip +- movq_cfi rdi, 8*8 +- movq_cfi rsi, 7*8 +- movq_cfi rdx, 6*8 ++ subq $ORIG_RAX-ARGOFFSET+\addskip, %rsp ++ CFI_ADJUST_CFA_OFFSET ORIG_RAX-ARGOFFSET+\addskip ++ movq_cfi rdi, RDI ++ movq_cfi rsi, RSI ++ movq_cfi rdx, RDX + + .if \save_rcx +- movq_cfi rcx, 5*8 ++ movq_cfi rcx, RCX + .endif + +- movq_cfi rax, 4*8 ++ movq_cfi rax, RAX + + .if \save_r891011 +- movq_cfi r8, 3*8 +- movq_cfi r9, 2*8 +- movq_cfi r10, 1*8 +- movq_cfi r11, 0*8 ++ movq_cfi r8, R8 ++ movq_cfi r9, R9 ++ movq_cfi r10, R10 ++ movq_cfi r11, R11 + .endif + ++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ movq_cfi r12, R12 ++#endif ++ + .endm + +-#define ARG_SKIP (9*8) ++#define ARG_SKIP ORIG_RAX + + .macro RESTORE_ARGS rstor_rax=1, addskip=0, rstor_rcx=1, rstor_r11=1, \ + rstor_r8910=1, rstor_rdx=1 ++ ++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ movq_cfi_restore R12, r12 ++#endif ++ + .if \rstor_r11 +- movq_cfi_restore 0*8, r11 ++ movq_cfi_restore R11, r11 + .endif + + .if \rstor_r8910 +- movq_cfi_restore 1*8, r10 +- movq_cfi_restore 2*8, r9 +- movq_cfi_restore 3*8, r8 ++ movq_cfi_restore R10, r10 ++ movq_cfi_restore R9, r9 ++ movq_cfi_restore R8, r8 + .endif + + .if \rstor_rax +- movq_cfi_restore 4*8, rax ++ movq_cfi_restore RAX, rax + .endif + + .if \rstor_rcx +- movq_cfi_restore 5*8, rcx ++ movq_cfi_restore RCX, rcx + .endif + + .if \rstor_rdx +- movq_cfi_restore 6*8, rdx ++ movq_cfi_restore RDX, rdx + .endif + +- movq_cfi_restore 7*8, rsi +- movq_cfi_restore 8*8, rdi ++ movq_cfi_restore RSI, rsi ++ movq_cfi_restore RDI, rdi + +- .if ARG_SKIP+\addskip > 0 +- addq $ARG_SKIP+\addskip, %rsp +- CFI_ADJUST_CFA_OFFSET -(ARG_SKIP+\addskip) ++ .if ORIG_RAX+\addskip > 0 ++ addq $ORIG_RAX+\addskip, %rsp ++ CFI_ADJUST_CFA_OFFSET -(ORIG_RAX+\addskip) + .endif + .endm + +- .macro LOAD_ARGS offset, skiprax=0 +- movq \offset(%rsp), %r11 +- movq \offset+8(%rsp), %r10 +- movq \offset+16(%rsp), %r9 +- movq \offset+24(%rsp), %r8 +- movq \offset+40(%rsp), %rcx +- movq \offset+48(%rsp), %rdx +- movq \offset+56(%rsp), %rsi +- movq \offset+64(%rsp), %rdi ++ .macro LOAD_ARGS skiprax=0 ++ movq R11(%rsp), %r11 ++ movq R10(%rsp), %r10 ++ movq R9(%rsp), %r9 ++ movq R8(%rsp), %r8 ++ movq RCX(%rsp), %rcx ++ movq RDX(%rsp), %rdx ++ movq RSI(%rsp), %rsi ++ movq RDI(%rsp), %rdi + .if \skiprax + .else +- movq \offset+72(%rsp), %rax ++ movq RAX(%rsp), %rax + .endif + .endm + +-#define REST_SKIP (6*8) +- + .macro SAVE_REST +- subq $REST_SKIP, %rsp +- CFI_ADJUST_CFA_OFFSET REST_SKIP +- movq_cfi rbx, 5*8 +- movq_cfi rbp, 4*8 +- movq_cfi r12, 3*8 +- movq_cfi r13, 2*8 +- movq_cfi r14, 1*8 +- movq_cfi r15, 0*8 ++ movq_cfi rbx, RBX ++ movq_cfi rbp, RBP ++ ++#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ movq_cfi r12, R12 ++#endif ++ ++ movq_cfi r13, R13 ++ movq_cfi r14, R14 ++ movq_cfi r15, R15 + .endm + + .macro RESTORE_REST +- movq_cfi_restore 0*8, r15 +- movq_cfi_restore 1*8, r14 +- movq_cfi_restore 2*8, r13 +- movq_cfi_restore 3*8, r12 +- movq_cfi_restore 4*8, rbp +- movq_cfi_restore 5*8, rbx +- addq $REST_SKIP, %rsp +- CFI_ADJUST_CFA_OFFSET -(REST_SKIP) ++ movq_cfi_restore R15, r15 ++ movq_cfi_restore R14, r14 ++ movq_cfi_restore R13, r13 ++ ++#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR ++ movq_cfi_restore R12, r12 ++#endif ++ ++ movq_cfi_restore RBP, rbp ++ movq_cfi_restore RBX, rbx + .endm + + .macro SAVE_ALL +diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h +index f50de69..2b0a458 100644 +--- a/arch/x86/include/asm/checksum_32.h ++++ b/arch/x86/include/asm/checksum_32.h +@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst, + int len, __wsum sum, + int *src_err_ptr, int *dst_err_ptr); + ++asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst, ++ int len, __wsum sum, ++ int *src_err_ptr, int *dst_err_ptr); ++ ++asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst, ++ int len, __wsum sum, ++ int *src_err_ptr, int *dst_err_ptr); ++ + /* + * Note: when you get a NULL pointer exception here this means someone + * passed in an incorrect kernel address to one of these functions. +@@ -53,7 +61,7 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src, + + might_sleep(); + stac(); +- ret = csum_partial_copy_generic((__force void *)src, dst, ++ ret = csum_partial_copy_generic_from_user((__force void *)src, dst, + len, sum, err_ptr, NULL); + clac(); + +@@ -187,7 +195,7 @@ static inline __wsum csum_and_copy_to_user(const void *src, + might_sleep(); + if (access_ok(VERIFY_WRITE, dst, len)) { + stac(); +- ret = csum_partial_copy_generic(src, (__force void *)dst, ++ ret = csum_partial_copy_generic_to_user(src, (__force void *)dst, + len, sum, NULL, err_ptr); + clac(); + return ret; +diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h +index d47786a..ce1b05d 100644 +--- a/arch/x86/include/asm/cmpxchg.h ++++ b/arch/x86/include/asm/cmpxchg.h +@@ -14,8 +14,12 @@ extern void __cmpxchg_wrong_size(void) + __compiletime_error("Bad argument size for cmpxchg"); + extern void __xadd_wrong_size(void) + __compiletime_error("Bad argument size for xadd"); ++extern void __xadd_check_overflow_wrong_size(void) ++ __compiletime_error("Bad argument size for xadd_check_overflow"); + extern void __add_wrong_size(void) + __compiletime_error("Bad argument size for add"); ++extern void __add_check_overflow_wrong_size(void) ++ __compiletime_error("Bad argument size for add_check_overflow"); + + /* + * Constants for operation sizes. On 32-bit, the 64-bit size it set to +@@ -67,6 +71,34 @@ extern void __add_wrong_size(void) + __ret; \ + }) + ++#define __xchg_op_check_overflow(ptr, arg, op, lock) \ ++ ({ \ ++ __typeof__ (*(ptr)) __ret = (arg); \ ++ switch (sizeof(*(ptr))) { \ ++ case __X86_CASE_L: \ ++ asm volatile (lock #op "l %0, %1\n" \ ++ "jno 0f\n" \ ++ "mov %0,%1\n" \ ++ "int $4\n0:\n" \ ++ _ASM_EXTABLE(0b, 0b) \ ++ : "+r" (__ret), "+m" (*(ptr)) \ ++ : : "memory", "cc"); \ ++ break; \ ++ case __X86_CASE_Q: \ ++ asm volatile (lock #op "q %q0, %1\n" \ ++ "jno 0f\n" \ ++ "mov %0,%1\n" \ ++ "int $4\n0:\n" \ ++ _ASM_EXTABLE(0b, 0b) \ ++ : "+r" (__ret), "+m" (*(ptr)) \ ++ : : "memory", "cc"); \ ++ break; \ ++ default: \ ++ __ ## op ## _check_overflow_wrong_size(); \ ++ } \ ++ __ret; \ ++ }) ++ + /* + * Note: no "lock" prefix even on SMP: xchg always implies lock anyway. + * Since this is generally used to protect other memory information, we +@@ -167,6 +199,9 @@ extern void __add_wrong_size(void) + #define xadd_sync(ptr, inc) __xadd((ptr), (inc), "lock; ") + #define xadd_local(ptr, inc) __xadd((ptr), (inc), "") + ++#define __xadd_check_overflow(ptr, inc, lock) __xchg_op_check_overflow((ptr), (inc), xadd, lock) ++#define xadd_check_overflow(ptr, inc) __xadd_check_overflow((ptr), (inc), LOCK_PREFIX) ++ + #define __add(ptr, inc, lock) \ + ({ \ + __typeof__ (*(ptr)) __ret = (inc); \ +diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h +index 59c6c40..5e0b22c 100644 +--- a/arch/x86/include/asm/compat.h ++++ b/arch/x86/include/asm/compat.h +@@ -41,7 +41,7 @@ typedef s64 __attribute__((aligned(4))) compat_s64; + typedef u32 compat_uint_t; + typedef u32 compat_ulong_t; + typedef u64 __attribute__((aligned(4))) compat_u64; +-typedef u32 compat_uptr_t; ++typedef u32 __user compat_uptr_t; + + struct compat_timespec { + compat_time_t tv_sec; +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index e099f95..5aa0fb2 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -203,7 +203,7 @@ + #define X86_FEATURE_DECODEASSISTS (8*32+12) /* AMD Decode Assists support */ + #define X86_FEATURE_PAUSEFILTER (8*32+13) /* AMD filtered pause intercept */ + #define X86_FEATURE_PFTHRESHOLD (8*32+14) /* AMD pause filter threshold */ +- ++#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */ + + /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */ + #define X86_FEATURE_FSGSBASE (9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/ +@@ -211,7 +211,7 @@ + #define X86_FEATURE_BMI1 (9*32+ 3) /* 1st group bit manipulation extensions */ + #define X86_FEATURE_HLE (9*32+ 4) /* Hardware Lock Elision */ + #define X86_FEATURE_AVX2 (9*32+ 5) /* AVX2 instructions */ +-#define X86_FEATURE_SMEP (9*32+ 7) /* Supervisor Mode Execution Protection */ ++#define X86_FEATURE_SMEP (9*32+ 7) /* Supervisor Mode Execution Prevention */ + #define X86_FEATURE_BMI2 (9*32+ 8) /* 2nd group bit manipulation extensions */ + #define X86_FEATURE_ERMS (9*32+ 9) /* Enhanced REP MOVSB/STOSB */ + #define X86_FEATURE_INVPCID (9*32+10) /* Invalidate Processor Context ID */ +@@ -354,6 +354,7 @@ extern const char * const x86_power_flags[32]; + #undef cpu_has_centaur_mcr + #define cpu_has_centaur_mcr 0 + ++#define cpu_has_pcid boot_cpu_has(X86_FEATURE_PCID) + #endif /* CONFIG_X86_64 */ + + #if __GNUC__ >= 4 +@@ -406,7 +407,8 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) + + #ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS + t_warn: +- warn_pre_alternatives(); ++ if (bit != X86_FEATURE_PCID && bit != X86_FEATURE_INVPCID) ++ warn_pre_alternatives(); + return false; + #endif + +@@ -426,7 +428,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) + ".section .discard,\"aw\",@progbits\n" + " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ + ".previous\n" +- ".section .altinstr_replacement,\"ax\"\n" ++ ".section .altinstr_replacement,\"a\"\n" + "3: movb $1,%0\n" + "4:\n" + ".previous\n" +@@ -463,7 +465,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) + " .byte 2b - 1b\n" /* src len */ + " .byte 4f - 3f\n" /* repl len */ + ".previous\n" +- ".section .altinstr_replacement,\"ax\"\n" ++ ".section .altinstr_replacement,\"a\"\n" + "3: .byte 0xe9\n .long %l[t_no] - 2b\n" + "4:\n" + ".previous\n" +@@ -496,7 +498,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) + ".section .discard,\"aw\",@progbits\n" + " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ + ".previous\n" +- ".section .altinstr_replacement,\"ax\"\n" ++ ".section .altinstr_replacement,\"a\"\n" + "3: movb $0,%0\n" + "4:\n" + ".previous\n" +@@ -510,7 +512,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) + ".section .discard,\"aw\",@progbits\n" + " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */ + ".previous\n" +- ".section .altinstr_replacement,\"ax\"\n" ++ ".section .altinstr_replacement,\"a\"\n" + "5: movb $1,%0\n" + "6:\n" + ".previous\n" +diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h +index 50d033a..37deb26 100644 +--- a/arch/x86/include/asm/desc.h ++++ b/arch/x86/include/asm/desc.h +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -17,6 +18,7 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in + + desc->type = (info->read_exec_only ^ 1) << 1; + desc->type |= info->contents << 2; ++ desc->type |= info->seg_not_present ^ 1; + + desc->s = 1; + desc->dpl = 0x3; +@@ -35,19 +37,14 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in + } + + extern struct desc_ptr idt_descr; +-extern gate_desc idt_table[]; +-extern struct desc_ptr debug_idt_descr; +-extern gate_desc debug_idt_table[]; +- +-struct gdt_page { +- struct desc_struct gdt[GDT_ENTRIES]; +-} __attribute__((aligned(PAGE_SIZE))); +- +-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page); ++extern gate_desc idt_table[IDT_ENTRIES]; ++extern const struct desc_ptr debug_idt_descr; ++extern gate_desc debug_idt_table[IDT_ENTRIES]; + ++extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]; + static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu) + { +- return per_cpu(gdt_page, cpu).gdt; ++ return cpu_gdt_table[cpu]; + } + + #ifdef CONFIG_X86_64 +@@ -72,8 +69,14 @@ static inline void pack_gate(gate_desc *gate, unsigned char type, + unsigned long base, unsigned dpl, unsigned flags, + unsigned short seg) + { +- gate->a = (seg << 16) | (base & 0xffff); +- gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8); ++ gate->gate.offset_low = base; ++ gate->gate.seg = seg; ++ gate->gate.reserved = 0; ++ gate->gate.type = type; ++ gate->gate.s = 0; ++ gate->gate.dpl = dpl; ++ gate->gate.p = 1; ++ gate->gate.offset_high = base >> 16; + } + + #endif +@@ -118,12 +121,16 @@ static inline void paravirt_free_ldt(struct desc_struct *ldt, unsigned entries) + + static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate) + { ++ pax_open_kernel(); + memcpy(&idt[entry], gate, sizeof(*gate)); ++ pax_close_kernel(); + } + + static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc) + { ++ pax_open_kernel(); + memcpy(&ldt[entry], desc, 8); ++ pax_close_kernel(); + } + + static inline void +@@ -137,7 +144,9 @@ native_write_gdt_entry(struct desc_struct *gdt, int entry, const void *desc, int + default: size = sizeof(*gdt); break; + } + ++ pax_open_kernel(); + memcpy(&gdt[entry], desc, size); ++ pax_close_kernel(); + } + + static inline void pack_descriptor(struct desc_struct *desc, unsigned long base, +@@ -210,7 +219,9 @@ static inline void native_set_ldt(const void *addr, unsigned int entries) + + static inline void native_load_tr_desc(void) + { ++ pax_open_kernel(); + asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8)); ++ pax_close_kernel(); + } + + static inline void native_load_gdt(const struct desc_ptr *dtr) +@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) + struct desc_struct *gdt = get_cpu_gdt_table(cpu); + unsigned int i; + ++ pax_open_kernel(); + for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++) + gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i]; ++ pax_close_kernel(); + } + + #define _LDT_empty(info) \ +@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc) + preempt_enable(); + } + +-static inline unsigned long get_desc_base(const struct desc_struct *desc) ++static inline unsigned long __intentional_overflow(-1) get_desc_base(const struct desc_struct *desc) + { + return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24)); + } +@@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) + } + + #ifdef CONFIG_X86_64 +-static inline void set_nmi_gate(int gate, void *addr) ++static inline void set_nmi_gate(int gate, const void *addr) + { + gate_desc s; + +@@ -321,14 +334,14 @@ static inline void set_nmi_gate(int gate, void *addr) + #endif + + #ifdef CONFIG_TRACING +-extern struct desc_ptr trace_idt_descr; +-extern gate_desc trace_idt_table[]; ++extern const struct desc_ptr trace_idt_descr; ++extern gate_desc trace_idt_table[IDT_ENTRIES]; + static inline void write_trace_idt_entry(int entry, const gate_desc *gate) + { + write_idt_entry(trace_idt_table, entry, gate); + } + +-static inline void _trace_set_gate(int gate, unsigned type, void *addr, ++static inline void _trace_set_gate(int gate, unsigned type, const void *addr, + unsigned dpl, unsigned ist, unsigned seg) + { + gate_desc s; +@@ -348,7 +361,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) + #define _trace_set_gate(gate, type, addr, dpl, ist, seg) + #endif + +-static inline void _set_gate(int gate, unsigned type, void *addr, ++static inline void _set_gate(int gate, unsigned type, const void *addr, + unsigned dpl, unsigned ist, unsigned seg) + { + gate_desc s; +@@ -371,9 +384,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, + #define set_intr_gate(n, addr) \ + do { \ + BUG_ON((unsigned)n > 0xFF); \ +- _set_gate(n, GATE_INTERRUPT, (void *)addr, 0, 0, \ ++ _set_gate(n, GATE_INTERRUPT, (const void *)addr, 0, 0, \ + __KERNEL_CS); \ +- _trace_set_gate(n, GATE_INTERRUPT, (void *)trace_##addr,\ ++ _trace_set_gate(n, GATE_INTERRUPT, (const void *)trace_##addr,\ + 0, 0, __KERNEL_CS); \ + } while (0) + +@@ -401,19 +414,19 @@ static inline void alloc_system_vector(int vector) + /* + * This routine sets up an interrupt gate at directory privilege level 3. + */ +-static inline void set_system_intr_gate(unsigned int n, void *addr) ++static inline void set_system_intr_gate(unsigned int n, const void *addr) + { + BUG_ON((unsigned)n > 0xFF); + _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS); + } + +-static inline void set_system_trap_gate(unsigned int n, void *addr) ++static inline void set_system_trap_gate(unsigned int n, const void *addr) + { + BUG_ON((unsigned)n > 0xFF); + _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS); + } + +-static inline void set_trap_gate(unsigned int n, void *addr) ++static inline void set_trap_gate(unsigned int n, const void *addr) + { + BUG_ON((unsigned)n > 0xFF); + _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS); +@@ -422,16 +435,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) + static inline void set_task_gate(unsigned int n, unsigned int gdt_entry) + { + BUG_ON((unsigned)n > 0xFF); +- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3)); ++ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3)); + } + +-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist) ++static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist) + { + BUG_ON((unsigned)n > 0xFF); + _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS); + } + +-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist) ++static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist) + { + BUG_ON((unsigned)n > 0xFF); + _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS); +@@ -503,4 +516,17 @@ static inline void load_current_idt(void) + else + load_idt((const struct desc_ptr *)&idt_descr); + } ++ ++#ifdef CONFIG_X86_32 ++static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu) ++{ ++ struct desc_struct d; ++ ++ if (likely(limit)) ++ limit = (limit - 1UL) >> PAGE_SHIFT; ++ pack_descriptor(&d, base, limit, 0xFB, 0xC); ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S); ++} ++#endif ++ + #endif /* _ASM_X86_DESC_H */ +diff --git a/arch/x86/include/asm/desc_defs.h b/arch/x86/include/asm/desc_defs.h +index 278441f..b95a174 100644 +--- a/arch/x86/include/asm/desc_defs.h ++++ b/arch/x86/include/asm/desc_defs.h +@@ -31,6 +31,12 @@ struct desc_struct { + unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1; + unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8; + }; ++ struct { ++ u16 offset_low; ++ u16 seg; ++ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1; ++ unsigned offset_high: 16; ++ } gate; + }; + } __attribute__((packed)); + +diff --git a/arch/x86/include/asm/div64.h b/arch/x86/include/asm/div64.h +index ced283a..ffe04cc 100644 +--- a/arch/x86/include/asm/div64.h ++++ b/arch/x86/include/asm/div64.h +@@ -39,7 +39,7 @@ + __mod; \ + }) + +-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder) ++static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder) + { + union { + u64 v64; +diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h +index 9c999c1..3860cb8 100644 +--- a/arch/x86/include/asm/elf.h ++++ b/arch/x86/include/asm/elf.h +@@ -243,7 +243,25 @@ extern int force_personality32; + the loader. We need to make sure that it is out of the way of the program + that it will "exec", and that there is sufficient room for the brk. */ + ++#ifdef CONFIG_PAX_SEGMEXEC ++#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2) ++#else + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) ++#endif ++ ++#ifdef CONFIG_PAX_ASLR ++#ifdef CONFIG_X86_32 ++#define PAX_ELF_ET_DYN_BASE 0x10000000UL ++ ++#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16) ++#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16) ++#else ++#define PAX_ELF_ET_DYN_BASE 0x400000UL ++ ++#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3) ++#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3) ++#endif ++#endif + + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. This could be done in user space, +@@ -296,16 +314,12 @@ do { \ + + #define ARCH_DLINFO \ + do { \ +- if (vdso_enabled) \ +- NEW_AUX_ENT(AT_SYSINFO_EHDR, \ +- (unsigned long)current->mm->context.vdso); \ ++ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \ + } while (0) + + #define ARCH_DLINFO_X32 \ + do { \ +- if (vdso_enabled) \ +- NEW_AUX_ENT(AT_SYSINFO_EHDR, \ +- (unsigned long)current->mm->context.vdso); \ ++ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \ + } while (0) + + #define AT_SYSINFO 32 +@@ -320,7 +334,7 @@ else \ + + #endif /* !CONFIG_X86_32 */ + +-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso) ++#define VDSO_CURRENT_BASE (current->mm->context.vdso) + + #define VDSO_ENTRY \ + ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall)) +@@ -336,9 +350,6 @@ extern int x32_setup_additional_pages(struct linux_binprm *bprm, + extern int syscall32_setup_pages(struct linux_binprm *, int exstack); + #define compat_arch_setup_additional_pages syscall32_setup_pages + +-extern unsigned long arch_randomize_brk(struct mm_struct *mm); +-#define arch_randomize_brk arch_randomize_brk +- + /* + * True on X86_32 or when emulating IA32 on X86_64 + */ +diff --git a/arch/x86/include/asm/emergency-restart.h b/arch/x86/include/asm/emergency-restart.h +index 77a99ac..39ff7f5 100644 +--- a/arch/x86/include/asm/emergency-restart.h ++++ b/arch/x86/include/asm/emergency-restart.h +@@ -1,6 +1,6 @@ + #ifndef _ASM_X86_EMERGENCY_RESTART_H + #define _ASM_X86_EMERGENCY_RESTART_H + +-extern void machine_emergency_restart(void); ++extern void machine_emergency_restart(void) __noreturn; + + #endif /* _ASM_X86_EMERGENCY_RESTART_H */ +diff --git a/arch/x86/include/asm/floppy.h b/arch/x86/include/asm/floppy.h +index d3d7469..677ef72 100644 +--- a/arch/x86/include/asm/floppy.h ++++ b/arch/x86/include/asm/floppy.h +@@ -229,18 +229,18 @@ static struct fd_routine_l { + int (*_dma_setup)(char *addr, unsigned long size, int mode, int io); + } fd_routine[] = { + { +- request_dma, +- free_dma, +- get_dma_residue, +- dma_mem_alloc, +- hard_dma_setup ++ ._request_dma = request_dma, ++ ._free_dma = free_dma, ++ ._get_dma_residue = get_dma_residue, ++ ._dma_mem_alloc = dma_mem_alloc, ++ ._dma_setup = hard_dma_setup + }, + { +- vdma_request_dma, +- vdma_nop, +- vdma_get_dma_residue, +- vdma_mem_alloc, +- vdma_dma_setup ++ ._request_dma = vdma_request_dma, ++ ._free_dma = vdma_nop, ++ ._get_dma_residue = vdma_get_dma_residue, ++ ._dma_mem_alloc = vdma_mem_alloc, ++ ._dma_setup = vdma_dma_setup + } + }; + +diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h +index cea1c76..6c0d79b 100644 +--- a/arch/x86/include/asm/fpu-internal.h ++++ b/arch/x86/include/asm/fpu-internal.h +@@ -124,8 +124,11 @@ static inline void sanitize_i387_state(struct task_struct *tsk) + #define user_insn(insn, output, input...) \ + ({ \ + int err; \ ++ pax_open_userland(); \ + asm volatile(ASM_STAC "\n" \ +- "1:" #insn "\n\t" \ ++ "1:" \ ++ __copyuser_seg \ ++ #insn "\n\t" \ + "2: " ASM_CLAC "\n" \ + ".section .fixup,\"ax\"\n" \ + "3: movl $-1,%[err]\n" \ +@@ -134,6 +137,7 @@ static inline void sanitize_i387_state(struct task_struct *tsk) + _ASM_EXTABLE(1b, 3b) \ + : [err] "=r" (err), output \ + : "0"(0), input); \ ++ pax_close_userland(); \ + err; \ + }) + +@@ -298,7 +302,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk) + "fnclex\n\t" + "emms\n\t" + "fildl %P[addr]" /* set F?P to defined value */ +- : : [addr] "m" (tsk->thread.fpu.has_fpu)); ++ : : [addr] "m" (init_tss[raw_smp_processor_id()].x86_tss.sp0)); + } + + return fpu_restore_checking(&tsk->thread.fpu); +diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h +index b4c1f54..e290c08 100644 +--- a/arch/x86/include/asm/futex.h ++++ b/arch/x86/include/asm/futex.h +@@ -12,6 +12,7 @@ + #include + + #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \ ++ typecheck(u32 __user *, uaddr); \ + asm volatile("\t" ASM_STAC "\n" \ + "1:\t" insn "\n" \ + "2:\t" ASM_CLAC "\n" \ +@@ -20,15 +21,16 @@ + "\tjmp\t2b\n" \ + "\t.previous\n" \ + _ASM_EXTABLE(1b, 3b) \ +- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \ ++ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr)) \ + : "i" (-EFAULT), "0" (oparg), "1" (0)) + + #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \ ++ typecheck(u32 __user *, uaddr); \ + asm volatile("\t" ASM_STAC "\n" \ + "1:\tmovl %2, %0\n" \ + "\tmovl\t%0, %3\n" \ + "\t" insn "\n" \ +- "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \ ++ "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \ + "\tjnz\t1b\n" \ + "3:\t" ASM_CLAC "\n" \ + "\t.section .fixup,\"ax\"\n" \ +@@ -38,7 +40,7 @@ + _ASM_EXTABLE(1b, 4b) \ + _ASM_EXTABLE(2b, 4b) \ + : "=&a" (oldval), "=&r" (ret), \ +- "+m" (*uaddr), "=&r" (tem) \ ++ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \ + : "r" (oparg), "i" (-EFAULT), "1" (0)) + + static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) +@@ -57,12 +59,13 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_disable(); + ++ pax_open_userland(); + switch (op) { + case FUTEX_OP_SET: +- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg); ++ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg); + break; + case FUTEX_OP_ADD: +- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval, ++ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval, + uaddr, oparg); + break; + case FUTEX_OP_OR: +@@ -77,6 +80,7 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + default: + ret = -ENOSYS; + } ++ pax_close_userland(); + + pagefault_enable(); + +diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h +index 67d69b8..50e4b77 100644 +--- a/arch/x86/include/asm/hw_irq.h ++++ b/arch/x86/include/asm/hw_irq.h +@@ -165,8 +165,8 @@ extern void setup_ioapic_dest(void); + extern void enable_IO_APIC(void); + + /* Statistics */ +-extern atomic_t irq_err_count; +-extern atomic_t irq_mis_count; ++extern atomic_unchecked_t irq_err_count; ++extern atomic_unchecked_t irq_mis_count; + + /* EISA */ + extern void eisa_set_level_irq(unsigned int irq); +diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h +index a203659..9889f1c 100644 +--- a/arch/x86/include/asm/i8259.h ++++ b/arch/x86/include/asm/i8259.h +@@ -62,7 +62,7 @@ struct legacy_pic { + void (*init)(int auto_eoi); + int (*irq_pending)(unsigned int irq); + void (*make_irq)(unsigned int irq); +-}; ++} __do_const; + + extern struct legacy_pic *legacy_pic; + extern struct legacy_pic null_legacy_pic; +diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h +index 91d9c69..dfae7d0 100644 +--- a/arch/x86/include/asm/io.h ++++ b/arch/x86/include/asm/io.h +@@ -51,12 +51,12 @@ static inline void name(type val, volatile void __iomem *addr) \ + "m" (*(volatile type __force *)addr) barrier); } + + build_mmio_read(readb, "b", unsigned char, "=q", :"memory") +-build_mmio_read(readw, "w", unsigned short, "=r", :"memory") +-build_mmio_read(readl, "l", unsigned int, "=r", :"memory") ++build_mmio_read(__intentional_overflow(-1) readw, "w", unsigned short, "=r", :"memory") ++build_mmio_read(__intentional_overflow(-1) readl, "l", unsigned int, "=r", :"memory") + + build_mmio_read(__readb, "b", unsigned char, "=q", ) +-build_mmio_read(__readw, "w", unsigned short, "=r", ) +-build_mmio_read(__readl, "l", unsigned int, "=r", ) ++build_mmio_read(__intentional_overflow(-1) __readw, "w", unsigned short, "=r", ) ++build_mmio_read(__intentional_overflow(-1) __readl, "l", unsigned int, "=r", ) + + build_mmio_write(writeb, "b", unsigned char, "q", :"memory") + build_mmio_write(writew, "w", unsigned short, "r", :"memory") +@@ -184,7 +184,7 @@ static inline void __iomem *ioremap(resource_size_t offset, unsigned long size) + return ioremap_nocache(offset, size); + } + +-extern void iounmap(volatile void __iomem *addr); ++extern void iounmap(const volatile void __iomem *addr); + + extern void set_iounmap_nonlazy(void); + +@@ -194,6 +194,17 @@ extern void set_iounmap_nonlazy(void); + + #include + ++#define ARCH_HAS_VALID_PHYS_ADDR_RANGE ++static inline int valid_phys_addr_range(unsigned long addr, size_t count) ++{ ++ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0; ++} ++ ++static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count) ++{ ++ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0; ++} ++ + /* + * Convert a virtual cached pointer to an uncached pointer + */ +diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h +index bba3cf8..06bc8da 100644 +--- a/arch/x86/include/asm/irqflags.h ++++ b/arch/x86/include/asm/irqflags.h +@@ -141,6 +141,11 @@ static inline notrace unsigned long arch_local_irq_save(void) + sti; \ + sysexit + ++#define GET_CR0_INTO_RDI mov %cr0, %rdi ++#define SET_RDI_INTO_CR0 mov %rdi, %cr0 ++#define GET_CR3_INTO_RDI mov %cr3, %rdi ++#define SET_RDI_INTO_CR3 mov %rdi, %cr3 ++ + #else + #define INTERRUPT_RETURN iret + #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit +diff --git a/arch/x86/include/asm/kprobes.h b/arch/x86/include/asm/kprobes.h +index 9454c16..e4100e3 100644 +--- a/arch/x86/include/asm/kprobes.h ++++ b/arch/x86/include/asm/kprobes.h +@@ -38,13 +38,8 @@ typedef u8 kprobe_opcode_t; + #define RELATIVEJUMP_SIZE 5 + #define RELATIVECALL_OPCODE 0xe8 + #define RELATIVE_ADDR_SIZE 4 +-#define MAX_STACK_SIZE 64 +-#define MIN_STACK_SIZE(ADDR) \ +- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \ +- THREAD_SIZE - (unsigned long)(ADDR))) \ +- ? (MAX_STACK_SIZE) \ +- : (((unsigned long)current_thread_info()) + \ +- THREAD_SIZE - (unsigned long)(ADDR))) ++#define MAX_STACK_SIZE 64UL ++#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR)) + + #define flush_insn_slot(p) do { } while (0) + +diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h +index 4ad6560..75c7bdd 100644 +--- a/arch/x86/include/asm/local.h ++++ b/arch/x86/include/asm/local.h +@@ -10,33 +10,97 @@ typedef struct { + atomic_long_t a; + } local_t; + ++typedef struct { ++ atomic_long_unchecked_t a; ++} local_unchecked_t; ++ + #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) } + + #define local_read(l) atomic_long_read(&(l)->a) ++#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a) + #define local_set(l, i) atomic_long_set(&(l)->a, (i)) ++#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i)) + + static inline void local_inc(local_t *l) + { +- asm volatile(_ASM_INC "%0" ++ asm volatile(_ASM_INC "%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ _ASM_DEC "%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+m" (l->a.counter)); ++} ++ ++static inline void local_inc_unchecked(local_unchecked_t *l) ++{ ++ asm volatile(_ASM_INC "%0\n" + : "+m" (l->a.counter)); + } + + static inline void local_dec(local_t *l) + { +- asm volatile(_ASM_DEC "%0" ++ asm volatile(_ASM_DEC "%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ _ASM_INC "%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+m" (l->a.counter)); ++} ++ ++static inline void local_dec_unchecked(local_unchecked_t *l) ++{ ++ asm volatile(_ASM_DEC "%0\n" + : "+m" (l->a.counter)); + } + + static inline void local_add(long i, local_t *l) + { +- asm volatile(_ASM_ADD "%1,%0" ++ asm volatile(_ASM_ADD "%1,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ _ASM_SUB "%1,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+m" (l->a.counter) ++ : "ir" (i)); ++} ++ ++static inline void local_add_unchecked(long i, local_unchecked_t *l) ++{ ++ asm volatile(_ASM_ADD "%1,%0\n" + : "+m" (l->a.counter) + : "ir" (i)); + } + + static inline void local_sub(long i, local_t *l) + { +- asm volatile(_ASM_SUB "%1,%0" ++ asm volatile(_ASM_SUB "%1,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ _ASM_ADD "%1,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+m" (l->a.counter) ++ : "ir" (i)); ++} ++ ++static inline void local_sub_unchecked(long i, local_unchecked_t *l) ++{ ++ asm volatile(_ASM_SUB "%1,%0\n" + : "+m" (l->a.counter) + : "ir" (i)); + } +@@ -52,7 +116,7 @@ static inline void local_sub(long i, local_t *l) + */ + static inline int local_sub_and_test(long i, local_t *l) + { +- GEN_BINARY_RMWcc(_ASM_SUB, l->a.counter, "er", i, "%0", "e"); ++ GEN_BINARY_RMWcc(_ASM_SUB, _ASM_ADD, l->a.counter, "er", i, "%0", "e"); + } + + /** +@@ -65,7 +129,7 @@ static inline int local_sub_and_test(long i, local_t *l) + */ + static inline int local_dec_and_test(local_t *l) + { +- GEN_UNARY_RMWcc(_ASM_DEC, l->a.counter, "%0", "e"); ++ GEN_UNARY_RMWcc(_ASM_DEC, _ASM_INC, l->a.counter, "%0", "e"); + } + + /** +@@ -78,7 +142,7 @@ static inline int local_dec_and_test(local_t *l) + */ + static inline int local_inc_and_test(local_t *l) + { +- GEN_UNARY_RMWcc(_ASM_INC, l->a.counter, "%0", "e"); ++ GEN_UNARY_RMWcc(_ASM_INC, _ASM_DEC, l->a.counter, "%0", "e"); + } + + /** +@@ -92,7 +156,7 @@ static inline int local_inc_and_test(local_t *l) + */ + static inline int local_add_negative(long i, local_t *l) + { +- GEN_BINARY_RMWcc(_ASM_ADD, l->a.counter, "er", i, "%0", "s"); ++ GEN_BINARY_RMWcc(_ASM_ADD, _ASM_SUB, l->a.counter, "er", i, "%0", "s"); + } + + /** +@@ -105,6 +169,30 @@ static inline int local_add_negative(long i, local_t *l) + static inline long local_add_return(long i, local_t *l) + { + long __i = i; ++ asm volatile(_ASM_XADD "%0, %1\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ _ASM_MOV "%0,%1\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++ : "+r" (i), "+m" (l->a.counter) ++ : : "memory"); ++ return i + __i; ++} ++ ++/** ++ * local_add_return_unchecked - add and return ++ * @i: integer value to add ++ * @l: pointer to type local_unchecked_t ++ * ++ * Atomically adds @i to @l and returns @i + @l ++ */ ++static inline long local_add_return_unchecked(long i, local_unchecked_t *l) ++{ ++ long __i = i; + asm volatile(_ASM_XADD "%0, %1;" + : "+r" (i), "+m" (l->a.counter) + : : "memory"); +@@ -121,6 +209,8 @@ static inline long local_sub_return(long i, local_t *l) + + #define local_cmpxchg(l, o, n) \ + (cmpxchg_local(&((l)->a.counter), (o), (n))) ++#define local_cmpxchg_unchecked(l, o, n) \ ++ (cmpxchg_local(&((l)->a.counter), (o), (n))) + /* Always has a lock prefix */ + #define local_xchg(l, n) (xchg(&((l)->a.counter), (n))) + +diff --git a/arch/x86/include/asm/mman.h b/arch/x86/include/asm/mman.h +new file mode 100644 +index 0000000..2bfd3ba +--- /dev/null ++++ b/arch/x86/include/asm/mman.h +@@ -0,0 +1,15 @@ ++#ifndef _X86_MMAN_H ++#define _X86_MMAN_H ++ ++#include ++ ++#ifdef __KERNEL__ ++#ifndef __ASSEMBLY__ ++#ifdef CONFIG_X86_32 ++#define arch_mmap_check i386_mmap_check ++int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags); ++#endif ++#endif ++#endif ++ ++#endif /* X86_MMAN_H */ +diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h +index 5f55e69..e20bfb1 100644 +--- a/arch/x86/include/asm/mmu.h ++++ b/arch/x86/include/asm/mmu.h +@@ -9,7 +9,7 @@ + * we put the segment information here. + */ + typedef struct { +- void *ldt; ++ struct desc_struct *ldt; + int size; + + #ifdef CONFIG_X86_64 +@@ -18,7 +18,19 @@ typedef struct { + #endif + + struct mutex lock; +- void *vdso; ++ unsigned long vdso; ++ ++#ifdef CONFIG_X86_32 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) ++ unsigned long user_cs_base; ++ unsigned long user_cs_limit; ++ ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP) ++ cpumask_t cpu_user_cs_mask; ++#endif ++ ++#endif ++#endif + } mm_context_t; + + #ifdef CONFIG_SMP +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index be12c53..4d24039 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -24,6 +24,20 @@ void destroy_context(struct mm_struct *mm); + + static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) + { ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (!(static_cpu_has(X86_FEATURE_PCID))) { ++ unsigned int i; ++ pgd_t *pgd; ++ ++ pax_open_kernel(); ++ pgd = get_cpu_pgd(smp_processor_id(), kernel); ++ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i) ++ set_pgd_batched(pgd+i, native_make_pgd(0)); ++ pax_close_kernel(); ++ } ++#endif ++ + #ifdef CONFIG_SMP + if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK) + this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY); +@@ -34,16 +48,59 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + struct task_struct *tsk) + { + unsigned cpu = smp_processor_id(); ++#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) ++ int tlbstate = TLBSTATE_OK; ++#endif + + if (likely(prev != next)) { + #ifdef CONFIG_SMP ++#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) ++ tlbstate = this_cpu_read(cpu_tlbstate.state); ++#endif + this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); + this_cpu_write(cpu_tlbstate.active_mm, next); + #endif + cpumask_set_cpu(cpu, mm_cpumask(next)); + + /* Re-load page tables */ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ pax_open_kernel(); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) ++ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd); ++ else ++#endif ++ ++ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd); ++ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd); ++ pax_close_kernel(); ++ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK)); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) { ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ u64 descriptor[2]; ++ descriptor[0] = PCID_USER; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory"); ++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) { ++ descriptor[0] = PCID_KERNEL; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory"); ++ } ++ } else { ++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); ++ if (static_cpu_has(X86_FEATURE_STRONGUDEREF)) ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); ++ else ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL); ++ } ++ } else ++#endif ++ ++ load_cr3(get_cpu_pgd(cpu, kernel)); ++#else + load_cr3(next->pgd); ++#endif + + /* Stop flush ipis for the previous mm */ + cpumask_clear_cpu(cpu, mm_cpumask(prev)); +@@ -51,9 +108,67 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + /* Load the LDT, if the LDT is different: */ + if (unlikely(prev->context.ldt != next->context.ldt)) + load_LDT_nolock(&next->context); ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP) ++ if (!(__supported_pte_mask & _PAGE_NX)) { ++ smp_mb__before_clear_bit(); ++ cpu_clear(cpu, prev->context.cpu_user_cs_mask); ++ smp_mb__after_clear_bit(); ++ cpu_set(cpu, next->context.cpu_user_cs_mask); ++ } ++#endif ++ ++#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) ++ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base || ++ prev->context.user_cs_limit != next->context.user_cs_limit)) ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu); ++#ifdef CONFIG_SMP ++ else if (unlikely(tlbstate != TLBSTATE_OK)) ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu); ++#endif ++#endif ++ + } ++ else { ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ pax_open_kernel(); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) ++ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd); ++ else ++#endif ++ ++ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd); ++ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd); ++ pax_close_kernel(); ++ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK)); ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) { ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ u64 descriptor[2]; ++ descriptor[0] = PCID_USER; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory"); ++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) { ++ descriptor[0] = PCID_KERNEL; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory"); ++ } ++ } else { ++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); ++ if (static_cpu_has(X86_FEATURE_STRONGUDEREF)) ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); ++ else ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL); ++ } ++ } else ++#endif ++ ++ load_cr3(get_cpu_pgd(cpu, kernel)); ++#endif ++ + #ifdef CONFIG_SMP +- else { + this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); + BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next); + +@@ -70,11 +185,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + * tlb flush IPI delivery. We must reload CR3 + * to make sure to use no freed page tables. + */ ++ ++#ifndef CONFIG_PAX_PER_CPU_PGD + load_cr3(next->pgd); ++#endif ++ + load_LDT_nolock(&next->context); ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) ++ if (!(__supported_pte_mask & _PAGE_NX)) ++ cpu_set(cpu, next->context.cpu_user_cs_mask); ++#endif ++ ++#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX))) ++#endif ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu); ++#endif ++ + } ++#endif + } +-#endif + } + + #define activate_mm(prev, next) \ +diff --git a/arch/x86/include/asm/module.h b/arch/x86/include/asm/module.h +index e3b7819..b257c64 100644 +--- a/arch/x86/include/asm/module.h ++++ b/arch/x86/include/asm/module.h +@@ -5,6 +5,7 @@ + + #ifdef CONFIG_X86_64 + /* X86_64 does not define MODULE_PROC_FAMILY */ ++#define MODULE_PROC_FAMILY "" + #elif defined CONFIG_M486 + #define MODULE_PROC_FAMILY "486 " + #elif defined CONFIG_M586 +@@ -57,8 +58,20 @@ + #error unknown processor family + #endif + +-#ifdef CONFIG_X86_32 +-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY ++#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS ++#define MODULE_PAX_KERNEXEC "KERNEXEC_BTS " ++#elif defined(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR) ++#define MODULE_PAX_KERNEXEC "KERNEXEC_OR " ++#else ++#define MODULE_PAX_KERNEXEC "" + #endif + ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++#define MODULE_PAX_UDEREF "UDEREF " ++#else ++#define MODULE_PAX_UDEREF "" ++#endif ++ ++#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF ++ + #endif /* _ASM_X86_MODULE_H */ +diff --git a/arch/x86/include/asm/nmi.h b/arch/x86/include/asm/nmi.h +index 86f9301..b365cda 100644 +--- a/arch/x86/include/asm/nmi.h ++++ b/arch/x86/include/asm/nmi.h +@@ -40,11 +40,11 @@ struct nmiaction { + nmi_handler_t handler; + unsigned long flags; + const char *name; +-}; ++} __do_const; + + #define register_nmi_handler(t, fn, fg, n, init...) \ + ({ \ +- static struct nmiaction init fn##_na = { \ ++ static const struct nmiaction init fn##_na = { \ + .handler = (fn), \ + .name = (n), \ + .flags = (fg), \ +@@ -52,7 +52,7 @@ struct nmiaction { + __register_nmi_handler((t), &fn##_na); \ + }) + +-int __register_nmi_handler(unsigned int, struct nmiaction *); ++int __register_nmi_handler(unsigned int, const struct nmiaction *); + + void unregister_nmi_handler(unsigned int, const char *); + +diff --git a/arch/x86/include/asm/page.h b/arch/x86/include/asm/page.h +index 775873d..de5f0304 100644 +--- a/arch/x86/include/asm/page.h ++++ b/arch/x86/include/asm/page.h +@@ -52,6 +52,7 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr, + __phys_addr_symbol(__phys_reloc_hide((unsigned long)(x))) + + #define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET)) ++#define __early_va(x) ((void *)((unsigned long)(x)+__START_KERNEL_map - phys_base)) + + #define __boot_va(x) __va(x) + #define __boot_pa(x) __pa(x) +diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h +index 0f1ddee..e2fc3d1 100644 +--- a/arch/x86/include/asm/page_64.h ++++ b/arch/x86/include/asm/page_64.h +@@ -7,9 +7,9 @@ + + /* duplicated to the one in bootmem.h */ + extern unsigned long max_pfn; +-extern unsigned long phys_base; ++extern const unsigned long phys_base; + +-static inline unsigned long __phys_addr_nodebug(unsigned long x) ++static inline unsigned long __intentional_overflow(-1) __phys_addr_nodebug(unsigned long x) + { + unsigned long y = x - __START_KERNEL_map; + +diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h +index cd6e1610..70f4418 100644 +--- a/arch/x86/include/asm/paravirt.h ++++ b/arch/x86/include/asm/paravirt.h +@@ -560,7 +560,7 @@ static inline pmd_t __pmd(pmdval_t val) + return (pmd_t) { ret }; + } + +-static inline pmdval_t pmd_val(pmd_t pmd) ++static inline __intentional_overflow(-1) pmdval_t pmd_val(pmd_t pmd) + { + pmdval_t ret; + +@@ -626,6 +626,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd) + val); + } + ++static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd) ++{ ++ pgdval_t val = native_pgd_val(pgd); ++ ++ if (sizeof(pgdval_t) > sizeof(long)) ++ PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp, ++ val, (u64)val >> 32); ++ else ++ PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp, ++ val); ++} ++ + static inline void pgd_clear(pgd_t *pgdp) + { + set_pgd(pgdp, __pgd(0)); +@@ -710,6 +722,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx, + pv_mmu_ops.set_fixmap(idx, phys, flags); + } + ++#ifdef CONFIG_PAX_KERNEXEC ++static inline unsigned long pax_open_kernel(void) ++{ ++ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel); ++} ++ ++static inline unsigned long pax_close_kernel(void) ++{ ++ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel); ++} ++#else ++static inline unsigned long pax_open_kernel(void) { return 0; } ++static inline unsigned long pax_close_kernel(void) { return 0; } ++#endif ++ + #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS) + + static __always_inline void __ticket_lock_spinning(struct arch_spinlock *lock, +@@ -906,7 +933,7 @@ extern void default_banner(void); + + #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4) + #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4) +-#define PARA_INDIRECT(addr) *%cs:addr ++#define PARA_INDIRECT(addr) *%ss:addr + #endif + + #define INTERRUPT_RETURN \ +@@ -981,6 +1008,21 @@ extern void default_banner(void); + PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \ + CLBR_NONE, \ + jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit)) ++ ++#define GET_CR0_INTO_RDI \ ++ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \ ++ mov %rax,%rdi ++ ++#define SET_RDI_INTO_CR0 \ ++ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0) ++ ++#define GET_CR3_INTO_RDI \ ++ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \ ++ mov %rax,%rdi ++ ++#define SET_RDI_INTO_CR3 \ ++ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3) ++ + #endif /* CONFIG_X86_32 */ + + #endif /* __ASSEMBLY__ */ +diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h +index 7549b8b..f0edfda 100644 +--- a/arch/x86/include/asm/paravirt_types.h ++++ b/arch/x86/include/asm/paravirt_types.h +@@ -84,7 +84,7 @@ struct pv_init_ops { + */ + unsigned (*patch)(u8 type, u16 clobber, void *insnbuf, + unsigned long addr, unsigned len); +-}; ++} __no_const __no_randomize_layout; + + + struct pv_lazy_ops { +@@ -92,13 +92,13 @@ struct pv_lazy_ops { + void (*enter)(void); + void (*leave)(void); + void (*flush)(void); +-}; ++} __no_randomize_layout; + + struct pv_time_ops { + unsigned long long (*sched_clock)(void); + unsigned long long (*steal_clock)(int cpu); + unsigned long (*get_tsc_khz)(void); +-}; ++} __no_const __no_randomize_layout; + + struct pv_cpu_ops { + /* hooks for various privileged instructions */ +@@ -192,7 +192,7 @@ struct pv_cpu_ops { + + void (*start_context_switch)(struct task_struct *prev); + void (*end_context_switch)(struct task_struct *next); +-}; ++} __no_const __no_randomize_layout; + + struct pv_irq_ops { + /* +@@ -215,7 +215,7 @@ struct pv_irq_ops { + #ifdef CONFIG_X86_64 + void (*adjust_exception_frame)(void); + #endif +-}; ++} __no_randomize_layout; + + struct pv_apic_ops { + #ifdef CONFIG_X86_LOCAL_APIC +@@ -223,7 +223,7 @@ struct pv_apic_ops { + unsigned long start_eip, + unsigned long start_esp); + #endif +-}; ++} __no_const __no_randomize_layout; + + struct pv_mmu_ops { + unsigned long (*read_cr2)(void); +@@ -313,6 +313,7 @@ struct pv_mmu_ops { + struct paravirt_callee_save make_pud; + + void (*set_pgd)(pgd_t *pudp, pgd_t pgdval); ++ void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval); + #endif /* PAGETABLE_LEVELS == 4 */ + #endif /* PAGETABLE_LEVELS >= 3 */ + +@@ -324,7 +325,13 @@ struct pv_mmu_ops { + an mfn. We can tell which is which from the index. */ + void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx, + phys_addr_t phys, pgprot_t flags); +-}; ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ unsigned long (*pax_open_kernel)(void); ++ unsigned long (*pax_close_kernel)(void); ++#endif ++ ++} __no_randomize_layout; + + struct arch_spinlock; + #ifdef CONFIG_SMP +@@ -336,11 +343,14 @@ typedef u16 __ticket_t; + struct pv_lock_ops { + struct paravirt_callee_save lock_spinning; + void (*unlock_kick)(struct arch_spinlock *lock, __ticket_t ticket); +-}; ++} __no_randomize_layout; + + /* This contains all the paravirt structures: we get a convenient + * number for each function using the offset which we use to indicate +- * what to patch. */ ++ * what to patch. ++ * shouldn't be randomized due to the "NEAT TRICK" in paravirt.c ++ */ ++ + struct paravirt_patch_template { + struct pv_init_ops pv_init_ops; + struct pv_time_ops pv_time_ops; +@@ -349,7 +359,7 @@ struct paravirt_patch_template { + struct pv_apic_ops pv_apic_ops; + struct pv_mmu_ops pv_mmu_ops; + struct pv_lock_ops pv_lock_ops; +-}; ++} __no_randomize_layout; + + extern struct pv_info pv_info; + extern struct pv_init_ops pv_init_ops; +diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h +index c4412e9..90e88c5 100644 +--- a/arch/x86/include/asm/pgalloc.h ++++ b/arch/x86/include/asm/pgalloc.h +@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(struct mm_struct *mm, + pmd_t *pmd, pte_t *pte) + { + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT); ++ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE)); ++} ++ ++static inline void pmd_populate_user(struct mm_struct *mm, ++ pmd_t *pmd, pte_t *pte) ++{ ++ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT); + set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE)); + } + +@@ -108,12 +115,22 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmd, + + #ifdef CONFIG_X86_PAE + extern void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd); ++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) ++{ ++ pud_populate(mm, pudp, pmd); ++} + #else /* !CONFIG_X86_PAE */ + static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) + { + paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT); + set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd))); + } ++ ++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) ++{ ++ paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT); ++ set_pud(pud, __pud(_KERNPG_TABLE | __pa(pmd))); ++} + #endif /* CONFIG_X86_PAE */ + + #if PAGETABLE_LEVELS > 3 +@@ -123,6 +140,12 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pud_t *pud) + set_pgd(pgd, __pgd(_PAGE_TABLE | __pa(pud))); + } + ++static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pud_t *pud) ++{ ++ paravirt_alloc_pud(mm, __pa(pud) >> PAGE_SHIFT); ++ set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(pud))); ++} ++ + static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr) + { + return (pud_t *)get_zeroed_page(GFP_KERNEL|__GFP_REPEAT); +diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h +index 0d193e2..bf59aeb 100644 +--- a/arch/x86/include/asm/pgtable-2level.h ++++ b/arch/x86/include/asm/pgtable-2level.h +@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t *ptep , pte_t pte) + + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) + { ++ pax_open_kernel(); + *pmdp = pmd; ++ pax_close_kernel(); + } + + static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) +diff --git a/arch/x86/include/asm/pgtable-3level.h b/arch/x86/include/asm/pgtable-3level.h +index 81bb91b..9392125 100644 +--- a/arch/x86/include/asm/pgtable-3level.h ++++ b/arch/x86/include/asm/pgtable-3level.h +@@ -92,12 +92,16 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) + + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) + { ++ pax_open_kernel(); + set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd)); ++ pax_close_kernel(); + } + + static inline void native_set_pud(pud_t *pudp, pud_t pud) + { ++ pax_open_kernel(); + set_64bit((unsigned long long *)(pudp), native_pud_val(pud)); ++ pax_close_kernel(); + } + + /* +diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h +index bbc8b12..f228861 100644 +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -45,6 +45,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); + + #ifndef __PAGETABLE_PUD_FOLDED + #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd) ++#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd) + #define pgd_clear(pgd) native_pgd_clear(pgd) + #endif + +@@ -82,12 +83,51 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); + + #define arch_end_context_switch(prev) do {} while(0) + ++#define pax_open_kernel() native_pax_open_kernel() ++#define pax_close_kernel() native_pax_close_kernel() + #endif /* CONFIG_PARAVIRT */ + ++#define __HAVE_ARCH_PAX_OPEN_KERNEL ++#define __HAVE_ARCH_PAX_CLOSE_KERNEL ++ ++#ifdef CONFIG_PAX_KERNEXEC ++static inline unsigned long native_pax_open_kernel(void) ++{ ++ unsigned long cr0; ++ ++ preempt_disable(); ++ barrier(); ++ cr0 = read_cr0() ^ X86_CR0_WP; ++ BUG_ON(cr0 & X86_CR0_WP); ++ write_cr0(cr0); ++ return cr0 ^ X86_CR0_WP; ++} ++ ++static inline unsigned long native_pax_close_kernel(void) ++{ ++ unsigned long cr0; ++ ++ cr0 = read_cr0() ^ X86_CR0_WP; ++ BUG_ON(!(cr0 & X86_CR0_WP)); ++ write_cr0(cr0); ++ barrier(); ++ preempt_enable_no_resched(); ++ return cr0 ^ X86_CR0_WP; ++} ++#else ++static inline unsigned long native_pax_open_kernel(void) { return 0; } ++static inline unsigned long native_pax_close_kernel(void) { return 0; } ++#endif ++ + /* + * The following only work if pte_present() is true. + * Undefined behaviour if not.. + */ ++static inline int pte_user(pte_t pte) ++{ ++ return pte_val(pte) & _PAGE_USER; ++} ++ + static inline int pte_dirty(pte_t pte) + { + return pte_flags(pte) & _PAGE_DIRTY; +@@ -148,6 +188,11 @@ static inline unsigned long pud_pfn(pud_t pud) + return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT; + } + ++static inline unsigned long pgd_pfn(pgd_t pgd) ++{ ++ return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT; ++} ++ + #define pte_page(pte) pfn_to_page(pte_pfn(pte)) + + static inline int pmd_large(pmd_t pte) +@@ -201,9 +246,29 @@ static inline pte_t pte_wrprotect(pte_t pte) + return pte_clear_flags(pte, _PAGE_RW); + } + ++static inline pte_t pte_mkread(pte_t pte) ++{ ++ return __pte(pte_val(pte) | _PAGE_USER); ++} ++ + static inline pte_t pte_mkexec(pte_t pte) + { +- return pte_clear_flags(pte, _PAGE_NX); ++#ifdef CONFIG_X86_PAE ++ if (__supported_pte_mask & _PAGE_NX) ++ return pte_clear_flags(pte, _PAGE_NX); ++ else ++#endif ++ return pte_set_flags(pte, _PAGE_USER); ++} ++ ++static inline pte_t pte_exprotect(pte_t pte) ++{ ++#ifdef CONFIG_X86_PAE ++ if (__supported_pte_mask & _PAGE_NX) ++ return pte_set_flags(pte, _PAGE_NX); ++ else ++#endif ++ return pte_clear_flags(pte, _PAGE_USER); + } + + static inline pte_t pte_mkdirty(pte_t pte) +@@ -430,6 +495,16 @@ pte_t *populate_extra_pte(unsigned long vaddr); + #endif + + #ifndef __ASSEMBLY__ ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD]; ++enum cpu_pgd_type {kernel = 0, user = 1}; ++static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type) ++{ ++ return cpu_pgd[cpu][type]; ++} ++#endif ++ + #include + #include + #include +@@ -570,7 +645,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud) + * Currently stuck as a macro due to indirect forward reference to + * linux/mmzone.h's __section_mem_map_addr() definition: + */ +-#define pud_page(pud) pfn_to_page(pud_val(pud) >> PAGE_SHIFT) ++#define pud_page(pud) pfn_to_page((pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT) + + /* Find an entry in the second-level page table.. */ + static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address) +@@ -610,7 +685,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd) + * Currently stuck as a macro due to indirect forward reference to + * linux/mmzone.h's __section_mem_map_addr() definition: + */ +-#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT) ++#define pgd_page(pgd) pfn_to_page((pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT) + + /* to find an entry in a page-table-directory. */ + static inline unsigned long pud_index(unsigned long address) +@@ -625,7 +700,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) + + static inline int pgd_bad(pgd_t pgd) + { +- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE; ++ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE; + } + + static inline int pgd_none(pgd_t pgd) +@@ -648,7 +723,12 @@ static inline int pgd_none(pgd_t pgd) + * pgd_offset() returns a (pgd_t *) + * pgd_index() is used get the offset into the pgd page's array of pgd_t's; + */ +-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address))) ++#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address)) ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address)) ++#endif ++ + /* + * a shortcut which implies the use of the kernel's pgd, instead + * of a process's +@@ -659,6 +739,23 @@ static inline int pgd_none(pgd_t pgd) + #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET) + #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY) + ++#ifdef CONFIG_X86_32 ++#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY ++#else ++#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT ++#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT)) ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++#ifdef __ASSEMBLY__ ++#define pax_user_shadow_base pax_user_shadow_base(%rip) ++#else ++extern unsigned long pax_user_shadow_base; ++extern pgdval_t clone_pgd_mask; ++#endif ++#endif ++ ++#endif ++ + #ifndef __ASSEMBLY__ + + extern int direct_gbpages; +@@ -825,11 +922,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, + * dst and src can be on the same page, but the range must not overlap, + * and must not cross a page boundary. + */ +-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count) ++static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count) + { +- memcpy(dst, src, count * sizeof(pgd_t)); ++ pax_open_kernel(); ++ while (count--) ++ *dst++ = *src++; ++ pax_close_kernel(); + } + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src); ++#endif ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src); ++#else ++static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) {} ++#endif ++ + #define PTE_SHIFT ilog2(PTRS_PER_PTE) + static inline int page_level_shift(enum pg_level level) + { +diff --git a/arch/x86/include/asm/pgtable_32.h b/arch/x86/include/asm/pgtable_32.h +index 9ee3221..b979c6b 100644 +--- a/arch/x86/include/asm/pgtable_32.h ++++ b/arch/x86/include/asm/pgtable_32.h +@@ -25,9 +25,6 @@ + struct mm_struct; + struct vm_area_struct; + +-extern pgd_t swapper_pg_dir[1024]; +-extern pgd_t initial_page_table[1024]; +- + static inline void pgtable_cache_init(void) { } + static inline void check_pgt_cache(void) { } + void paging_init(void); +@@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, unsigned long, pgprot_t); + # include + #endif + ++extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; ++extern pgd_t initial_page_table[PTRS_PER_PGD]; ++#ifdef CONFIG_X86_PAE ++extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD]; ++#endif ++ + #if defined(CONFIG_HIGHPTE) + #define pte_offset_map(dir, address) \ + ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \ +@@ -62,12 +65,17 @@ extern void set_pmd_pfn(unsigned long, unsigned long, pgprot_t); + /* Clear a kernel PTE and flush it from the TLB */ + #define kpte_clear_flush(ptep, vaddr) \ + do { \ ++ pax_open_kernel(); \ + pte_clear(&init_mm, (vaddr), (ptep)); \ ++ pax_close_kernel(); \ + __flush_tlb_one((vaddr)); \ + } while (0) + + #endif /* !__ASSEMBLY__ */ + ++#define HAVE_ARCH_UNMAPPED_AREA ++#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN ++ + /* + * kern_addr_valid() is (1) for FLATMEM and (0) for + * SPARSEMEM and DISCONTIGMEM +diff --git a/arch/x86/include/asm/pgtable_32_types.h b/arch/x86/include/asm/pgtable_32_types.h +index ed5903b..c7fe163 100644 +--- a/arch/x86/include/asm/pgtable_32_types.h ++++ b/arch/x86/include/asm/pgtable_32_types.h +@@ -8,7 +8,7 @@ + */ + #ifdef CONFIG_X86_PAE + # include +-# define PMD_SIZE (1UL << PMD_SHIFT) ++# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT) + # define PMD_MASK (~(PMD_SIZE - 1)) + #else + # include +@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set once high_memory is set */ + # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE) + #endif + ++#ifdef CONFIG_PAX_KERNEXEC ++#ifndef __ASSEMBLY__ ++extern unsigned char MODULES_EXEC_VADDR[]; ++extern unsigned char MODULES_EXEC_END[]; ++#endif ++#include ++#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET) ++#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET) ++#else ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++#endif ++ + #define MODULES_VADDR VMALLOC_START + #define MODULES_END VMALLOC_END + #define MODULES_LEN (MODULES_VADDR - MODULES_END) +diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h +index e22c1db..23a625a 100644 +--- a/arch/x86/include/asm/pgtable_64.h ++++ b/arch/x86/include/asm/pgtable_64.h +@@ -16,10 +16,14 @@ + + extern pud_t level3_kernel_pgt[512]; + extern pud_t level3_ident_pgt[512]; ++extern pud_t level3_vmalloc_start_pgt[512]; ++extern pud_t level3_vmalloc_end_pgt[512]; ++extern pud_t level3_vmemmap_pgt[512]; ++extern pud_t level2_vmemmap_pgt[512]; + extern pmd_t level2_kernel_pgt[512]; + extern pmd_t level2_fixmap_pgt[512]; +-extern pmd_t level2_ident_pgt[512]; +-extern pgd_t init_level4_pgt[]; ++extern pmd_t level2_ident_pgt[512*2]; ++extern pgd_t init_level4_pgt[512]; + + #define swapper_pg_dir init_level4_pgt + +@@ -61,7 +65,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) + + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) + { ++ pax_open_kernel(); + *pmdp = pmd; ++ pax_close_kernel(); + } + + static inline void native_pmd_clear(pmd_t *pmd) +@@ -97,7 +103,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp) + + static inline void native_set_pud(pud_t *pudp, pud_t pud) + { ++ pax_open_kernel(); + *pudp = pud; ++ pax_close_kernel(); + } + + static inline void native_pud_clear(pud_t *pud) +@@ -107,6 +115,13 @@ static inline void native_pud_clear(pud_t *pud) + + static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd) + { ++ pax_open_kernel(); ++ *pgdp = pgd; ++ pax_close_kernel(); ++} ++ ++static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd) ++{ + *pgdp = pgd; + } + +diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h +index c883bf7..19970b3 100644 +--- a/arch/x86/include/asm/pgtable_64_types.h ++++ b/arch/x86/include/asm/pgtable_64_types.h +@@ -61,6 +61,11 @@ typedef struct { pteval_t pte; } pte_t; + #define MODULES_VADDR (__START_KERNEL_map + KERNEL_IMAGE_SIZE) + #define MODULES_END _AC(0xffffffffff000000, UL) + #define MODULES_LEN (MODULES_END - MODULES_VADDR) ++#define MODULES_EXEC_VADDR MODULES_VADDR ++#define MODULES_EXEC_END MODULES_END ++ ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) + + #define EARLY_DYNAMIC_PAGE_TABLES 64 + +diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h +index 94e40f1..ebd03e4 100644 +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -16,13 +16,12 @@ + #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */ + #define _PAGE_BIT_PAT 7 /* on 4KB pages */ + #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */ +-#define _PAGE_BIT_UNUSED1 9 /* available for programmer */ ++#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */ + #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */ + #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */ + #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */ +-#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1 +-#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1 +-#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */ ++#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL ++#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */ + #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */ + + /* If _PAGE_BIT_PRESENT is clear, we use these: */ +@@ -40,7 +39,6 @@ + #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY) + #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE) + #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL) +-#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1) + #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP) + #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT) + #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE) +@@ -87,8 +85,10 @@ + + #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) + #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX) +-#else ++#elif defined(CONFIG_KMEMCHECK) || defined(CONFIG_MEM_SOFT_DIRTY) + #define _PAGE_NX (_AT(pteval_t, 0)) ++#else ++#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN) + #endif + + #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE) +@@ -147,6 +147,9 @@ + #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \ + _PAGE_ACCESSED) + ++#define PAGE_READONLY_NOEXEC PAGE_READONLY ++#define PAGE_SHARED_NOEXEC PAGE_SHARED ++ + #define __PAGE_KERNEL_EXEC \ + (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL) + #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX) +@@ -157,7 +160,7 @@ + #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC) + #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT) + #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD) +-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER) ++#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER) + #define __PAGE_KERNEL_VVAR (__PAGE_KERNEL_RO | _PAGE_USER) + #define __PAGE_KERNEL_VVAR_NOCACHE (__PAGE_KERNEL_VVAR | _PAGE_PCD | _PAGE_PWT) + #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE) +@@ -219,8 +222,8 @@ + * bits are combined, this will alow user to access the high address mapped + * VDSO in the presence of CONFIG_COMPAT_VDSO + */ +-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */ +-#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */ ++#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */ ++#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */ + #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */ + #endif + +@@ -258,7 +261,17 @@ static inline pgdval_t pgd_flags(pgd_t pgd) + { + return native_pgd_val(pgd) & PTE_FLAGS_MASK; + } ++#endif + ++#if PAGETABLE_LEVELS == 3 ++#include ++#endif ++ ++#if PAGETABLE_LEVELS == 2 ++#include ++#endif ++ ++#ifndef __ASSEMBLY__ + #if PAGETABLE_LEVELS > 3 + typedef struct { pudval_t pud; } pud_t; + +@@ -272,8 +285,6 @@ static inline pudval_t native_pud_val(pud_t pud) + return pud.pud; + } + #else +-#include +- + static inline pudval_t native_pud_val(pud_t pud) + { + return native_pgd_val(pud.pgd); +@@ -293,8 +304,6 @@ static inline pmdval_t native_pmd_val(pmd_t pmd) + return pmd.pmd; + } + #else +-#include +- + static inline pmdval_t native_pmd_val(pmd_t pmd) + { + return native_pgd_val(pmd.pud.pgd); +@@ -334,7 +343,6 @@ typedef struct page *pgtable_t; + + extern pteval_t __supported_pte_mask; + extern void set_nx(void); +-extern int nx_enabled; + + #define pgprot_writecombine pgprot_writecombine + extern pgprot_t pgprot_writecombine(pgprot_t prot); +diff --git a/arch/x86/include/asm/preempt.h b/arch/x86/include/asm/preempt.h +index c8b0519..fd29e73 100644 +--- a/arch/x86/include/asm/preempt.h ++++ b/arch/x86/include/asm/preempt.h +@@ -87,7 +87,7 @@ static __always_inline void __preempt_count_sub(int val) + */ + static __always_inline bool __preempt_count_dec_and_test(void) + { +- GEN_UNARY_RMWcc("decl", __preempt_count, __percpu_arg(0), "e"); ++ GEN_UNARY_RMWcc("decl", "incl", __preempt_count, __percpu_arg(0), "e"); + } + + /* +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index fdedd38..95c02c2 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -128,7 +128,7 @@ struct cpuinfo_x86 { + /* Index into per_cpu list: */ + u16 cpu_index; + u32 microcode; +-} __attribute__((__aligned__(SMP_CACHE_BYTES))); ++} __attribute__((__aligned__(SMP_CACHE_BYTES))) __randomize_layout; + + #define X86_VENDOR_INTEL 0 + #define X86_VENDOR_CYRIX 1 +@@ -199,9 +199,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx, + : "memory"); + } + ++/* invpcid (%rdx),%rax */ ++#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02" ++ ++#define INVPCID_SINGLE_ADDRESS 0UL ++#define INVPCID_SINGLE_CONTEXT 1UL ++#define INVPCID_ALL_GLOBAL 2UL ++#define INVPCID_ALL_MONGLOBAL 3UL ++ ++#define PCID_KERNEL 0UL ++#define PCID_USER 1UL ++#define PCID_NOFLUSH (1UL << 63) ++ + static inline void load_cr3(pgd_t *pgdir) + { +- write_cr3(__pa(pgdir)); ++ write_cr3(__pa(pgdir) | PCID_KERNEL); + } + + #ifdef CONFIG_X86_32 +@@ -283,7 +295,7 @@ struct tss_struct { + + } ____cacheline_aligned; + +-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss); ++extern struct tss_struct init_tss[NR_CPUS]; + + /* + * Save the original ist values for checking stack pointers during debugging +@@ -470,6 +482,7 @@ struct thread_struct { + unsigned short ds; + unsigned short fsindex; + unsigned short gsindex; ++ unsigned short ss; + #endif + #ifdef CONFIG_X86_32 + unsigned long ip; +@@ -579,29 +592,8 @@ static inline void load_sp0(struct tss_struct *tss, + extern unsigned long mmu_cr4_features; + extern u32 *trampoline_cr4_features; + +-static inline void set_in_cr4(unsigned long mask) +-{ +- unsigned long cr4; +- +- mmu_cr4_features |= mask; +- if (trampoline_cr4_features) +- *trampoline_cr4_features = mmu_cr4_features; +- cr4 = read_cr4(); +- cr4 |= mask; +- write_cr4(cr4); +-} +- +-static inline void clear_in_cr4(unsigned long mask) +-{ +- unsigned long cr4; +- +- mmu_cr4_features &= ~mask; +- if (trampoline_cr4_features) +- *trampoline_cr4_features = mmu_cr4_features; +- cr4 = read_cr4(); +- cr4 &= ~mask; +- write_cr4(cr4); +-} ++extern void set_in_cr4(unsigned long mask); ++extern void clear_in_cr4(unsigned long mask); + + typedef struct { + unsigned long seg; +@@ -827,11 +819,18 @@ static inline void spin_lock_prefetch(const void *x) + */ + #define TASK_SIZE PAGE_OFFSET + #define TASK_SIZE_MAX TASK_SIZE ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2) ++#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE) ++#else + #define STACK_TOP TASK_SIZE +-#define STACK_TOP_MAX STACK_TOP ++#endif ++ ++#define STACK_TOP_MAX TASK_SIZE + + #define INIT_THREAD { \ +- .sp0 = sizeof(init_stack) + (long)&init_stack, \ ++ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \ + .vm86_info = NULL, \ + .sysenter_cs = __KERNEL_CS, \ + .io_bitmap_ptr = NULL, \ +@@ -845,7 +844,7 @@ static inline void spin_lock_prefetch(const void *x) + */ + #define INIT_TSS { \ + .x86_tss = { \ +- .sp0 = sizeof(init_stack) + (long)&init_stack, \ ++ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \ + .ss0 = __KERNEL_DS, \ + .ss1 = __KERNEL_CS, \ + .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \ +@@ -856,11 +855,7 @@ static inline void spin_lock_prefetch(const void *x) + extern unsigned long thread_saved_pc(struct task_struct *tsk); + + #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long)) +-#define KSTK_TOP(info) \ +-({ \ +- unsigned long *__ptr = (unsigned long *)(info); \ +- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \ +-}) ++#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0) + + /* + * The below -8 is to reserve 8 bytes on top of the ring0 stack. +@@ -875,7 +870,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); + #define task_pt_regs(task) \ + ({ \ + struct pt_regs *__regs__; \ +- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \ ++ __regs__ = (struct pt_regs *)((task)->thread.sp0); \ + __regs__ - 1; \ + }) + +@@ -885,13 +880,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); + /* + * User space process size. 47bits minus one guard page. + */ +-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE) ++#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE) + + /* This decides where the kernel will search for a free chunk of vm + * space during mmap's. + */ + #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \ +- 0xc0000000 : 0xFFFFe000) ++ 0xc0000000 : 0xFFFFf000) + + #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \ + IA32_PAGE_OFFSET : TASK_SIZE_MAX) +@@ -902,11 +897,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); + #define STACK_TOP_MAX TASK_SIZE_MAX + + #define INIT_THREAD { \ +- .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \ ++ .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \ + } + + #define INIT_TSS { \ +- .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \ ++ .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \ + } + + /* +@@ -934,6 +929,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, + */ + #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3)) + ++#ifdef CONFIG_PAX_SEGMEXEC ++#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3)) ++#endif ++ + #define KSTK_EIP(task) (task_pt_regs(task)->ip) + + /* Get/set a process' ability to use the timestamp counter instruction */ +@@ -960,7 +959,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves) + return 0; + } + +-extern unsigned long arch_align_stack(unsigned long sp); ++#define arch_align_stack(x) ((x) & ~0xfUL) + extern void free_init_pages(char *what, unsigned long begin, unsigned long end); + + void default_idle(void); +@@ -970,6 +969,6 @@ bool xen_set_default_idle(void); + #define xen_set_default_idle 0 + #endif + +-void stop_this_cpu(void *dummy); ++void stop_this_cpu(void *dummy) __noreturn; + void df_debug(struct pt_regs *regs, long error_code); + #endif /* _ASM_X86_PROCESSOR_H */ +diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h +index 14fd6fd..6740420 100644 +--- a/arch/x86/include/asm/ptrace.h ++++ b/arch/x86/include/asm/ptrace.h +@@ -84,28 +84,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) + } + + /* +- * user_mode_vm(regs) determines whether a register set came from user mode. ++ * user_mode(regs) determines whether a register set came from user mode. + * This is true if V8086 mode was enabled OR if the register set was from + * protected mode with RPL-3 CS value. This tricky test checks that with + * one comparison. Many places in the kernel can bypass this full check +- * if they have already ruled out V8086 mode, so user_mode(regs) can be used. ++ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can ++ * be used. + */ +-static inline int user_mode(struct pt_regs *regs) ++static inline int user_mode_novm(struct pt_regs *regs) + { + #ifdef CONFIG_X86_32 + return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL; + #else +- return !!(regs->cs & 3); ++ return !!(regs->cs & SEGMENT_RPL_MASK); + #endif + } + +-static inline int user_mode_vm(struct pt_regs *regs) ++static inline int user_mode(struct pt_regs *regs) + { + #ifdef CONFIG_X86_32 + return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >= + USER_RPL; + #else +- return user_mode(regs); ++ return user_mode_novm(regs); + #endif + } + +@@ -121,15 +122,16 @@ static inline int v8086_mode(struct pt_regs *regs) + #ifdef CONFIG_X86_64 + static inline bool user_64bit_mode(struct pt_regs *regs) + { ++ unsigned long cs = regs->cs & 0xffff; + #ifndef CONFIG_PARAVIRT + /* + * On non-paravirt systems, this is the only long mode CPL 3 + * selector. We do not allow long mode selectors in the LDT. + */ +- return regs->cs == __USER_CS; ++ return cs == __USER_CS; + #else + /* Headers are too twisted for this to go in paravirt.h. */ +- return regs->cs == __USER_CS || regs->cs == pv_info.extra_user_64bit_cs; ++ return cs == __USER_CS || cs == pv_info.extra_user_64bit_cs; + #endif + } + +@@ -180,9 +182,11 @@ static inline unsigned long regs_get_register(struct pt_regs *regs, + * Traps from the kernel do not save sp and ss. + * Use the helper function to retrieve sp. + */ +- if (offset == offsetof(struct pt_regs, sp) && +- regs->cs == __KERNEL_CS) +- return kernel_stack_pointer(regs); ++ if (offset == offsetof(struct pt_regs, sp)) { ++ unsigned long cs = regs->cs & 0xffff; ++ if (cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) ++ return kernel_stack_pointer(regs); ++ } + #endif + return *(unsigned long *)((unsigned long)regs + offset); + } +diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h +index 9c6b890..5305f53 100644 +--- a/arch/x86/include/asm/realmode.h ++++ b/arch/x86/include/asm/realmode.h +@@ -22,16 +22,14 @@ struct real_mode_header { + #endif + /* APM/BIOS reboot */ + u32 machine_real_restart_asm; +-#ifdef CONFIG_X86_64 + u32 machine_real_restart_seg; +-#endif + }; + + /* This must match data at trampoline_32/64.S */ + struct trampoline_header { + #ifdef CONFIG_X86_32 + u32 start; +- u16 gdt_pad; ++ u16 boot_cs; + u16 gdt_limit; + u32 gdt_base; + #else +diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h +index a82c4f1..ac45053 100644 +--- a/arch/x86/include/asm/reboot.h ++++ b/arch/x86/include/asm/reboot.h +@@ -6,13 +6,13 @@ + struct pt_regs; + + struct machine_ops { +- void (*restart)(char *cmd); +- void (*halt)(void); +- void (*power_off)(void); ++ void (* __noreturn restart)(char *cmd); ++ void (* __noreturn halt)(void); ++ void (* __noreturn power_off)(void); + void (*shutdown)(void); + void (*crash_shutdown)(struct pt_regs *); +- void (*emergency_restart)(void); +-}; ++ void (* __noreturn emergency_restart)(void); ++} __no_const; + + extern struct machine_ops machine_ops; + +diff --git a/arch/x86/include/asm/rmwcc.h b/arch/x86/include/asm/rmwcc.h +index 8f7866a..e442f20 100644 +--- a/arch/x86/include/asm/rmwcc.h ++++ b/arch/x86/include/asm/rmwcc.h +@@ -3,7 +3,34 @@ + + #ifdef CC_HAVE_ASM_GOTO + +-#define __GEN_RMWcc(fullop, var, cc, ...) \ ++#ifdef CONFIG_PAX_REFCOUNT ++#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \ ++do { \ ++ asm_volatile_goto (fullop \ ++ ";jno 0f\n" \ ++ fullantiop \ ++ ";int $4\n0:\n" \ ++ _ASM_EXTABLE(0b, 0b) \ ++ ";j" cc " %l[cc_label]" \ ++ : : "m" (var), ## __VA_ARGS__ \ ++ : "memory" : cc_label); \ ++ return 0; \ ++cc_label: \ ++ return 1; \ ++} while (0) ++#else ++#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \ ++do { \ ++ asm_volatile_goto (fullop ";j" cc " %l[cc_label]" \ ++ : : "m" (var), ## __VA_ARGS__ \ ++ : "memory" : cc_label); \ ++ return 0; \ ++cc_label: \ ++ return 1; \ ++} while (0) ++#endif ++ ++#define __GEN_RMWcc_unchecked(fullop, var, cc, ...) \ + do { \ + asm_volatile_goto (fullop "; j" cc " %l[cc_label]" \ + : : "m" (var), ## __VA_ARGS__ \ +@@ -13,15 +40,46 @@ cc_label: \ + return 1; \ + } while (0) + +-#define GEN_UNARY_RMWcc(op, var, arg0, cc) \ +- __GEN_RMWcc(op " " arg0, var, cc) ++#define GEN_UNARY_RMWcc(op, antiop, var, arg0, cc) \ ++ __GEN_RMWcc(op " " arg0, antiop " " arg0, var, cc) + +-#define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \ +- __GEN_RMWcc(op " %1, " arg0, var, cc, vcon (val)) ++#define GEN_UNARY_RMWcc_unchecked(op, var, arg0, cc) \ ++ __GEN_RMWcc_unchecked(op " " arg0, var, cc) ++ ++#define GEN_BINARY_RMWcc(op, antiop, var, vcon, val, arg0, cc) \ ++ __GEN_RMWcc(op " %1, " arg0, antiop " %1, " arg0, var, cc, vcon (val)) ++ ++#define GEN_BINARY_RMWcc_unchecked(op, var, vcon, val, arg0, cc) \ ++ __GEN_RMWcc_unchecked(op " %1, " arg0, var, cc, vcon (val)) + + #else /* !CC_HAVE_ASM_GOTO */ + +-#define __GEN_RMWcc(fullop, var, cc, ...) \ ++#ifdef CONFIG_PAX_REFCOUNT ++#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \ ++do { \ ++ char c; \ ++ asm volatile (fullop \ ++ ";jno 0f\n" \ ++ fullantiop \ ++ ";int $4\n0:\n" \ ++ _ASM_EXTABLE(0b, 0b) \ ++ "; set" cc " %1" \ ++ : "+m" (var), "=qm" (c) \ ++ : __VA_ARGS__ : "memory"); \ ++ return c != 0; \ ++} while (0) ++#else ++#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \ ++do { \ ++ char c; \ ++ asm volatile (fullop "; set" cc " %1" \ ++ : "+m" (var), "=qm" (c) \ ++ : __VA_ARGS__ : "memory"); \ ++ return c != 0; \ ++} while (0) ++#endif ++ ++#define __GEN_RMWcc_unchecked(fullop, var, cc, ...) \ + do { \ + char c; \ + asm volatile (fullop "; set" cc " %1" \ +@@ -30,11 +88,17 @@ do { \ + return c != 0; \ + } while (0) + +-#define GEN_UNARY_RMWcc(op, var, arg0, cc) \ +- __GEN_RMWcc(op " " arg0, var, cc) ++#define GEN_UNARY_RMWcc(op, antiop, var, arg0, cc) \ ++ __GEN_RMWcc(op " " arg0, antiop " " arg0, var, cc) ++ ++#define GEN_UNARY_RMWcc_unchecked(op, var, arg0, cc) \ ++ __GEN_RMWcc_unchecked(op " " arg0, var, cc) ++ ++#define GEN_BINARY_RMWcc(op, antiop, var, vcon, val, arg0, cc) \ ++ __GEN_RMWcc(op " %2, " arg0, antiop " %2, " arg0, var, cc, vcon (val)) + +-#define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \ +- __GEN_RMWcc(op " %2, " arg0, var, cc, vcon (val)) ++#define GEN_BINARY_RMWcc_unchecked(op, var, vcon, val, arg0, cc) \ ++ __GEN_RMWcc_unchecked(op " %2, " arg0, var, cc, vcon (val)) + + #endif /* CC_HAVE_ASM_GOTO */ + +diff --git a/arch/x86/include/asm/rwsem.h b/arch/x86/include/asm/rwsem.h +index cad82c9..2e5c5c1 100644 +--- a/arch/x86/include/asm/rwsem.h ++++ b/arch/x86/include/asm/rwsem.h +@@ -64,6 +64,14 @@ static inline void __down_read(struct rw_semaphore *sem) + { + asm volatile("# beginning down_read\n\t" + LOCK_PREFIX _ASM_INC "(%1)\n\t" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX _ASM_DEC "(%1)\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + /* adds 0x00000001 */ + " jns 1f\n" + " call call_rwsem_down_read_failed\n" +@@ -85,6 +93,14 @@ static inline int __down_read_trylock(struct rw_semaphore *sem) + "1:\n\t" + " mov %1,%2\n\t" + " add %3,%2\n\t" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ "sub %3,%2\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + " jle 2f\n\t" + LOCK_PREFIX " cmpxchg %2,%0\n\t" + " jnz 1b\n\t" +@@ -104,6 +120,14 @@ static inline void __down_write_nested(struct rw_semaphore *sem, int subclass) + long tmp; + asm volatile("# beginning down_write\n\t" + LOCK_PREFIX " xadd %1,(%2)\n\t" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ "mov %1,(%2)\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + /* adds 0xffff0001, returns the old value */ + " test " __ASM_SEL(%w1,%k1) "," __ASM_SEL(%w1,%k1) "\n\t" + /* was the active mask 0 before? */ +@@ -155,6 +179,14 @@ static inline void __up_read(struct rw_semaphore *sem) + long tmp; + asm volatile("# beginning __up_read\n\t" + LOCK_PREFIX " xadd %1,(%2)\n\t" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ "mov %1,(%2)\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + /* subtracts 1, returns the old value */ + " jns 1f\n\t" + " call call_rwsem_wake\n" /* expects old value in %edx */ +@@ -173,6 +205,14 @@ static inline void __up_write(struct rw_semaphore *sem) + long tmp; + asm volatile("# beginning __up_write\n\t" + LOCK_PREFIX " xadd %1,(%2)\n\t" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ "mov %1,(%2)\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + /* subtracts 0xffff0001, returns the old value */ + " jns 1f\n\t" + " call call_rwsem_wake\n" /* expects old value in %edx */ +@@ -190,6 +230,14 @@ static inline void __downgrade_write(struct rw_semaphore *sem) + { + asm volatile("# beginning __downgrade_write\n\t" + LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX _ASM_SUB "%2,(%1)\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + /* + * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386) + * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64) +@@ -208,7 +256,15 @@ static inline void __downgrade_write(struct rw_semaphore *sem) + */ + static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem) + { +- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0" ++ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX _ASM_SUB "%1,%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + : "+m" (sem->count) + : "er" (delta)); + } +@@ -218,7 +274,7 @@ static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem) + */ + static inline long rwsem_atomic_update(long delta, struct rw_semaphore *sem) + { +- return delta + xadd(&sem->count, delta); ++ return delta + xadd_check_overflow(&sem->count, delta); + } + + #endif /* __KERNEL__ */ +diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h +index 6f1c3a8..7744f19 100644 +--- a/arch/x86/include/asm/segment.h ++++ b/arch/x86/include/asm/segment.h +@@ -64,10 +64,15 @@ + * 26 - ESPFIX small SS + * 27 - per-cpu [ offset to per-cpu data area ] + * 28 - stack_canary-20 [ for stack protector ] +- * 29 - unused +- * 30 - unused ++ * 29 - PCI BIOS CS ++ * 30 - PCI BIOS DS + * 31 - TSS for double fault handler + */ ++#define GDT_ENTRY_KERNEXEC_EFI_CS (1) ++#define GDT_ENTRY_KERNEXEC_EFI_DS (2) ++#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8) ++#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8) ++ + #define GDT_ENTRY_TLS_MIN 6 + #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1) + +@@ -79,6 +84,8 @@ + + #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0) + ++#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4) ++ + #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1) + + #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4) +@@ -104,6 +111,12 @@ + #define __KERNEL_STACK_CANARY 0 + #endif + ++#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17) ++#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8) ++ ++#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18) ++#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8) ++ + #define GDT_ENTRY_DOUBLEFAULT_TSS 31 + + /* +@@ -141,7 +154,7 @@ + */ + + /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */ +-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8) ++#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16) + + + #else +@@ -165,6 +178,8 @@ + #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS*8+3) + #define __USER32_DS __USER_DS + ++#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7 ++ + #define GDT_ENTRY_TSS 8 /* needs two entries */ + #define GDT_ENTRY_LDT 10 /* needs two entries */ + #define GDT_ENTRY_TLS_MIN 12 +@@ -173,6 +188,8 @@ + #define GDT_ENTRY_PER_CPU 15 /* Abused to load per CPU data from limit */ + #define __PER_CPU_SEG (GDT_ENTRY_PER_CPU * 8 + 3) + ++#define GDT_ENTRY_UDEREF_KERNEL_DS 16 ++ + /* TLS indexes for 64bit - hardcoded in arch_prctl */ + #define FS_TLS 0 + #define GS_TLS 1 +@@ -180,12 +197,14 @@ + #define GS_TLS_SEL ((GDT_ENTRY_TLS_MIN+GS_TLS)*8 + 3) + #define FS_TLS_SEL ((GDT_ENTRY_TLS_MIN+FS_TLS)*8 + 3) + +-#define GDT_ENTRIES 16 ++#define GDT_ENTRIES 17 + + #endif + + #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8) ++#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8) + #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8) ++#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8) + #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3) + #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3) + #ifndef CONFIG_PARAVIRT +@@ -268,7 +287,7 @@ static inline unsigned long get_limit(unsigned long segment) + { + unsigned long __limit; + asm("lsll %1,%0" : "=r" (__limit) : "r" (segment)); +- return __limit + 1; ++ return __limit; + } + + #endif /* !__ASSEMBLY__ */ +diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h +index 8d3120f..352b440 100644 +--- a/arch/x86/include/asm/smap.h ++++ b/arch/x86/include/asm/smap.h +@@ -25,11 +25,40 @@ + + #include + ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define ASM_PAX_OPEN_USERLAND \ ++ 661: jmp 663f; \ ++ .pushsection .altinstr_replacement, "a" ; \ ++ 662: pushq %rax; nop; \ ++ .popsection ; \ ++ .pushsection .altinstructions, "a" ; \ ++ altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\ ++ .popsection ; \ ++ call __pax_open_userland; \ ++ popq %rax; \ ++ 663: ++ ++#define ASM_PAX_CLOSE_USERLAND \ ++ 661: jmp 663f; \ ++ .pushsection .altinstr_replacement, "a" ; \ ++ 662: pushq %rax; nop; \ ++ .popsection; \ ++ .pushsection .altinstructions, "a" ; \ ++ altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\ ++ .popsection; \ ++ call __pax_close_userland; \ ++ popq %rax; \ ++ 663: ++#else ++#define ASM_PAX_OPEN_USERLAND ++#define ASM_PAX_CLOSE_USERLAND ++#endif ++ + #ifdef CONFIG_X86_SMAP + + #define ASM_CLAC \ + 661: ASM_NOP3 ; \ +- .pushsection .altinstr_replacement, "ax" ; \ ++ .pushsection .altinstr_replacement, "a" ; \ + 662: __ASM_CLAC ; \ + .popsection ; \ + .pushsection .altinstructions, "a" ; \ +@@ -38,7 +67,7 @@ + + #define ASM_STAC \ + 661: ASM_NOP3 ; \ +- .pushsection .altinstr_replacement, "ax" ; \ ++ .pushsection .altinstr_replacement, "a" ; \ + 662: __ASM_STAC ; \ + .popsection ; \ + .pushsection .altinstructions, "a" ; \ +@@ -56,6 +85,37 @@ + + #include + ++#define __HAVE_ARCH_PAX_OPEN_USERLAND ++#define __HAVE_ARCH_PAX_CLOSE_USERLAND ++ ++extern void __pax_open_userland(void); ++static __always_inline unsigned long pax_open_userland(void) ++{ ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[open]", X86_FEATURE_STRONGUDEREF) ++ : ++ : [open] "i" (__pax_open_userland) ++ : "memory", "rax"); ++#endif ++ ++ return 0; ++} ++ ++extern void __pax_close_userland(void); ++static __always_inline unsigned long pax_close_userland(void) ++{ ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[close]", X86_FEATURE_STRONGUDEREF) ++ : ++ : [close] "i" (__pax_close_userland) ++ : "memory", "rax"); ++#endif ++ ++ return 0; ++} ++ + #ifdef CONFIG_X86_SMAP + + static __always_inline void clac(void) +diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h +index 8cd27e0..7f05ec8 100644 +--- a/arch/x86/include/asm/smp.h ++++ b/arch/x86/include/asm/smp.h +@@ -35,7 +35,7 @@ DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_core_map); + /* cpus sharing the last level cache: */ + DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_llc_shared_map); + DECLARE_PER_CPU_READ_MOSTLY(u16, cpu_llc_id); +-DECLARE_PER_CPU_READ_MOSTLY(int, cpu_number); ++DECLARE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number); + + static inline struct cpumask *cpu_sibling_mask(int cpu) + { +@@ -78,7 +78,7 @@ struct smp_ops { + + void (*send_call_func_ipi)(const struct cpumask *mask); + void (*send_call_func_single_ipi)(int cpu); +-}; ++} __no_const; + + /* Globals due to paravirt */ + extern void set_cpu_sibling_map(int cpu); +@@ -190,14 +190,8 @@ extern unsigned disabled_cpus; + extern int safe_smp_processor_id(void); + + #elif defined(CONFIG_X86_64_SMP) +-#define raw_smp_processor_id() (this_cpu_read(cpu_number)) +- +-#define stack_smp_processor_id() \ +-({ \ +- struct thread_info *ti; \ +- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \ +- ti->cpu; \ +-}) ++#define raw_smp_processor_id() (this_cpu_read(cpu_number)) ++#define stack_smp_processor_id() raw_smp_processor_id() + #define safe_smp_processor_id() smp_processor_id() + + #endif +diff --git a/arch/x86/include/asm/spinlock.h b/arch/x86/include/asm/spinlock.h +index 0f62f54..cb5d0dd 100644 +--- a/arch/x86/include/asm/spinlock.h ++++ b/arch/x86/include/asm/spinlock.h +@@ -222,6 +222,14 @@ static inline int arch_write_can_lock(arch_rwlock_t *lock) + static inline void arch_read_lock(arch_rwlock_t *rw) + { + asm volatile(LOCK_PREFIX READ_LOCK_SIZE(dec) " (%0)\n\t" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX READ_LOCK_SIZE(inc) " (%0)\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + "jns 1f\n" + "call __read_lock_failed\n\t" + "1:\n" +@@ -231,6 +239,14 @@ static inline void arch_read_lock(arch_rwlock_t *rw) + static inline void arch_write_lock(arch_rwlock_t *rw) + { + asm volatile(LOCK_PREFIX WRITE_LOCK_SUB(%1) "(%0)\n\t" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX WRITE_LOCK_ADD(%1) "(%0)\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + "jz 1f\n" + "call __write_lock_failed\n\t" + "1:\n" +@@ -260,13 +276,29 @@ static inline int arch_write_trylock(arch_rwlock_t *lock) + + static inline void arch_read_unlock(arch_rwlock_t *rw) + { +- asm volatile(LOCK_PREFIX READ_LOCK_SIZE(inc) " %0" ++ asm volatile(LOCK_PREFIX READ_LOCK_SIZE(inc) " %0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX READ_LOCK_SIZE(dec) " %0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + :"+m" (rw->lock) : : "memory"); + } + + static inline void arch_write_unlock(arch_rwlock_t *rw) + { +- asm volatile(LOCK_PREFIX WRITE_LOCK_ADD(%1) "%0" ++ asm volatile(LOCK_PREFIX WRITE_LOCK_ADD(%1) "%0\n" ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ "jno 0f\n" ++ LOCK_PREFIX WRITE_LOCK_SUB(%1) "%0\n" ++ "int $4\n0:\n" ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ + : "+m" (rw->write) : "i" (RW_LOCK_BIAS) : "memory"); + } + +diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h +index 6a99859..03cb807 100644 +--- a/arch/x86/include/asm/stackprotector.h ++++ b/arch/x86/include/asm/stackprotector.h +@@ -47,7 +47,7 @@ + * head_32 for boot CPU and setup_per_cpu_areas() for others. + */ + #define GDT_STACK_CANARY_INIT \ +- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18), ++ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17), + + /* + * Initialize the stackprotector canary value. +@@ -112,7 +112,7 @@ static inline void setup_stack_canary_segment(int cpu) + + static inline void load_stack_canary_segment(void) + { +-#ifdef CONFIG_X86_32 ++#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF) + asm volatile ("mov %0, %%gs" : : "r" (0)); + #endif + } +diff --git a/arch/x86/include/asm/stacktrace.h b/arch/x86/include/asm/stacktrace.h +index 70bbe39..4ae2bd4 100644 +--- a/arch/x86/include/asm/stacktrace.h ++++ b/arch/x86/include/asm/stacktrace.h +@@ -11,28 +11,20 @@ + + extern int kstack_depth_to_print; + +-struct thread_info; ++struct task_struct; + struct stacktrace_ops; + +-typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo, +- unsigned long *stack, +- unsigned long bp, +- const struct stacktrace_ops *ops, +- void *data, +- unsigned long *end, +- int *graph); ++typedef unsigned long walk_stack_t(struct task_struct *task, ++ void *stack_start, ++ unsigned long *stack, ++ unsigned long bp, ++ const struct stacktrace_ops *ops, ++ void *data, ++ unsigned long *end, ++ int *graph); + +-extern unsigned long +-print_context_stack(struct thread_info *tinfo, +- unsigned long *stack, unsigned long bp, +- const struct stacktrace_ops *ops, void *data, +- unsigned long *end, int *graph); +- +-extern unsigned long +-print_context_stack_bp(struct thread_info *tinfo, +- unsigned long *stack, unsigned long bp, +- const struct stacktrace_ops *ops, void *data, +- unsigned long *end, int *graph); ++extern walk_stack_t print_context_stack; ++extern walk_stack_t print_context_stack_bp; + + /* Generic stack tracer with callbacks */ + +@@ -40,7 +32,7 @@ struct stacktrace_ops { + void (*address)(void *data, unsigned long address, int reliable); + /* On negative return stop dumping */ + int (*stack)(void *data, char *name); +- walk_stack_t walk_stack; ++ walk_stack_t *walk_stack; + }; + + void dump_trace(struct task_struct *tsk, struct pt_regs *regs, +diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h +index d7f3b3b..3cc39f1 100644 +--- a/arch/x86/include/asm/switch_to.h ++++ b/arch/x86/include/asm/switch_to.h +@@ -108,7 +108,7 @@ do { \ + "call __switch_to\n\t" \ + "movq "__percpu_arg([current_task])",%%rsi\n\t" \ + __switch_canary \ +- "movq %P[thread_info](%%rsi),%%r8\n\t" \ ++ "movq "__percpu_arg([thread_info])",%%r8\n\t" \ + "movq %%rax,%%rdi\n\t" \ + "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \ + "jnz ret_from_fork\n\t" \ +@@ -119,7 +119,7 @@ do { \ + [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \ + [ti_flags] "i" (offsetof(struct thread_info, flags)), \ + [_tif_fork] "i" (_TIF_FORK), \ +- [thread_info] "i" (offsetof(struct task_struct, stack)), \ ++ [thread_info] "m" (current_tinfo), \ + [current_task] "m" (current_task) \ + __switch_canary_iparam \ + : "memory", "cc" __EXTRA_CLOBBER) +diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h +index e1940c0..ac50dd8 100644 +--- a/arch/x86/include/asm/thread_info.h ++++ b/arch/x86/include/asm/thread_info.h +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + /* + * low level task data that entry.S needs immediate access to +@@ -23,7 +24,6 @@ struct exec_domain; + #include + + struct thread_info { +- struct task_struct *task; /* main task structure */ + struct exec_domain *exec_domain; /* execution domain */ + __u32 flags; /* low level flags */ + __u32 status; /* thread synchronous flags */ +@@ -32,19 +32,13 @@ struct thread_info { + mm_segment_t addr_limit; + struct restart_block restart_block; + void __user *sysenter_return; +-#ifdef CONFIG_X86_32 +- unsigned long previous_esp; /* ESP of the previous stack in +- case of nested (IRQ) stacks +- */ +- __u8 supervisor_stack[0]; +-#endif ++ unsigned long lowest_stack; + unsigned int sig_on_uaccess_error:1; + unsigned int uaccess_err:1; /* uaccess failed */ + }; + +-#define INIT_THREAD_INFO(tsk) \ ++#define INIT_THREAD_INFO \ + { \ +- .task = &tsk, \ + .exec_domain = &default_exec_domain, \ + .flags = 0, \ + .cpu = 0, \ +@@ -55,7 +49,7 @@ struct thread_info { + }, \ + } + +-#define init_thread_info (init_thread_union.thread_info) ++#define init_thread_info (init_thread_union.stack) + #define init_stack (init_thread_union.stack) + + #else /* !__ASSEMBLY__ */ +@@ -95,6 +89,7 @@ struct thread_info { + #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */ + #define TIF_ADDR32 29 /* 32-bit address space on 64 bits */ + #define TIF_X32 30 /* 32-bit native x86-64 binary */ ++#define TIF_GRSEC_SETXID 31 /* update credentials on syscall entry/exit */ + + #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) + #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) +@@ -118,17 +113,18 @@ struct thread_info { + #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) + #define _TIF_ADDR32 (1 << TIF_ADDR32) + #define _TIF_X32 (1 << TIF_X32) ++#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_enter() */ + #define _TIF_WORK_SYSCALL_ENTRY \ + (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT | \ + _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | \ +- _TIF_NOHZ) ++ _TIF_NOHZ | _TIF_GRSEC_SETXID) + + /* work to do in syscall_trace_leave() */ + #define _TIF_WORK_SYSCALL_EXIT \ + (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP | \ +- _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ) ++ _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ | _TIF_GRSEC_SETXID) + + /* work to do on interrupt/exception return */ + #define _TIF_WORK_MASK \ +@@ -139,7 +135,7 @@ struct thread_info { + /* work to do on any return to user space */ + #define _TIF_ALLWORK_MASK \ + ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT | \ +- _TIF_NOHZ) ++ _TIF_NOHZ | _TIF_GRSEC_SETXID) + + /* Only used for 64 bit */ + #define _TIF_DO_NOTIFY_MASK \ +@@ -153,6 +149,23 @@ struct thread_info { + #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY) + #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW) + ++#ifdef __ASSEMBLY__ ++/* how to get the thread information struct from ASM */ ++#define GET_THREAD_INFO(reg) \ ++ mov PER_CPU_VAR(current_tinfo), reg ++ ++/* use this one if reg already contains %esp */ ++#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg) ++#else ++/* how to get the thread information struct from C */ ++DECLARE_PER_CPU(struct thread_info *, current_tinfo); ++ ++static __always_inline struct thread_info *current_thread_info(void) ++{ ++ return this_cpu_read_stable(current_tinfo); ++} ++#endif ++ + #ifdef CONFIG_X86_32 + + #define STACK_WARN (THREAD_SIZE/8) +@@ -169,31 +182,10 @@ struct thread_info { + sp; \ + }) + +-/* how to get the thread information struct from C */ +-static inline struct thread_info *current_thread_info(void) +-{ +- return (struct thread_info *) +- (current_stack_pointer & ~(THREAD_SIZE - 1)); +-} +- +-#else /* !__ASSEMBLY__ */ +- +-/* how to get the thread information struct from ASM */ +-#define GET_THREAD_INFO(reg) \ +- movl $-THREAD_SIZE, reg; \ +- andl %esp, reg +- +-/* use this one if reg already contains %esp */ +-#define GET_THREAD_INFO_WITH_ESP(reg) \ +- andl $-THREAD_SIZE, reg +- + #endif + + #else /* X86_32 */ + +-#include +-#define KERNEL_STACK_OFFSET (5*8) +- + /* + * macros/functions for gaining access to the thread information structure + * preempt_count needs to be 1 initially, until the scheduler is functional. +@@ -201,27 +193,8 @@ static inline struct thread_info *current_thread_info(void) + #ifndef __ASSEMBLY__ + DECLARE_PER_CPU(unsigned long, kernel_stack); + +-static inline struct thread_info *current_thread_info(void) +-{ +- struct thread_info *ti; +- ti = (void *)(this_cpu_read_stable(kernel_stack) + +- KERNEL_STACK_OFFSET - THREAD_SIZE); +- return ti; +-} +- +-#else /* !__ASSEMBLY__ */ +- +-/* how to get the thread information struct from ASM */ +-#define GET_THREAD_INFO(reg) \ +- movq PER_CPU_VAR(kernel_stack),reg ; \ +- subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg +- +-/* +- * Same if PER_CPU_VAR(kernel_stack) is, perhaps with some offset, already in +- * a certain register (to be used in assembler memory operands). +- */ +-#define THREAD_INFO(reg, off) KERNEL_STACK_OFFSET+(off)-THREAD_SIZE(reg) +- ++/* how to get the current stack pointer from C */ ++register unsigned long current_stack_pointer asm("rsp") __used; + #endif + + #endif /* !X86_32 */ +@@ -280,5 +253,12 @@ static inline bool is_ia32_task(void) + extern void arch_task_cache_init(void); + extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); + extern void arch_release_task_struct(struct task_struct *tsk); ++ ++#define __HAVE_THREAD_FUNCTIONS ++#define task_thread_info(task) (&(task)->tinfo) ++#define task_stack_page(task) ((task)->stack) ++#define setup_thread_stack(p, org) do {} while (0) ++#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1) ++ + #endif + #endif /* _ASM_X86_THREAD_INFO_H */ +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index 04905bf..49203ca 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -17,18 +17,44 @@ + + static inline void __native_flush_tlb(void) + { ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ u64 descriptor[2]; ++ ++ descriptor[0] = PCID_KERNEL; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_MONGLOBAL) : "memory"); ++ return; ++ } ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) { ++ unsigned int cpu = raw_get_cpu(); ++ ++ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); ++ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL); ++ raw_put_cpu_no_resched(); ++ return; ++ } ++#endif ++ + native_write_cr3(native_read_cr3()); + } + + static inline void __native_flush_tlb_global_irq_disabled(void) + { +- unsigned long cr4; ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ u64 descriptor[2]; + +- cr4 = native_read_cr4(); +- /* clear PGE */ +- native_write_cr4(cr4 & ~X86_CR4_PGE); +- /* write old PGE again and flush TLBs */ +- native_write_cr4(cr4); ++ descriptor[0] = PCID_KERNEL; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory"); ++ } else { ++ unsigned long cr4; ++ ++ cr4 = native_read_cr4(); ++ /* clear PGE */ ++ native_write_cr4(cr4 & ~X86_CR4_PGE); ++ /* write old PGE again and flush TLBs */ ++ native_write_cr4(cr4); ++ } + } + + static inline void __native_flush_tlb_global(void) +@@ -49,6 +75,41 @@ static inline void __native_flush_tlb_global(void) + + static inline void __native_flush_tlb_single(unsigned long addr) + { ++ if (static_cpu_has(X86_FEATURE_INVPCID)) { ++ u64 descriptor[2]; ++ ++ descriptor[0] = PCID_KERNEL; ++ descriptor[1] = addr; ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) { ++ if (addr < TASK_SIZE_MAX) ++ descriptor[1] += pax_user_shadow_base; ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory"); ++ } ++ ++ descriptor[0] = PCID_USER; ++ descriptor[1] = addr; ++#endif ++ ++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory"); ++ return; ++ } ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (static_cpu_has(X86_FEATURE_PCID)) { ++ unsigned int cpu = raw_get_cpu(); ++ ++ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH); ++ asm volatile("invlpg (%0)" ::"r" (addr) : "memory"); ++ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); ++ raw_put_cpu_no_resched(); ++ ++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) && addr < TASK_SIZE_MAX) ++ addr += pax_user_shadow_base; ++ } ++#endif ++ + asm volatile("invlpg (%0)" ::"r" (addr) : "memory"); + } + +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h +index 0d592e0..f58a222 100644 +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -29,7 +30,12 @@ + + #define get_ds() (KERNEL_DS) + #define get_fs() (current_thread_info()->addr_limit) ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) ++void __set_fs(mm_segment_t x); ++void set_fs(mm_segment_t x); ++#else + #define set_fs(x) (current_thread_info()->addr_limit = (x)) ++#endif + + #define segment_eq(a, b) ((a).seg == (b).seg) + +@@ -85,8 +91,34 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un + * checks that the pointer is in the user space range - after calling + * this function, memory access functions may still return -EFAULT. + */ +-#define access_ok(type, addr, size) \ +- likely(!__range_not_ok(addr, size, user_addr_max())) ++extern int _cond_resched(void); ++#define access_ok_noprefault(type, addr, size) (likely(!__range_not_ok(addr, size, user_addr_max()))) ++#define access_ok(type, addr, size) \ ++({ \ ++ long __size = size; \ ++ unsigned long __addr = (unsigned long)addr; \ ++ unsigned long __addr_ao = __addr & PAGE_MASK; \ ++ unsigned long __end_ao = __addr + __size - 1; \ ++ bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\ ++ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \ ++ while(__addr_ao <= __end_ao) { \ ++ char __c_ao; \ ++ __addr_ao += PAGE_SIZE; \ ++ if (__size > PAGE_SIZE) \ ++ _cond_resched(); \ ++ if (__get_user(__c_ao, (char __user *)__addr)) \ ++ break; \ ++ if (type != VERIFY_WRITE) { \ ++ __addr = __addr_ao; \ ++ continue; \ ++ } \ ++ if (__put_user(__c_ao, (char __user *)__addr)) \ ++ break; \ ++ __addr = __addr_ao; \ ++ } \ ++ } \ ++ __ret_ao; \ ++}) + + /* + * The exception table consists of pairs of addresses relative to the +@@ -176,10 +208,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \ + __chk_user_ptr(ptr); \ + might_fault(); \ ++ pax_open_userland(); \ + asm volatile("call __get_user_%P3" \ + : "=a" (__ret_gu), "=r" (__val_gu) \ + : "0" (ptr), "i" (sizeof(*(ptr)))); \ + (x) = (__typeof__(*(ptr))) __val_gu; \ ++ pax_close_userland(); \ + __ret_gu; \ + }) + +@@ -187,13 +221,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + asm volatile("call __put_user_" #size : "=a" (__ret_pu) \ + : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx") + +- ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define __copyuser_seg "gs;" ++#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n" ++#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n" ++#else ++#define __copyuser_seg ++#define __COPYUSER_SET_ES ++#define __COPYUSER_RESTORE_ES ++#endif + + #ifdef CONFIG_X86_32 + #define __put_user_asm_u64(x, addr, err, errret) \ + asm volatile(ASM_STAC "\n" \ +- "1: movl %%eax,0(%2)\n" \ +- "2: movl %%edx,4(%2)\n" \ ++ "1: "__copyuser_seg"movl %%eax,0(%2)\n" \ ++ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \ + "3: " ASM_CLAC "\n" \ + ".section .fixup,\"ax\"\n" \ + "4: movl %3,%0\n" \ +@@ -206,8 +248,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + + #define __put_user_asm_ex_u64(x, addr) \ + asm volatile(ASM_STAC "\n" \ +- "1: movl %%eax,0(%1)\n" \ +- "2: movl %%edx,4(%1)\n" \ ++ "1: "__copyuser_seg"movl %%eax,0(%1)\n" \ ++ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \ + "3: " ASM_CLAC "\n" \ + _ASM_EXTABLE_EX(1b, 2b) \ + _ASM_EXTABLE_EX(2b, 3b) \ +@@ -257,7 +299,8 @@ extern void __put_user_8(void); + __typeof__(*(ptr)) __pu_val; \ + __chk_user_ptr(ptr); \ + might_fault(); \ +- __pu_val = x; \ ++ __pu_val = (x); \ ++ pax_open_userland(); \ + switch (sizeof(*(ptr))) { \ + case 1: \ + __put_user_x(1, __pu_val, ptr, __ret_pu); \ +@@ -275,6 +318,7 @@ extern void __put_user_8(void); + __put_user_x(X, __pu_val, ptr, __ret_pu); \ + break; \ + } \ ++ pax_close_userland(); \ + __ret_pu; \ + }) + +@@ -355,8 +399,10 @@ do { \ + } while (0) + + #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \ ++do { \ ++ pax_open_userland(); \ + asm volatile(ASM_STAC "\n" \ +- "1: mov"itype" %2,%"rtype"1\n" \ ++ "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\ + "2: " ASM_CLAC "\n" \ + ".section .fixup,\"ax\"\n" \ + "3: mov %3,%0\n" \ +@@ -364,8 +410,10 @@ do { \ + " jmp 2b\n" \ + ".previous\n" \ + _ASM_EXTABLE(1b, 3b) \ +- : "=r" (err), ltype(x) \ +- : "m" (__m(addr)), "i" (errret), "0" (err)) ++ : "=r" (err), ltype (x) \ ++ : "m" (__m(addr)), "i" (errret), "0" (err)); \ ++ pax_close_userland(); \ ++} while (0) + + #define __get_user_size_ex(x, ptr, size) \ + do { \ +@@ -389,7 +437,7 @@ do { \ + } while (0) + + #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ +- asm volatile("1: mov"itype" %1,%"rtype"0\n" \ ++ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\ + "2:\n" \ + _ASM_EXTABLE_EX(1b, 2b) \ + : ltype(x) : "m" (__m(addr))) +@@ -406,13 +454,24 @@ do { \ + int __gu_err; \ + unsigned long __gu_val; \ + __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \ +- (x) = (__force __typeof__(*(ptr)))__gu_val; \ ++ (x) = (__typeof__(*(ptr)))__gu_val; \ + __gu_err; \ + }) + + /* FIXME: this hack is definitely wrong -AK */ + struct __large_struct { unsigned long buf[100]; }; +-#define __m(x) (*(struct __large_struct __user *)(x)) ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define ____m(x) \ ++({ \ ++ unsigned long ____x = (unsigned long)(x); \ ++ if (____x < pax_user_shadow_base) \ ++ ____x += pax_user_shadow_base; \ ++ (typeof(x))____x; \ ++}) ++#else ++#define ____m(x) (x) ++#endif ++#define __m(x) (*(struct __large_struct __user *)____m(x)) + + /* + * Tell gcc we read from memory instead of writing: this is because +@@ -420,8 +479,10 @@ struct __large_struct { unsigned long buf[100]; }; + * aliasing issues. + */ + #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \ ++do { \ ++ pax_open_userland(); \ + asm volatile(ASM_STAC "\n" \ +- "1: mov"itype" %"rtype"1,%2\n" \ ++ "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\ + "2: " ASM_CLAC "\n" \ + ".section .fixup,\"ax\"\n" \ + "3: mov %3,%0\n" \ +@@ -429,10 +490,12 @@ struct __large_struct { unsigned long buf[100]; }; + ".previous\n" \ + _ASM_EXTABLE(1b, 3b) \ + : "=r"(err) \ +- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err)) ++ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err));\ ++ pax_close_userland(); \ ++} while (0) + + #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \ +- asm volatile("1: mov"itype" %"rtype"0,%1\n" \ ++ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\ + "2:\n" \ + _ASM_EXTABLE_EX(1b, 2b) \ + : : ltype(x), "m" (__m(addr))) +@@ -442,11 +505,13 @@ struct __large_struct { unsigned long buf[100]; }; + */ + #define uaccess_try do { \ + current_thread_info()->uaccess_err = 0; \ ++ pax_open_userland(); \ + stac(); \ + barrier(); + + #define uaccess_catch(err) \ + clac(); \ ++ pax_close_userland(); \ + (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \ + } while (0) + +@@ -471,8 +536,12 @@ struct __large_struct { unsigned long buf[100]; }; + * On error, the variable @x is set to zero. + */ + ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define __get_user(x, ptr) get_user((x), (ptr)) ++#else + #define __get_user(x, ptr) \ + __get_user_nocheck((x), (ptr), sizeof(*(ptr))) ++#endif + + /** + * __put_user: - Write a simple value into user space, with less checking. +@@ -494,8 +563,12 @@ struct __large_struct { unsigned long buf[100]; }; + * Returns zero on success, or -EFAULT on error. + */ + ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define __put_user(x, ptr) put_user((x), (ptr)) ++#else + #define __put_user(x, ptr) \ + __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr))) ++#endif + + #define __get_user_unaligned __get_user + #define __put_user_unaligned __put_user +@@ -513,7 +586,7 @@ struct __large_struct { unsigned long buf[100]; }; + #define get_user_ex(x, ptr) do { \ + unsigned long __gue_val; \ + __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \ +- (x) = (__force __typeof__(*(ptr)))__gue_val; \ ++ (x) = (__typeof__(*(ptr)))__gue_val; \ + } while (0) + + #define put_user_try uaccess_try +@@ -542,18 +615,19 @@ extern void __cmpxchg_wrong_size(void) + __typeof__(ptr) __uval = (uval); \ + __typeof__(*(ptr)) __old = (old); \ + __typeof__(*(ptr)) __new = (new); \ ++ pax_open_userland(); \ + switch (size) { \ + case 1: \ + { \ + asm volatile("\t" ASM_STAC "\n" \ +- "1:\t" LOCK_PREFIX "cmpxchgb %4, %2\n" \ ++ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgb %4, %2\n"\ + "2:\t" ASM_CLAC "\n" \ + "\t.section .fixup, \"ax\"\n" \ + "3:\tmov %3, %0\n" \ + "\tjmp 2b\n" \ + "\t.previous\n" \ + _ASM_EXTABLE(1b, 3b) \ +- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \ ++ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\ + : "i" (-EFAULT), "q" (__new), "1" (__old) \ + : "memory" \ + ); \ +@@ -562,14 +636,14 @@ extern void __cmpxchg_wrong_size(void) + case 2: \ + { \ + asm volatile("\t" ASM_STAC "\n" \ +- "1:\t" LOCK_PREFIX "cmpxchgw %4, %2\n" \ ++ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgw %4, %2\n"\ + "2:\t" ASM_CLAC "\n" \ + "\t.section .fixup, \"ax\"\n" \ + "3:\tmov %3, %0\n" \ + "\tjmp 2b\n" \ + "\t.previous\n" \ + _ASM_EXTABLE(1b, 3b) \ +- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \ ++ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\ + : "i" (-EFAULT), "r" (__new), "1" (__old) \ + : "memory" \ + ); \ +@@ -578,14 +652,14 @@ extern void __cmpxchg_wrong_size(void) + case 4: \ + { \ + asm volatile("\t" ASM_STAC "\n" \ +- "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n" \ ++ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"\ + "2:\t" ASM_CLAC "\n" \ + "\t.section .fixup, \"ax\"\n" \ + "3:\tmov %3, %0\n" \ + "\tjmp 2b\n" \ + "\t.previous\n" \ + _ASM_EXTABLE(1b, 3b) \ +- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \ ++ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\ + : "i" (-EFAULT), "r" (__new), "1" (__old) \ + : "memory" \ + ); \ +@@ -597,14 +671,14 @@ extern void __cmpxchg_wrong_size(void) + __cmpxchg_wrong_size(); \ + \ + asm volatile("\t" ASM_STAC "\n" \ +- "1:\t" LOCK_PREFIX "cmpxchgq %4, %2\n" \ ++ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgq %4, %2\n"\ + "2:\t" ASM_CLAC "\n" \ + "\t.section .fixup, \"ax\"\n" \ + "3:\tmov %3, %0\n" \ + "\tjmp 2b\n" \ + "\t.previous\n" \ + _ASM_EXTABLE(1b, 3b) \ +- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \ ++ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\ + : "i" (-EFAULT), "r" (__new), "1" (__old) \ + : "memory" \ + ); \ +@@ -613,6 +687,7 @@ extern void __cmpxchg_wrong_size(void) + default: \ + __cmpxchg_wrong_size(); \ + } \ ++ pax_close_userland(); \ + *__uval = __old; \ + __ret; \ + }) +@@ -636,17 +711,6 @@ extern struct movsl_mask { + + #define ARCH_HAS_NOCACHE_UACCESS 1 + +-#ifdef CONFIG_X86_32 +-# include +-#else +-# include +-#endif +- +-unsigned long __must_check _copy_from_user(void *to, const void __user *from, +- unsigned n); +-unsigned long __must_check _copy_to_user(void __user *to, const void *from, +- unsigned n); +- + #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS + # define copy_user_diag __compiletime_error + #else +@@ -656,7 +720,7 @@ unsigned long __must_check _copy_to_user(void __user *to, const void *from, + extern void copy_user_diag("copy_from_user() buffer size is too small") + copy_from_user_overflow(void); + extern void copy_user_diag("copy_to_user() buffer size is too small") +-copy_to_user_overflow(void) __asm__("copy_from_user_overflow"); ++copy_to_user_overflow(void); + + #undef copy_user_diag + +@@ -669,7 +733,7 @@ __copy_from_user_overflow(void) __asm__("copy_from_user_overflow"); + + extern void + __compiletime_warning("copy_to_user() buffer size is not provably correct") +-__copy_to_user_overflow(void) __asm__("copy_from_user_overflow"); ++__copy_to_user_overflow(void) __asm__("copy_to_user_overflow"); + #define __copy_to_user_overflow(size, count) __copy_to_user_overflow() + + #else +@@ -684,10 +748,16 @@ __copy_from_user_overflow(int size, unsigned long count) + + #endif + ++#ifdef CONFIG_X86_32 ++# include ++#else ++# include ++#endif ++ + static inline unsigned long __must_check + copy_from_user(void *to, const void __user *from, unsigned long n) + { +- int sz = __compiletime_object_size(to); ++ size_t sz = __compiletime_object_size(to); + + might_fault(); + +@@ -709,12 +779,15 @@ copy_from_user(void *to, const void __user *from, unsigned long n) + * case, and do only runtime checking for non-constant sizes. + */ + +- if (likely(sz < 0 || sz >= n)) +- n = _copy_from_user(to, from, n); +- else if(__builtin_constant_p(n)) +- copy_from_user_overflow(); +- else +- __copy_from_user_overflow(sz, n); ++ if (likely(sz != (size_t)-1 && sz < n)) { ++ if(__builtin_constant_p(n)) ++ copy_from_user_overflow(); ++ else ++ __copy_from_user_overflow(sz, n); ++ } if (access_ok(VERIFY_READ, from, n)) ++ n = __copy_from_user(to, from, n); ++ else if ((long)n > 0) ++ memset(to, 0, n); + + return n; + } +@@ -722,17 +795,18 @@ copy_from_user(void *to, const void __user *from, unsigned long n) + static inline unsigned long __must_check + copy_to_user(void __user *to, const void *from, unsigned long n) + { +- int sz = __compiletime_object_size(from); ++ size_t sz = __compiletime_object_size(from); + + might_fault(); + + /* See the comment in copy_from_user() above. */ +- if (likely(sz < 0 || sz >= n)) +- n = _copy_to_user(to, from, n); +- else if(__builtin_constant_p(n)) +- copy_to_user_overflow(); +- else +- __copy_to_user_overflow(sz, n); ++ if (likely(sz != (size_t)-1 && sz < n)) { ++ if(__builtin_constant_p(n)) ++ copy_to_user_overflow(); ++ else ++ __copy_to_user_overflow(sz, n); ++ } else if (access_ok(VERIFY_WRITE, to, n)) ++ n = __copy_to_user(to, from, n); + + return n; + } +diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h +index 3c03a5d..1071638 100644 +--- a/arch/x86/include/asm/uaccess_32.h ++++ b/arch/x86/include/asm/uaccess_32.h +@@ -43,6 +43,11 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero + static __always_inline unsigned long __must_check + __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ ++ check_object_size(from, n, true); ++ + if (__builtin_constant_p(n)) { + unsigned long ret; + +@@ -82,12 +87,16 @@ static __always_inline unsigned long __must_check + __copy_to_user(void __user *to, const void *from, unsigned long n) + { + might_fault(); ++ + return __copy_to_user_inatomic(to, from, n); + } + + static __always_inline unsigned long + __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n) + { ++ if ((long)n < 0) ++ return n; ++ + /* Avoid zeroing the tail if the copy fails.. + * If 'n' is constant and 1, 2, or 4, we do still zero on a failure, + * but as the zeroing behaviour is only significant when n is not +@@ -137,6 +146,12 @@ static __always_inline unsigned long + __copy_from_user(void *to, const void __user *from, unsigned long n) + { + might_fault(); ++ ++ if ((long)n < 0) ++ return n; ++ ++ check_object_size(to, n, false); ++ + if (__builtin_constant_p(n)) { + unsigned long ret; + +@@ -159,6 +174,10 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to, + const void __user *from, unsigned long n) + { + might_fault(); ++ ++ if ((long)n < 0) ++ return n; ++ + if (__builtin_constant_p(n)) { + unsigned long ret; + +@@ -181,7 +200,10 @@ static __always_inline unsigned long + __copy_from_user_inatomic_nocache(void *to, const void __user *from, + unsigned long n) + { +- return __copy_from_user_ll_nocache_nozero(to, from, n); ++ if ((long)n < 0) ++ return n; ++ ++ return __copy_from_user_ll_nocache_nozero(to, from, n); + } + + #endif /* _ASM_X86_UACCESS_32_H */ +diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h +index 12a26b9..206c200 100644 +--- a/arch/x86/include/asm/uaccess_64.h ++++ b/arch/x86/include/asm/uaccess_64.h +@@ -10,6 +10,9 @@ + #include + #include + #include ++#include ++ ++#define set_fs(x) (current_thread_info()->addr_limit = (x)) + + /* + * Copy To/From Userspace +@@ -17,14 +20,14 @@ + + /* Handles exceptions in both to and from, but doesn't do access_ok */ + __must_check unsigned long +-copy_user_enhanced_fast_string(void *to, const void *from, unsigned len); ++copy_user_enhanced_fast_string(void *to, const void *from, unsigned len) __size_overflow(3); + __must_check unsigned long +-copy_user_generic_string(void *to, const void *from, unsigned len); ++copy_user_generic_string(void *to, const void *from, unsigned len) __size_overflow(3); + __must_check unsigned long +-copy_user_generic_unrolled(void *to, const void *from, unsigned len); ++copy_user_generic_unrolled(void *to, const void *from, unsigned len) __size_overflow(3); + + static __always_inline __must_check unsigned long +-copy_user_generic(void *to, const void *from, unsigned len) ++copy_user_generic(void *to, const void *from, unsigned long len) + { + unsigned ret; + +@@ -46,121 +49,170 @@ copy_user_generic(void *to, const void *from, unsigned len) + } + + __must_check unsigned long +-copy_in_user(void __user *to, const void __user *from, unsigned len); ++copy_in_user(void __user *to, const void __user *from, unsigned long len); + + static __always_inline __must_check +-int __copy_from_user_nocheck(void *dst, const void __user *src, unsigned size) ++unsigned long __copy_from_user_nocheck(void *dst, const void __user *src, unsigned long size) + { +- int ret = 0; ++ size_t sz = __compiletime_object_size(dst); ++ unsigned ret = 0; ++ ++ if (size > INT_MAX) ++ return size; ++ ++ check_object_size(dst, size, false); ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (!access_ok_noprefault(VERIFY_READ, src, size)) ++ return size; ++#endif ++ ++ if (unlikely(sz != (size_t)-1 && sz < size)) { ++ if(__builtin_constant_p(size)) ++ copy_from_user_overflow(); ++ else ++ __copy_from_user_overflow(sz, size); ++ return size; ++ } + + if (!__builtin_constant_p(size)) +- return copy_user_generic(dst, (__force void *)src, size); ++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size); + switch (size) { +- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src, ++ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src, + ret, "b", "b", "=q", 1); + return ret; +- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src, ++ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src, + ret, "w", "w", "=r", 2); + return ret; +- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src, ++ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src, + ret, "l", "k", "=r", 4); + return ret; +- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src, ++ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src, + ret, "q", "", "=r", 8); + return ret; + case 10: +- __get_user_asm(*(u64 *)dst, (u64 __user *)src, ++ __get_user_asm(*(u64 *)dst, (const u64 __user *)src, + ret, "q", "", "=r", 10); + if (unlikely(ret)) + return ret; + __get_user_asm(*(u16 *)(8 + (char *)dst), +- (u16 __user *)(8 + (char __user *)src), ++ (const u16 __user *)(8 + (const char __user *)src), + ret, "w", "w", "=r", 2); + return ret; + case 16: +- __get_user_asm(*(u64 *)dst, (u64 __user *)src, ++ __get_user_asm(*(u64 *)dst, (const u64 __user *)src, + ret, "q", "", "=r", 16); + if (unlikely(ret)) + return ret; + __get_user_asm(*(u64 *)(8 + (char *)dst), +- (u64 __user *)(8 + (char __user *)src), ++ (const u64 __user *)(8 + (const char __user *)src), + ret, "q", "", "=r", 8); + return ret; + default: +- return copy_user_generic(dst, (__force void *)src, size); ++ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size); + } + } + + static __always_inline __must_check +-int __copy_from_user(void *dst, const void __user *src, unsigned size) ++unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size) + { + might_fault(); + return __copy_from_user_nocheck(dst, src, size); + } + + static __always_inline __must_check +-int __copy_to_user_nocheck(void __user *dst, const void *src, unsigned size) ++unsigned long __copy_to_user_nocheck(void __user *dst, const void *src, unsigned long size) + { +- int ret = 0; ++ size_t sz = __compiletime_object_size(src); ++ unsigned ret = 0; ++ ++ if (size > INT_MAX) ++ return size; ++ ++ check_object_size(src, size, true); ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (!access_ok_noprefault(VERIFY_WRITE, dst, size)) ++ return size; ++#endif ++ ++ if (unlikely(sz != (size_t)-1 && sz < size)) { ++ if(__builtin_constant_p(size)) ++ copy_to_user_overflow(); ++ else ++ __copy_to_user_overflow(sz, size); ++ return size; ++ } + + if (!__builtin_constant_p(size)) +- return copy_user_generic((__force void *)dst, src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), src, size); + switch (size) { +- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst, ++ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst, + ret, "b", "b", "iq", 1); + return ret; +- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst, ++ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst, + ret, "w", "w", "ir", 2); + return ret; +- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst, ++ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst, + ret, "l", "k", "ir", 4); + return ret; +- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst, ++ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst, + ret, "q", "", "er", 8); + return ret; + case 10: +- __put_user_asm(*(u64 *)src, (u64 __user *)dst, ++ __put_user_asm(*(const u64 *)src, (u64 __user *)dst, + ret, "q", "", "er", 10); + if (unlikely(ret)) + return ret; + asm("":::"memory"); +- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst, ++ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst, + ret, "w", "w", "ir", 2); + return ret; + case 16: +- __put_user_asm(*(u64 *)src, (u64 __user *)dst, ++ __put_user_asm(*(const u64 *)src, (u64 __user *)dst, + ret, "q", "", "er", 16); + if (unlikely(ret)) + return ret; + asm("":::"memory"); +- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst, ++ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst, + ret, "q", "", "er", 8); + return ret; + default: +- return copy_user_generic((__force void *)dst, src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), src, size); + } + } + + static __always_inline __must_check +-int __copy_to_user(void __user *dst, const void *src, unsigned size) ++unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size) + { + might_fault(); + return __copy_to_user_nocheck(dst, src, size); + } + + static __always_inline __must_check +-int __copy_in_user(void __user *dst, const void __user *src, unsigned size) ++unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size) + { +- int ret = 0; ++ unsigned ret = 0; + + might_fault(); ++ ++ if (size > INT_MAX) ++ return size; ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (!access_ok_noprefault(VERIFY_READ, src, size)) ++ return size; ++ if (!access_ok_noprefault(VERIFY_WRITE, dst, size)) ++ return size; ++#endif ++ + if (!__builtin_constant_p(size)) +- return copy_user_generic((__force void *)dst, +- (__force void *)src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), ++ (__force_kernel const void *)____m(src), size); + switch (size) { + case 1: { + u8 tmp; +- __get_user_asm(tmp, (u8 __user *)src, ++ __get_user_asm(tmp, (const u8 __user *)src, + ret, "b", "b", "=q", 1); + if (likely(!ret)) + __put_user_asm(tmp, (u8 __user *)dst, +@@ -169,7 +221,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) + } + case 2: { + u16 tmp; +- __get_user_asm(tmp, (u16 __user *)src, ++ __get_user_asm(tmp, (const u16 __user *)src, + ret, "w", "w", "=r", 2); + if (likely(!ret)) + __put_user_asm(tmp, (u16 __user *)dst, +@@ -179,7 +231,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) + + case 4: { + u32 tmp; +- __get_user_asm(tmp, (u32 __user *)src, ++ __get_user_asm(tmp, (const u32 __user *)src, + ret, "l", "k", "=r", 4); + if (likely(!ret)) + __put_user_asm(tmp, (u32 __user *)dst, +@@ -188,7 +240,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) + } + case 8: { + u64 tmp; +- __get_user_asm(tmp, (u64 __user *)src, ++ __get_user_asm(tmp, (const u64 __user *)src, + ret, "q", "", "=r", 8); + if (likely(!ret)) + __put_user_asm(tmp, (u64 __user *)dst, +@@ -196,41 +248,58 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size) + return ret; + } + default: +- return copy_user_generic((__force void *)dst, +- (__force void *)src, size); ++ return copy_user_generic((__force_kernel void *)____m(dst), ++ (__force_kernel const void *)____m(src), size); + } + } + +-static __must_check __always_inline int +-__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size) ++static __must_check __always_inline unsigned long ++__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size) + { + return __copy_from_user_nocheck(dst, src, size); + } + +-static __must_check __always_inline int +-__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size) ++static __must_check __always_inline unsigned long ++__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size) + { + return __copy_to_user_nocheck(dst, src, size); + } + +-extern long __copy_user_nocache(void *dst, const void __user *src, +- unsigned size, int zerorest); ++extern unsigned long __copy_user_nocache(void *dst, const void __user *src, ++ unsigned long size, int zerorest); + +-static inline int +-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size) ++static inline unsigned long ++__copy_from_user_nocache(void *dst, const void __user *src, unsigned long size) + { + might_fault(); ++ ++ if (size > INT_MAX) ++ return size; ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (!access_ok_noprefault(VERIFY_READ, src, size)) ++ return size; ++#endif ++ + return __copy_user_nocache(dst, src, size, 1); + } + +-static inline int ++static inline unsigned long + __copy_from_user_inatomic_nocache(void *dst, const void __user *src, +- unsigned size) ++ unsigned long size) + { ++ if (size > INT_MAX) ++ return size; ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (!access_ok_noprefault(VERIFY_READ, src, size)) ++ return size; ++#endif ++ + return __copy_user_nocache(dst, src, size, 0); + } + + unsigned long +-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest); ++copy_user_handle_tail(char __user *to, char __user *from, unsigned long len, unsigned zerorest) __size_overflow(3); + + #endif /* _ASM_X86_UACCESS_64_H */ +diff --git a/arch/x86/include/asm/word-at-a-time.h b/arch/x86/include/asm/word-at-a-time.h +index 5b238981..77fdd78 100644 +--- a/arch/x86/include/asm/word-at-a-time.h ++++ b/arch/x86/include/asm/word-at-a-time.h +@@ -11,7 +11,7 @@ + * and shift, for example. + */ + struct word_at_a_time { +- const unsigned long one_bits, high_bits; ++ unsigned long one_bits, high_bits; + }; + + #define WORD_AT_A_TIME_CONSTANTS { REPEAT_BYTE(0x01), REPEAT_BYTE(0x80) } +diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h +index e45e4da..44e8572 100644 +--- a/arch/x86/include/asm/x86_init.h ++++ b/arch/x86/include/asm/x86_init.h +@@ -129,7 +129,7 @@ struct x86_init_ops { + struct x86_init_timers timers; + struct x86_init_iommu iommu; + struct x86_init_pci pci; +-}; ++} __no_const; + + /** + * struct x86_cpuinit_ops - platform specific cpu hotplug setups +@@ -140,7 +140,7 @@ struct x86_cpuinit_ops { + void (*setup_percpu_clockev)(void); + void (*early_percpu_clock_init)(void); + void (*fixup_cpu_id)(struct cpuinfo_x86 *c, int node); +-}; ++} __no_const; + + struct timespec; + +@@ -168,7 +168,7 @@ struct x86_platform_ops { + void (*save_sched_clock_state)(void); + void (*restore_sched_clock_state)(void); + void (*apic_post_init)(void); +-}; ++} __no_const; + + struct pci_dev; + struct msi_msg; +@@ -185,7 +185,7 @@ struct x86_msi_ops { + int (*setup_hpet_msi)(unsigned int irq, unsigned int id); + u32 (*msi_mask_irq)(struct msi_desc *desc, u32 mask, u32 flag); + u32 (*msix_mask_irq)(struct msi_desc *desc, u32 flag); +-}; ++} __no_const; + + struct IO_APIC_route_entry; + struct io_apic_irq_attr; +@@ -206,7 +206,7 @@ struct x86_io_apic_ops { + unsigned int destination, int vector, + struct io_apic_irq_attr *attr); + void (*eoi_ioapic_pin)(int apic, int pin, int vector); +-}; ++} __no_const; + + extern struct x86_init_ops x86_init; + extern struct x86_cpuinit_ops x86_cpuinit; +diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h +index 3e276eb..2eb3c30 100644 +--- a/arch/x86/include/asm/xen/page.h ++++ b/arch/x86/include/asm/xen/page.h +@@ -56,7 +56,7 @@ extern int m2p_remove_override(struct page *page, + extern struct page *m2p_find_override(unsigned long mfn); + extern unsigned long m2p_find_override_pfn(unsigned long mfn, unsigned long pfn); + +-static inline unsigned long pfn_to_mfn(unsigned long pfn) ++static inline unsigned long __intentional_overflow(-1) pfn_to_mfn(unsigned long pfn) + { + unsigned long mfn; + +diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h +index 5547389..da68716 100644 +--- a/arch/x86/include/asm/xsave.h ++++ b/arch/x86/include/asm/xsave.h +@@ -76,8 +76,11 @@ static inline int xsave_user(struct xsave_struct __user *buf) + if (unlikely(err)) + return -EFAULT; + ++ pax_open_userland(); + __asm__ __volatile__(ASM_STAC "\n" +- "1: .byte " REX_PREFIX "0x0f,0xae,0x27\n" ++ "1:" ++ __copyuser_seg ++ ".byte " REX_PREFIX "0x0f,0xae,0x27\n" + "2: " ASM_CLAC "\n" + ".section .fixup,\"ax\"\n" + "3: movl $-1,%[err]\n" +@@ -87,18 +90,22 @@ static inline int xsave_user(struct xsave_struct __user *buf) + : [err] "=r" (err) + : "D" (buf), "a" (-1), "d" (-1), "0" (0) + : "memory"); ++ pax_close_userland(); + return err; + } + + static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) + { + int err; +- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf); ++ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf); + u32 lmask = mask; + u32 hmask = mask >> 32; + ++ pax_open_userland(); + __asm__ __volatile__(ASM_STAC "\n" +- "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n" ++ "1:" ++ __copyuser_seg ++ ".byte " REX_PREFIX "0x0f,0xae,0x2f\n" + "2: " ASM_CLAC "\n" + ".section .fixup,\"ax\"\n" + "3: movl $-1,%[err]\n" +@@ -108,6 +115,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) + : [err] "=r" (err) + : "D" (xstate), "a" (lmask), "d" (hmask), "0" (0) + : "memory"); /* memory required? */ ++ pax_close_userland(); + return err; + } + +diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h +index bbae024..e1528f9 100644 +--- a/arch/x86/include/uapi/asm/e820.h ++++ b/arch/x86/include/uapi/asm/e820.h +@@ -63,7 +63,7 @@ struct e820map { + #define ISA_START_ADDRESS 0xa0000 + #define ISA_END_ADDRESS 0x100000 + +-#define BIOS_BEGIN 0x000a0000 ++#define BIOS_BEGIN 0x000c0000 + #define BIOS_END 0x00100000 + + #define BIOS_ROM_BASE 0xffe00000 +diff --git a/arch/x86/include/uapi/asm/ptrace-abi.h b/arch/x86/include/uapi/asm/ptrace-abi.h +index 7b0a55a..ad115bf 100644 +--- a/arch/x86/include/uapi/asm/ptrace-abi.h ++++ b/arch/x86/include/uapi/asm/ptrace-abi.h +@@ -49,7 +49,6 @@ + #define EFLAGS 144 + #define RSP 152 + #define SS 160 +-#define ARGOFFSET R11 + #endif /* __ASSEMBLY__ */ + + /* top of stack page */ +diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile +index cb648c8..91cb07e 100644 +--- a/arch/x86/kernel/Makefile ++++ b/arch/x86/kernel/Makefile +@@ -24,7 +24,7 @@ obj-y += time.o ioport.o ldt.o dumpstack.o nmi.o + obj-y += setup.o x86_init.o i8259.o irqinit.o jump_label.o + obj-$(CONFIG_IRQ_WORK) += irq_work.o + obj-y += probe_roms.o +-obj-$(CONFIG_X86_32) += i386_ksyms_32.o ++obj-$(CONFIG_X86_32) += sys_i386_32.o i386_ksyms_32.o + obj-$(CONFIG_X86_64) += sys_x86_64.o x8664_ksyms_64.o + obj-y += syscall_$(BITS).o + obj-$(CONFIG_X86_64) += vsyscall_64.o +diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c +index 1dac942..19c8b0c 100644 +--- a/arch/x86/kernel/acpi/boot.c ++++ b/arch/x86/kernel/acpi/boot.c +@@ -1312,7 +1312,7 @@ static int __init dmi_ignore_irq0_timer_override(const struct dmi_system_id *d) + * If your system is blacklisted here, but you find that acpi=force + * works for you, please contact linux-acpi@vger.kernel.org + */ +-static struct dmi_system_id __initdata acpi_dmi_table[] = { ++static const struct dmi_system_id __initconst acpi_dmi_table[] = { + /* + * Boxes that need ACPI disabled + */ +@@ -1387,7 +1387,7 @@ static struct dmi_system_id __initdata acpi_dmi_table[] = { + }; + + /* second table for DMI checks that should run after early-quirks */ +-static struct dmi_system_id __initdata acpi_dmi_table_late[] = { ++static const struct dmi_system_id __initconst acpi_dmi_table_late[] = { + /* + * HP laptops which use a DSDT reporting as HP/SB400/10000, + * which includes some code which overrides all temperature +diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c +index 3a2ae4c..9db31d6 100644 +--- a/arch/x86/kernel/acpi/sleep.c ++++ b/arch/x86/kernel/acpi/sleep.c +@@ -99,8 +99,12 @@ int x86_acpi_suspend_lowlevel(void) + #else /* CONFIG_64BIT */ + #ifdef CONFIG_SMP + stack_start = (unsigned long)temp_stack + sizeof(temp_stack); ++ ++ pax_open_kernel(); + early_gdt_descr.address = + (unsigned long)get_cpu_gdt_table(smp_processor_id()); ++ pax_close_kernel(); ++ + initial_gs = per_cpu_offset(smp_processor_id()); + #endif + initial_code = (unsigned long)wakeup_long64; +diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S +index 665c6b7..eae4d56 100644 +--- a/arch/x86/kernel/acpi/wakeup_32.S ++++ b/arch/x86/kernel/acpi/wakeup_32.S +@@ -29,13 +29,11 @@ wakeup_pmode_return: + # and restore the stack ... but you need gdt for this to work + movl saved_context_esp, %esp + +- movl %cs:saved_magic, %eax +- cmpl $0x12345678, %eax ++ cmpl $0x12345678, saved_magic + jne bogus_magic + + # jump to place where we left off +- movl saved_eip, %eax +- jmp *%eax ++ jmp *(saved_eip) + + bogus_magic: + jmp bogus_magic +diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c +index df94598..f3b29bf 100644 +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -269,6 +269,13 @@ void __init_or_module apply_alternatives(struct alt_instr *start, + */ + for (a = start; a < end; a++) { + instr = (u8 *)&a->instr_offset + a->instr_offset; ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++ if (instr < (u8 *)_text || (u8 *)_einittext <= instr) ++ instr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++#endif ++ + replacement = (u8 *)&a->repl_offset + a->repl_offset; + BUG_ON(a->replacementlen > a->instrlen); + BUG_ON(a->instrlen > sizeof(insnbuf)); +@@ -300,10 +307,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end, + for (poff = start; poff < end; poff++) { + u8 *ptr = (u8 *)poff + *poff; + ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr) ++ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++#endif ++ + if (!*poff || ptr < text || ptr >= text_end) + continue; + /* turn DS segment override prefix into lock prefix */ +- if (*ptr == 0x3e) ++ if (*ktla_ktva(ptr) == 0x3e) + text_poke(ptr, ((unsigned char []){0xf0}), 1); + } + mutex_unlock(&text_mutex); +@@ -318,10 +331,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end, + for (poff = start; poff < end; poff++) { + u8 *ptr = (u8 *)poff + *poff; + ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr) ++ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++#endif ++ + if (!*poff || ptr < text || ptr >= text_end) + continue; + /* turn lock prefix into DS segment override prefix */ +- if (*ptr == 0xf0) ++ if (*ktla_ktva(ptr) == 0xf0) + text_poke(ptr, ((unsigned char []){0x3E}), 1); + } + mutex_unlock(&text_mutex); +@@ -458,7 +477,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start, + + BUG_ON(p->len > MAX_PATCH_LEN); + /* prep the buffer with the original instructions */ +- memcpy(insnbuf, p->instr, p->len); ++ memcpy(insnbuf, ktla_ktva(p->instr), p->len); + used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf, + (unsigned long)p->instr, p->len); + +@@ -505,7 +524,7 @@ void __init alternative_instructions(void) + if (!uniproc_patched || num_possible_cpus() == 1) + free_init_pages("SMP alternatives", + (unsigned long)__smp_locks, +- (unsigned long)__smp_locks_end); ++ PAGE_ALIGN((unsigned long)__smp_locks_end)); + #endif + + apply_paravirt(__parainstructions, __parainstructions_end); +@@ -525,13 +544,17 @@ void __init alternative_instructions(void) + * instructions. And on the local CPU you need to be protected again NMI or MCE + * handlers seeing an inconsistent instruction while you patch. + */ +-void *__init_or_module text_poke_early(void *addr, const void *opcode, ++void *__kprobes text_poke_early(void *addr, const void *opcode, + size_t len) + { + unsigned long flags; + local_irq_save(flags); +- memcpy(addr, opcode, len); ++ ++ pax_open_kernel(); ++ memcpy(ktla_ktva(addr), opcode, len); + sync_core(); ++ pax_close_kernel(); ++ + local_irq_restore(flags); + /* Could also do a CLFLUSH here to speed up CPU recovery; but + that causes hangs on some VIA CPUs. */ +@@ -553,36 +576,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode, + */ + void *__kprobes text_poke(void *addr, const void *opcode, size_t len) + { +- unsigned long flags; +- char *vaddr; ++ unsigned char *vaddr = ktla_ktva(addr); + struct page *pages[2]; +- int i; ++ size_t i; + + if (!core_kernel_text((unsigned long)addr)) { +- pages[0] = vmalloc_to_page(addr); +- pages[1] = vmalloc_to_page(addr + PAGE_SIZE); ++ pages[0] = vmalloc_to_page(vaddr); ++ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE); + } else { +- pages[0] = virt_to_page(addr); ++ pages[0] = virt_to_page(vaddr); + WARN_ON(!PageReserved(pages[0])); +- pages[1] = virt_to_page(addr + PAGE_SIZE); ++ pages[1] = virt_to_page(vaddr + PAGE_SIZE); + } + BUG_ON(!pages[0]); +- local_irq_save(flags); +- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0])); +- if (pages[1]) +- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1])); +- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0); +- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len); +- clear_fixmap(FIX_TEXT_POKE0); +- if (pages[1]) +- clear_fixmap(FIX_TEXT_POKE1); +- local_flush_tlb(); +- sync_core(); +- /* Could also do a CLFLUSH here to speed up CPU recovery; but +- that causes hangs on some VIA CPUs. */ ++ text_poke_early(addr, opcode, len); + for (i = 0; i < len; i++) +- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]); +- local_irq_restore(flags); ++ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]); + return addr; + } + +@@ -602,7 +611,7 @@ int poke_int3_handler(struct pt_regs *regs) + if (likely(!bp_patching_in_progress)) + return 0; + +- if (user_mode_vm(regs) || regs->ip != (unsigned long)bp_int3_addr) ++ if (user_mode(regs) || regs->ip != (unsigned long)bp_int3_addr) + return 0; + + /* set up the specified breakpoint handler */ +@@ -636,7 +645,7 @@ int poke_int3_handler(struct pt_regs *regs) + */ + void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler) + { +- unsigned char int3 = 0xcc; ++ const unsigned char int3 = 0xcc; + + bp_int3_handler = handler; + bp_int3_addr = (u8 *)addr + sizeof(int3); +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 7f26c9a..694544e 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -198,7 +198,7 @@ int first_system_vector = 0xfe; + /* + * Debug level, exported for io_apic.c + */ +-unsigned int apic_verbosity; ++int apic_verbosity; + + int pic_mode; + +@@ -1992,7 +1992,7 @@ static inline void __smp_error_interrupt(struct pt_regs *regs) + apic_write(APIC_ESR, 0); + v = apic_read(APIC_ESR); + ack_APIC_irq(); +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + + apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x", + smp_processor_id(), v); +diff --git a/arch/x86/kernel/apic/apic_flat_64.c b/arch/x86/kernel/apic/apic_flat_64.c +index 2c621a6..fa2b1ae 100644 +--- a/arch/x86/kernel/apic/apic_flat_64.c ++++ b/arch/x86/kernel/apic/apic_flat_64.c +@@ -154,7 +154,7 @@ static int flat_probe(void) + return 1; + } + +-static struct apic apic_flat = { ++static struct apic apic_flat __read_only = { + .name = "flat", + .probe = flat_probe, + .acpi_madt_oem_check = flat_acpi_madt_oem_check, +@@ -268,7 +268,7 @@ static int physflat_probe(void) + return 0; + } + +-static struct apic apic_physflat = { ++static struct apic apic_physflat __read_only = { + + .name = "physical flat", + .probe = physflat_probe, +diff --git a/arch/x86/kernel/apic/apic_noop.c b/arch/x86/kernel/apic/apic_noop.c +index 191ce75..2db6d63 100644 +--- a/arch/x86/kernel/apic/apic_noop.c ++++ b/arch/x86/kernel/apic/apic_noop.c +@@ -118,7 +118,7 @@ static void noop_apic_write(u32 reg, u32 v) + WARN_ON_ONCE(cpu_has_apic && !disable_apic); + } + +-struct apic apic_noop = { ++struct apic apic_noop __read_only = { + .name = "noop", + .probe = noop_probe, + .acpi_madt_oem_check = NULL, +diff --git a/arch/x86/kernel/apic/bigsmp_32.c b/arch/x86/kernel/apic/bigsmp_32.c +index d50e364..543bee3 100644 +--- a/arch/x86/kernel/apic/bigsmp_32.c ++++ b/arch/x86/kernel/apic/bigsmp_32.c +@@ -152,7 +152,7 @@ static int probe_bigsmp(void) + return dmi_bigsmp; + } + +-static struct apic apic_bigsmp = { ++static struct apic apic_bigsmp __read_only = { + + .name = "bigsmp", + .probe = probe_bigsmp, +diff --git a/arch/x86/kernel/apic/es7000_32.c b/arch/x86/kernel/apic/es7000_32.c +index c552247..587a316 100644 +--- a/arch/x86/kernel/apic/es7000_32.c ++++ b/arch/x86/kernel/apic/es7000_32.c +@@ -608,8 +608,7 @@ static int es7000_mps_oem_check_cluster(struct mpc_table *mpc, char *oem, + return ret && es7000_apic_is_cluster(); + } + +-/* We've been warned by a false positive warning.Use __refdata to keep calm. */ +-static struct apic __refdata apic_es7000_cluster = { ++static struct apic apic_es7000_cluster __read_only = { + + .name = "es7000", + .probe = probe_es7000, +@@ -675,7 +674,7 @@ static struct apic __refdata apic_es7000_cluster = { + .x86_32_early_logical_apicid = es7000_early_logical_apicid, + }; + +-static struct apic __refdata apic_es7000 = { ++static struct apic apic_es7000 __read_only = { + + .name = "es7000", + .probe = probe_es7000, +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index 6ad4658..38a7b5c 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -1057,7 +1057,7 @@ int IO_APIC_get_PCI_irq_vector(int bus, int slot, int pin, + } + EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector); + +-void lock_vector_lock(void) ++void lock_vector_lock(void) __acquires(vector_lock) + { + /* Used to the online set of cpus does not change + * during assign_irq_vector. +@@ -1065,7 +1065,7 @@ void lock_vector_lock(void) + raw_spin_lock(&vector_lock); + } + +-void unlock_vector_lock(void) ++void unlock_vector_lock(void) __releases(vector_lock) + { + raw_spin_unlock(&vector_lock); + } +@@ -2364,7 +2364,7 @@ static void ack_apic_edge(struct irq_data *data) + ack_APIC_irq(); + } + +-atomic_t irq_mis_count; ++atomic_unchecked_t irq_mis_count; + + #ifdef CONFIG_GENERIC_PENDING_IRQ + static bool io_apic_level_ack_pending(struct irq_cfg *cfg) +@@ -2505,7 +2505,7 @@ static void ack_apic_level(struct irq_data *data) + * at the cpu. + */ + if (!(v & (1 << (i & 0x1f)))) { +- atomic_inc(&irq_mis_count); ++ atomic_inc_unchecked(&irq_mis_count); + + eoi_ioapic_irq(irq, cfg); + } +diff --git a/arch/x86/kernel/apic/numaq_32.c b/arch/x86/kernel/apic/numaq_32.c +index 1e42e8f..daacf44 100644 +--- a/arch/x86/kernel/apic/numaq_32.c ++++ b/arch/x86/kernel/apic/numaq_32.c +@@ -455,8 +455,7 @@ static void numaq_setup_portio_remap(void) + (u_long) xquad_portio, (u_long) num_quads*XQUAD_PORTIO_QUAD); + } + +-/* Use __refdata to keep false positive warning calm. */ +-static struct apic __refdata apic_numaq = { ++static struct apic apic_numaq __read_only = { + + .name = "NUMAQ", + .probe = probe_numaq, +diff --git a/arch/x86/kernel/apic/probe_32.c b/arch/x86/kernel/apic/probe_32.c +index eb35ef9..f184a21 100644 +--- a/arch/x86/kernel/apic/probe_32.c ++++ b/arch/x86/kernel/apic/probe_32.c +@@ -72,7 +72,7 @@ static int probe_default(void) + return 1; + } + +-static struct apic apic_default = { ++static struct apic apic_default __read_only = { + + .name = "default", + .probe = probe_default, +diff --git a/arch/x86/kernel/apic/summit_32.c b/arch/x86/kernel/apic/summit_32.c +index 00146f9..5e299b8 100644 +--- a/arch/x86/kernel/apic/summit_32.c ++++ b/arch/x86/kernel/apic/summit_32.c +@@ -485,7 +485,7 @@ void setup_summit(void) + } + #endif + +-static struct apic apic_summit = { ++static struct apic apic_summit __read_only = { + + .name = "summit", + .probe = probe_summit, +diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c +index cac85ee..01fa741 100644 +--- a/arch/x86/kernel/apic/x2apic_cluster.c ++++ b/arch/x86/kernel/apic/x2apic_cluster.c +@@ -182,7 +182,7 @@ update_clusterinfo(struct notifier_block *nfb, unsigned long action, void *hcpu) + return notifier_from_errno(err); + } + +-static struct notifier_block __refdata x2apic_cpu_notifier = { ++static struct notifier_block x2apic_cpu_notifier = { + .notifier_call = update_clusterinfo, + }; + +@@ -234,7 +234,7 @@ static void cluster_vector_allocation_domain(int cpu, struct cpumask *retmask, + cpumask_and(retmask, mask, per_cpu(cpus_in_cluster, cpu)); + } + +-static struct apic apic_x2apic_cluster = { ++static struct apic apic_x2apic_cluster __read_only = { + + .name = "cluster x2apic", + .probe = x2apic_cluster_probe, +diff --git a/arch/x86/kernel/apic/x2apic_phys.c b/arch/x86/kernel/apic/x2apic_phys.c +index de231e3..1d1b2ee 100644 +--- a/arch/x86/kernel/apic/x2apic_phys.c ++++ b/arch/x86/kernel/apic/x2apic_phys.c +@@ -88,7 +88,7 @@ static int x2apic_phys_probe(void) + return apic == &apic_x2apic_phys; + } + +-static struct apic apic_x2apic_phys = { ++static struct apic apic_x2apic_phys __read_only = { + + .name = "physical x2apic", + .probe = x2apic_phys_probe, +diff --git a/arch/x86/kernel/apic/x2apic_uv_x.c b/arch/x86/kernel/apic/x2apic_uv_x.c +index d263b13..963258b 100644 +--- a/arch/x86/kernel/apic/x2apic_uv_x.c ++++ b/arch/x86/kernel/apic/x2apic_uv_x.c +@@ -350,7 +350,7 @@ static int uv_probe(void) + return apic == &apic_x2apic_uv_x; + } + +-static struct apic __refdata apic_x2apic_uv_x = { ++static struct apic apic_x2apic_uv_x __read_only = { + + .name = "UV large system", + .probe = uv_probe, +diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c +index 3ab0343..814c4787 100644 +--- a/arch/x86/kernel/apm_32.c ++++ b/arch/x86/kernel/apm_32.c +@@ -433,7 +433,7 @@ static DEFINE_MUTEX(apm_mutex); + * This is for buggy BIOS's that refer to (real mode) segment 0x40 + * even though they are called in protected mode. + */ +-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092, ++static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093, + (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1); + + static const char driver_version[] = "1.16ac"; /* no spaces */ +@@ -611,7 +611,10 @@ static long __apm_bios_call(void *_call) + BUG_ON(cpu != 0); + gdt = get_cpu_gdt_table(cpu); + save_desc_40 = gdt[0x40 / 8]; ++ ++ pax_open_kernel(); + gdt[0x40 / 8] = bad_bios_desc; ++ pax_close_kernel(); + + apm_irq_save(flags); + APM_DO_SAVE_SEGS; +@@ -620,7 +623,11 @@ static long __apm_bios_call(void *_call) + &call->esi); + APM_DO_RESTORE_SEGS; + apm_irq_restore(flags); ++ ++ pax_open_kernel(); + gdt[0x40 / 8] = save_desc_40; ++ pax_close_kernel(); ++ + put_cpu(); + + return call->eax & 0xff; +@@ -687,7 +694,10 @@ static long __apm_bios_call_simple(void *_call) + BUG_ON(cpu != 0); + gdt = get_cpu_gdt_table(cpu); + save_desc_40 = gdt[0x40 / 8]; ++ ++ pax_open_kernel(); + gdt[0x40 / 8] = bad_bios_desc; ++ pax_close_kernel(); + + apm_irq_save(flags); + APM_DO_SAVE_SEGS; +@@ -695,7 +705,11 @@ static long __apm_bios_call_simple(void *_call) + &call->eax); + APM_DO_RESTORE_SEGS; + apm_irq_restore(flags); ++ ++ pax_open_kernel(); + gdt[0x40 / 8] = save_desc_40; ++ pax_close_kernel(); ++ + put_cpu(); + return error; + } +@@ -2362,12 +2376,15 @@ static int __init apm_init(void) + * code to that CPU. + */ + gdt = get_cpu_gdt_table(0); ++ ++ pax_open_kernel(); + set_desc_base(&gdt[APM_CS >> 3], + (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4)); + set_desc_base(&gdt[APM_CS_16 >> 3], + (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4)); + set_desc_base(&gdt[APM_DS >> 3], + (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4)); ++ pax_close_kernel(); + + proc_create("apm", 0, NULL, &apm_file_ops); + +diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c +index 9f6b934..cf5ffb3 100644 +--- a/arch/x86/kernel/asm-offsets.c ++++ b/arch/x86/kernel/asm-offsets.c +@@ -32,6 +32,8 @@ void common(void) { + OFFSET(TI_flags, thread_info, flags); + OFFSET(TI_status, thread_info, status); + OFFSET(TI_addr_limit, thread_info, addr_limit); ++ OFFSET(TI_lowest_stack, thread_info, lowest_stack); ++ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo)); + + BLANK(); + OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx); +@@ -52,8 +54,26 @@ void common(void) { + OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit); + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0); + OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2); ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0); + #endif + ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3); ++ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3); ++#ifdef CONFIG_X86_64 ++ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched); ++#endif ++#endif ++ ++#endif ++ ++ BLANK(); ++ DEFINE(PAGE_SIZE_asm, PAGE_SIZE); ++ DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT); ++ DEFINE(THREAD_SIZE_asm, THREAD_SIZE); ++ + #ifdef CONFIG_XEN + BLANK(); + OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask); +diff --git a/arch/x86/kernel/asm-offsets_64.c b/arch/x86/kernel/asm-offsets_64.c +index e7c798b..2b2019b 100644 +--- a/arch/x86/kernel/asm-offsets_64.c ++++ b/arch/x86/kernel/asm-offsets_64.c +@@ -77,6 +77,7 @@ int main(void) + BLANK(); + #undef ENTRY + ++ DEFINE(TSS_size, sizeof(struct tss_struct)); + OFFSET(TSS_ist, tss_struct, x86_tss.ist); + BLANK(); + +diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile +index 7fd54f0..0691410 100644 +--- a/arch/x86/kernel/cpu/Makefile ++++ b/arch/x86/kernel/cpu/Makefile +@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg + CFLAGS_REMOVE_perf_event.o = -pg + endif + +-# Make sure load_percpu_segment has no stackprotector +-nostackp := $(call cc-option, -fno-stack-protector) +-CFLAGS_common.o := $(nostackp) +- + obj-y := intel_cacheinfo.o scattered.o topology.o + obj-y += proc.o capflags.o powerflags.o common.o + obj-y += rdrand.o +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index c67ffa6..f41fbbf 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -752,7 +752,7 @@ static void init_amd(struct cpuinfo_x86 *c) + static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size) + { + /* AMD errata T13 (order #21922) */ +- if ((c->x86 == 6)) { ++ if (c->x86 == 6) { + /* Duron Rev A0 */ + if (c->x86_model == 3 && c->x86_mask == 0) + size = 64; +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 8e28bf2..bf5c0d2 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -88,60 +88,6 @@ static const struct cpu_dev default_cpu = { + + static const struct cpu_dev *this_cpu = &default_cpu; + +-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = { +-#ifdef CONFIG_X86_64 +- /* +- * We need valid kernel segments for data and code in long mode too +- * IRET will check the segment types kkeil 2000/10/28 +- * Also sysret mandates a special GDT layout +- * +- * TLS descriptors are currently at a different place compared to i386. +- * Hopefully nobody expects them at a fixed place (Wine?) +- */ +- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff), +- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff), +- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff), +- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff), +- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff), +- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff), +-#else +- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff), +- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff), +- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff), +- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff), +- /* +- * Segments used for calling PnP BIOS have byte granularity. +- * They code segments and data segments have fixed 64k limits, +- * the transfer segment sizes are set at run time. +- */ +- /* 32-bit code */ +- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff), +- /* 16-bit code */ +- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff), +- /* 16-bit data */ +- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff), +- /* 16-bit data */ +- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0), +- /* 16-bit data */ +- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0), +- /* +- * The APM segments have byte granularity and their bases +- * are set at run time. All have 64k limits. +- */ +- /* 32-bit code */ +- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff), +- /* 16-bit code */ +- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff), +- /* data */ +- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff), +- +- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff), +- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff), +- GDT_STACK_CANARY_INIT +-#endif +-} }; +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page); +- + static int __init x86_xsave_setup(char *s) + { + setup_clear_cpu_cap(X86_FEATURE_XSAVE); +@@ -293,6 +239,59 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c) + } + } + ++#ifdef CONFIG_X86_64 ++static __init int setup_disable_pcid(char *arg) ++{ ++ setup_clear_cpu_cap(X86_FEATURE_PCID); ++ setup_clear_cpu_cap(X86_FEATURE_INVPCID); ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (clone_pgd_mask != ~(pgdval_t)0UL) ++ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT; ++#endif ++ ++ return 1; ++} ++__setup("nopcid", setup_disable_pcid); ++ ++static void setup_pcid(struct cpuinfo_x86 *c) ++{ ++ if (!cpu_has(c, X86_FEATURE_PCID)) { ++ clear_cpu_cap(c, X86_FEATURE_INVPCID); ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ if (clone_pgd_mask != ~(pgdval_t)0UL) { ++ pax_open_kernel(); ++ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT; ++ pax_close_kernel(); ++ printk("PAX: slow and weak UDEREF enabled\n"); ++ } else ++ printk("PAX: UDEREF disabled\n"); ++#endif ++ ++ return; ++ } ++ ++ printk("PAX: PCID detected\n"); ++ set_in_cr4(X86_CR4_PCIDE); ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pax_open_kernel(); ++ clone_pgd_mask = ~(pgdval_t)0UL; ++ pax_close_kernel(); ++ if (pax_user_shadow_base) ++ printk("PAX: weak UDEREF enabled\n"); ++ else { ++ set_cpu_cap(c, X86_FEATURE_STRONGUDEREF); ++ printk("PAX: strong UDEREF enabled\n"); ++ } ++#endif ++ ++ if (cpu_has(c, X86_FEATURE_INVPCID)) ++ printk("PAX: INVPCID detected\n"); ++} ++#endif ++ + /* + * Some CPU features depend on higher CPUID levels, which may not always + * be available due to CPUID level capping or broken virtualization +@@ -393,7 +392,7 @@ void switch_to_new_gdt(int cpu) + { + struct desc_ptr gdt_descr; + +- gdt_descr.address = (long)get_cpu_gdt_table(cpu); ++ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu); + gdt_descr.size = GDT_SIZE - 1; + load_gdt(&gdt_descr); + /* Reload the per-cpu base */ +@@ -883,6 +882,10 @@ static void identify_cpu(struct cpuinfo_x86 *c) + setup_smep(c); + setup_smap(c); + ++#ifdef CONFIG_X86_64 ++ setup_pcid(c); ++#endif ++ + /* + * The vendor-specific functions might have changed features. + * Now we do "generic changes." +@@ -891,6 +894,10 @@ static void identify_cpu(struct cpuinfo_x86 *c) + /* Filter out anything that depends on CPUID levels we don't have */ + filter_cpuid_features(c, true); + ++#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)) ++ setup_clear_cpu_cap(X86_FEATURE_SEP); ++#endif ++ + /* If the model name is still unset, do table lookup. */ + if (!c->x86_model_id[0]) { + const char *p; +@@ -1078,10 +1085,12 @@ static __init int setup_disablecpuid(char *arg) + } + __setup("clearcpuid=", setup_disablecpuid); + ++DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo; ++EXPORT_PER_CPU_SYMBOL(current_tinfo); ++ + #ifdef CONFIG_X86_64 +-struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table }; +-struct desc_ptr debug_idt_descr = { NR_VECTORS * 16 - 1, +- (unsigned long) debug_idt_table }; ++struct desc_ptr idt_descr __read_only = { NR_VECTORS * 16 - 1, (unsigned long) idt_table }; ++const struct desc_ptr debug_idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) debug_idt_table }; + + DEFINE_PER_CPU_FIRST(union irq_stack_union, + irq_stack_union) __aligned(PAGE_SIZE) __visible; +@@ -1095,7 +1104,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned = + EXPORT_PER_CPU_SYMBOL(current_task); + + DEFINE_PER_CPU(unsigned long, kernel_stack) = +- (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE; ++ (unsigned long)&init_thread_union - 16 + THREAD_SIZE; + EXPORT_PER_CPU_SYMBOL(kernel_stack); + + DEFINE_PER_CPU(char *, irq_stack_ptr) = +@@ -1245,7 +1254,7 @@ void cpu_init(void) + load_ucode_ap(); + + cpu = stack_smp_processor_id(); +- t = &per_cpu(init_tss, cpu); ++ t = init_tss + cpu; + oist = &per_cpu(orig_ist, cpu); + + #ifdef CONFIG_NUMA +@@ -1280,7 +1289,6 @@ void cpu_init(void) + wrmsrl(MSR_KERNEL_GS_BASE, 0); + barrier(); + +- x86_configure_nx(); + enable_x2apic(); + + /* +@@ -1332,7 +1340,7 @@ void cpu_init(void) + { + int cpu = smp_processor_id(); + struct task_struct *curr = current; +- struct tss_struct *t = &per_cpu(init_tss, cpu); ++ struct tss_struct *t = init_tss + cpu; + struct thread_struct *thread = &curr->thread; + + show_ucode_info_early(); +diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c +index 0641113..06f5ba4 100644 +--- a/arch/x86/kernel/cpu/intel_cacheinfo.c ++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c +@@ -1014,6 +1014,22 @@ static struct attribute *default_attrs[] = { + }; + + #ifdef CONFIG_AMD_NB ++static struct attribute *default_attrs_amd_nb[] = { ++ &type.attr, ++ &level.attr, ++ &coherency_line_size.attr, ++ &physical_line_partition.attr, ++ &ways_of_associativity.attr, ++ &number_of_sets.attr, ++ &size.attr, ++ &shared_cpu_map.attr, ++ &shared_cpu_list.attr, ++ NULL, ++ NULL, ++ NULL, ++ NULL ++}; ++ + static struct attribute **amd_l3_attrs(void) + { + static struct attribute **attrs; +@@ -1024,18 +1040,7 @@ static struct attribute **amd_l3_attrs(void) + + n = ARRAY_SIZE(default_attrs); + +- if (amd_nb_has_feature(AMD_NB_L3_INDEX_DISABLE)) +- n += 2; +- +- if (amd_nb_has_feature(AMD_NB_L3_PARTITIONING)) +- n += 1; +- +- attrs = kzalloc(n * sizeof (struct attribute *), GFP_KERNEL); +- if (attrs == NULL) +- return attrs = default_attrs; +- +- for (n = 0; default_attrs[n]; n++) +- attrs[n] = default_attrs[n]; ++ attrs = default_attrs_amd_nb; + + if (amd_nb_has_feature(AMD_NB_L3_INDEX_DISABLE)) { + attrs[n++] = &cache_disable_0.attr; +@@ -1086,6 +1091,13 @@ static struct kobj_type ktype_cache = { + .default_attrs = default_attrs, + }; + ++#ifdef CONFIG_AMD_NB ++static struct kobj_type ktype_cache_amd_nb = { ++ .sysfs_ops = &sysfs_ops, ++ .default_attrs = default_attrs_amd_nb, ++}; ++#endif ++ + static struct kobj_type ktype_percpu_entry = { + .sysfs_ops = &sysfs_ops, + }; +@@ -1151,20 +1163,26 @@ static int cache_add_dev(struct device *dev) + return retval; + } + ++#ifdef CONFIG_AMD_NB ++ amd_l3_attrs(); ++#endif ++ + for (i = 0; i < num_cache_leaves; i++) { ++ struct kobj_type *ktype; ++ + this_object = INDEX_KOBJECT_PTR(cpu, i); + this_object->cpu = cpu; + this_object->index = i; + + this_leaf = CPUID4_INFO_IDX(cpu, i); + +- ktype_cache.default_attrs = default_attrs; ++ ktype = &ktype_cache; + #ifdef CONFIG_AMD_NB + if (this_leaf->base.nb) +- ktype_cache.default_attrs = amd_l3_attrs(); ++ ktype = &ktype_cache_amd_nb; + #endif + retval = kobject_init_and_add(&(this_object->kobj), +- &ktype_cache, ++ ktype, + per_cpu(ici_cache_kobject, cpu), + "index%1lu", i); + if (unlikely(retval)) { +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index 4d5419b..95f11bb 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + #include "mce-internal.h" + +@@ -258,7 +259,7 @@ static void print_mce(struct mce *m) + !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "", + m->cs, m->ip); + +- if (m->cs == __KERNEL_CS) ++ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS) + print_symbol("{%s}", m->ip); + pr_cont("\n"); + } +@@ -291,10 +292,10 @@ static void print_mce(struct mce *m) + + #define PANIC_TIMEOUT 5 /* 5 seconds */ + +-static atomic_t mce_paniced; ++static atomic_unchecked_t mce_paniced; + + static int fake_panic; +-static atomic_t mce_fake_paniced; ++static atomic_unchecked_t mce_fake_paniced; + + /* Panic in progress. Enable interrupts and wait for final IPI */ + static void wait_for_panic(void) +@@ -318,7 +319,7 @@ static void mce_panic(char *msg, struct mce *final, char *exp) + /* + * Make sure only one CPU runs in machine check panic + */ +- if (atomic_inc_return(&mce_paniced) > 1) ++ if (atomic_inc_return_unchecked(&mce_paniced) > 1) + wait_for_panic(); + barrier(); + +@@ -326,7 +327,7 @@ static void mce_panic(char *msg, struct mce *final, char *exp) + console_verbose(); + } else { + /* Don't log too much for fake panic */ +- if (atomic_inc_return(&mce_fake_paniced) > 1) ++ if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1) + return; + } + /* First print corrected ones that are still unlogged */ +@@ -365,7 +366,7 @@ static void mce_panic(char *msg, struct mce *final, char *exp) + if (!fake_panic) { + if (panic_timeout == 0) + panic_timeout = mca_cfg.panic_timeout; +- panic(msg); ++ panic("%s", msg); + } else + pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg); + } +@@ -695,7 +696,7 @@ static int mce_timed_out(u64 *t) + * might have been modified by someone else. + */ + rmb(); +- if (atomic_read(&mce_paniced)) ++ if (atomic_read_unchecked(&mce_paniced)) + wait_for_panic(); + if (!mca_cfg.monarch_timeout) + goto out; +@@ -1666,7 +1667,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code) + } + + /* Call the installed machine check handler for this CPU setup. */ +-void (*machine_check_vector)(struct pt_regs *, long error_code) = ++void (*machine_check_vector)(struct pt_regs *, long error_code) __read_only = + unexpected_machine_check; + + /* +@@ -1689,7 +1690,9 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c) + return; + } + ++ pax_open_kernel(); + machine_check_vector = do_machine_check; ++ pax_close_kernel(); + + __mcheck_cpu_init_generic(); + __mcheck_cpu_init_vendor(c); +@@ -1703,7 +1706,7 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c) + */ + + static DEFINE_SPINLOCK(mce_chrdev_state_lock); +-static int mce_chrdev_open_count; /* #times opened */ ++static local_t mce_chrdev_open_count; /* #times opened */ + static int mce_chrdev_open_exclu; /* already open exclusive? */ + + static int mce_chrdev_open(struct inode *inode, struct file *file) +@@ -1711,7 +1714,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file) + spin_lock(&mce_chrdev_state_lock); + + if (mce_chrdev_open_exclu || +- (mce_chrdev_open_count && (file->f_flags & O_EXCL))) { ++ (local_read(&mce_chrdev_open_count) && (file->f_flags & O_EXCL))) { + spin_unlock(&mce_chrdev_state_lock); + + return -EBUSY; +@@ -1719,7 +1722,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file) + + if (file->f_flags & O_EXCL) + mce_chrdev_open_exclu = 1; +- mce_chrdev_open_count++; ++ local_inc(&mce_chrdev_open_count); + + spin_unlock(&mce_chrdev_state_lock); + +@@ -1730,7 +1733,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file) + { + spin_lock(&mce_chrdev_state_lock); + +- mce_chrdev_open_count--; ++ local_dec(&mce_chrdev_open_count); + mce_chrdev_open_exclu = 0; + + spin_unlock(&mce_chrdev_state_lock); +@@ -2406,7 +2409,7 @@ static __init void mce_init_banks(void) + + for (i = 0; i < mca_cfg.banks; i++) { + struct mce_bank *b = &mce_banks[i]; +- struct device_attribute *a = &b->attr; ++ device_attribute_no_const *a = &b->attr; + + sysfs_attr_init(&a->attr); + a->attr.name = b->attrname; +@@ -2474,7 +2477,7 @@ struct dentry *mce_get_debugfs_dir(void) + static void mce_reset(void) + { + cpu_missing = 0; +- atomic_set(&mce_fake_paniced, 0); ++ atomic_set_unchecked(&mce_fake_paniced, 0); + atomic_set(&mce_executing, 0); + atomic_set(&mce_callin, 0); + atomic_set(&global_nwo, 0); +diff --git a/arch/x86/kernel/cpu/mcheck/p5.c b/arch/x86/kernel/cpu/mcheck/p5.c +index a304298..49b6d06 100644 +--- a/arch/x86/kernel/cpu/mcheck/p5.c ++++ b/arch/x86/kernel/cpu/mcheck/p5.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + /* By default disabled */ + int mce_p5_enabled __read_mostly; +@@ -48,7 +49,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c) + if (!cpu_has(c, X86_FEATURE_MCE)) + return; + ++ pax_open_kernel(); + machine_check_vector = pentium_machine_check; ++ pax_close_kernel(); + /* Make sure the vector pointer is visible before we enable MCEs: */ + wmb(); + +diff --git a/arch/x86/kernel/cpu/mcheck/winchip.c b/arch/x86/kernel/cpu/mcheck/winchip.c +index 7dc5564..1273569 100644 +--- a/arch/x86/kernel/cpu/mcheck/winchip.c ++++ b/arch/x86/kernel/cpu/mcheck/winchip.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + /* Machine check handler for WinChip C6: */ + static void winchip_machine_check(struct pt_regs *regs, long error_code) +@@ -22,7 +23,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c) + { + u32 lo, hi; + ++ pax_open_kernel(); + machine_check_vector = winchip_machine_check; ++ pax_close_kernel(); + /* Make sure the vector pointer is visible before we enable MCEs: */ + wmb(); + +diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c +index 15c9876..0a43909 100644 +--- a/arch/x86/kernel/cpu/microcode/core.c ++++ b/arch/x86/kernel/cpu/microcode/core.c +@@ -513,7 +513,7 @@ mc_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu) + return NOTIFY_OK; + } + +-static struct notifier_block __refdata mc_cpu_notifier = { ++static struct notifier_block mc_cpu_notifier = { + .notifier_call = mc_cpu_callback, + }; + +diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c +index a276fa7..e66810f 100644 +--- a/arch/x86/kernel/cpu/microcode/intel.c ++++ b/arch/x86/kernel/cpu/microcode/intel.c +@@ -293,13 +293,13 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device, + + static int get_ucode_user(void *to, const void *from, size_t n) + { +- return copy_from_user(to, from, n); ++ return copy_from_user(to, (const void __force_user *)from, n); + } + + static enum ucode_state + request_microcode_user(int cpu, const void __user *buf, size_t size) + { +- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user); ++ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user); + } + + static void microcode_fini_cpu(int cpu) +diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c +index f961de9..8a9d332 100644 +--- a/arch/x86/kernel/cpu/mtrr/main.c ++++ b/arch/x86/kernel/cpu/mtrr/main.c +@@ -66,7 +66,7 @@ static DEFINE_MUTEX(mtrr_mutex); + u64 size_or_mask, size_and_mask; + static bool mtrr_aps_delayed_init; + +-static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM]; ++static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only; + + const struct mtrr_ops *mtrr_if; + +diff --git a/arch/x86/kernel/cpu/mtrr/mtrr.h b/arch/x86/kernel/cpu/mtrr/mtrr.h +index df5e41f..816c719 100644 +--- a/arch/x86/kernel/cpu/mtrr/mtrr.h ++++ b/arch/x86/kernel/cpu/mtrr/mtrr.h +@@ -25,7 +25,7 @@ struct mtrr_ops { + int (*validate_add_page)(unsigned long base, unsigned long size, + unsigned int type); + int (*have_wrcomb)(void); +-}; ++} __do_const; + + extern int generic_get_free_region(unsigned long base, unsigned long size, + int replace_reg); +diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c +index 79f9f84..38ace52 100644 +--- a/arch/x86/kernel/cpu/perf_event.c ++++ b/arch/x86/kernel/cpu/perf_event.c +@@ -1351,7 +1351,7 @@ static void __init pmu_check_apic(void) + pr_info("no hardware sampling interrupt available.\n"); + } + +-static struct attribute_group x86_pmu_format_group = { ++static attribute_group_no_const x86_pmu_format_group = { + .name = "format", + .attrs = NULL, + }; +@@ -1450,7 +1450,7 @@ static struct attribute *events_attr[] = { + NULL, + }; + +-static struct attribute_group x86_pmu_events_group = { ++static attribute_group_no_const x86_pmu_events_group = { + .name = "events", + .attrs = events_attr, + }; +@@ -1971,7 +1971,7 @@ static unsigned long get_segment_base(unsigned int segment) + if (idx > GDT_ENTRIES) + return 0; + +- desc = __this_cpu_ptr(&gdt_page.gdt[0]); ++ desc = get_cpu_gdt_table(smp_processor_id()); + } + + return get_desc_base(desc + idx); +@@ -2061,7 +2061,7 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs) + break; + + perf_callchain_store(entry, frame.return_address); +- fp = frame.next_frame; ++ fp = (const void __force_user *)frame.next_frame; + } + } + +diff --git a/arch/x86/kernel/cpu/perf_event_amd_iommu.c b/arch/x86/kernel/cpu/perf_event_amd_iommu.c +index 639d128..e92d7e5 100644 +--- a/arch/x86/kernel/cpu/perf_event_amd_iommu.c ++++ b/arch/x86/kernel/cpu/perf_event_amd_iommu.c +@@ -405,7 +405,7 @@ static void perf_iommu_del(struct perf_event *event, int flags) + static __init int _init_events_attrs(struct perf_amd_iommu *perf_iommu) + { + struct attribute **attrs; +- struct attribute_group *attr_group; ++ attribute_group_no_const *attr_group; + int i = 0, j; + + while (amd_iommu_v2_event_descs[i].attr.attr.name) +diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c +index aa333d9..f9db700 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel.c ++++ b/arch/x86/kernel/cpu/perf_event_intel.c +@@ -2309,10 +2309,10 @@ __init int intel_pmu_init(void) + x86_pmu.num_counters_fixed = max((int)edx.split.num_counters_fixed, 3); + + if (boot_cpu_has(X86_FEATURE_PDCM)) { +- u64 capabilities; ++ u64 capabilities = x86_pmu.intel_cap.capabilities; + +- rdmsrl(MSR_IA32_PERF_CAPABILITIES, capabilities); +- x86_pmu.intel_cap.capabilities = capabilities; ++ if (rdmsrl_safe(MSR_IA32_PERF_CAPABILITIES, &x86_pmu.intel_cap.capabilities)) ++ x86_pmu.intel_cap.capabilities = capabilities; + } + + intel_ds_init(); +diff --git a/arch/x86/kernel/cpu/perf_event_intel_rapl.c b/arch/x86/kernel/cpu/perf_event_intel_rapl.c +index 5ad35ad..e0a3960 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c +@@ -425,7 +425,7 @@ static struct attribute *rapl_events_cln_attr[] = { + NULL, + }; + +-static struct attribute_group rapl_pmu_events_group = { ++static attribute_group_no_const rapl_pmu_events_group __read_only = { + .name = "events", + .attrs = NULL, /* patched at runtime */ + }; +diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c +index 047f540..afdeba0 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c +@@ -3326,7 +3326,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) + static int __init uncore_type_init(struct intel_uncore_type *type) + { + struct intel_uncore_pmu *pmus; +- struct attribute_group *attr_group; ++ attribute_group_no_const *attr_group; + struct attribute **attrs; + int i, j; + +diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.h b/arch/x86/kernel/cpu/perf_event_intel_uncore.h +index a80ab71..4089da5 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.h ++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.h +@@ -498,7 +498,7 @@ struct intel_uncore_box { + struct uncore_event_desc { + struct kobj_attribute attr; + const char *config; +-}; ++} __do_const; + + #define INTEL_UNCORE_EVENT_DESC(_name, _config) \ + { \ +diff --git a/arch/x86/kernel/cpuid.c b/arch/x86/kernel/cpuid.c +index 7d9481c..99c7e4b 100644 +--- a/arch/x86/kernel/cpuid.c ++++ b/arch/x86/kernel/cpuid.c +@@ -170,7 +170,7 @@ static int cpuid_class_cpu_callback(struct notifier_block *nfb, + return notifier_from_errno(err); + } + +-static struct notifier_block __refdata cpuid_class_cpu_notifier = ++static struct notifier_block cpuid_class_cpu_notifier = + { + .notifier_call = cpuid_class_cpu_callback, + }; +diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c +index a57902e..ebaae2a 100644 +--- a/arch/x86/kernel/crash.c ++++ b/arch/x86/kernel/crash.c +@@ -57,10 +57,8 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs) + { + #ifdef CONFIG_X86_32 + struct pt_regs fixed_regs; +-#endif + +-#ifdef CONFIG_X86_32 +- if (!user_mode_vm(regs)) { ++ if (!user_mode(regs)) { + crash_fixup_ss_esp(&fixed_regs, regs); + regs = &fixed_regs; + } +diff --git a/arch/x86/kernel/crash_dump_64.c b/arch/x86/kernel/crash_dump_64.c +index afa64ad..dce67dd 100644 +--- a/arch/x86/kernel/crash_dump_64.c ++++ b/arch/x86/kernel/crash_dump_64.c +@@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, + return -ENOMEM; + + if (userbuf) { +- if (copy_to_user(buf, vaddr + offset, csize)) { ++ if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) { + iounmap(vaddr); + return -EFAULT; + } +diff --git a/arch/x86/kernel/doublefault.c b/arch/x86/kernel/doublefault.c +index f6dfd93..892ade4 100644 +--- a/arch/x86/kernel/doublefault.c ++++ b/arch/x86/kernel/doublefault.c +@@ -12,7 +12,7 @@ + + #define DOUBLEFAULT_STACKSIZE (1024) + static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE]; +-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE) ++#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2) + + #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM) + +@@ -22,7 +22,7 @@ static void doublefault_fn(void) + unsigned long gdt, tss; + + native_store_gdt(&gdt_desc); +- gdt = gdt_desc.address; ++ gdt = (unsigned long)gdt_desc.address; + + printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size); + +@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cacheline_aligned = { + /* 0x2 bit is always set */ + .flags = X86_EFLAGS_SF | 0x2, + .sp = STACK_START, +- .es = __USER_DS, ++ .es = __KERNEL_DS, + .cs = __KERNEL_CS, + .ss = __KERNEL_DS, +- .ds = __USER_DS, ++ .ds = __KERNEL_DS, + .fs = __KERNEL_PERCPU, + + .__cr3 = __pa_nodebug(swapper_pg_dir), +diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c +index d9c12d3..7858b62 100644 +--- a/arch/x86/kernel/dumpstack.c ++++ b/arch/x86/kernel/dumpstack.c +@@ -2,6 +2,9 @@ + * Copyright (C) 1991, 1992 Linus Torvalds + * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs + */ ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++#define __INCLUDED_BY_HIDESYM 1 ++#endif + #include + #include + #include +@@ -40,16 +43,14 @@ void printk_address(unsigned long address) + static void + print_ftrace_graph_addr(unsigned long addr, void *data, + const struct stacktrace_ops *ops, +- struct thread_info *tinfo, int *graph) ++ struct task_struct *task, int *graph) + { +- struct task_struct *task; + unsigned long ret_addr; + int index; + + if (addr != (unsigned long)return_to_handler) + return; + +- task = tinfo->task; + index = task->curr_ret_stack; + + if (!task->ret_stack || index < *graph) +@@ -66,7 +67,7 @@ print_ftrace_graph_addr(unsigned long addr, void *data, + static inline void + print_ftrace_graph_addr(unsigned long addr, void *data, + const struct stacktrace_ops *ops, +- struct thread_info *tinfo, int *graph) ++ struct task_struct *task, int *graph) + { } + #endif + +@@ -77,10 +78,8 @@ print_ftrace_graph_addr(unsigned long addr, void *data, + * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack + */ + +-static inline int valid_stack_ptr(struct thread_info *tinfo, +- void *p, unsigned int size, void *end) ++static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end) + { +- void *t = tinfo; + if (end) { + if (p < end && p >= (end-THREAD_SIZE)) + return 1; +@@ -91,14 +90,14 @@ static inline int valid_stack_ptr(struct thread_info *tinfo, + } + + unsigned long +-print_context_stack(struct thread_info *tinfo, ++print_context_stack(struct task_struct *task, void *stack_start, + unsigned long *stack, unsigned long bp, + const struct stacktrace_ops *ops, void *data, + unsigned long *end, int *graph) + { + struct stack_frame *frame = (struct stack_frame *)bp; + +- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) { ++ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) { + unsigned long addr; + + addr = *stack; +@@ -110,7 +109,7 @@ print_context_stack(struct thread_info *tinfo, + } else { + ops->address(data, addr, 0); + } +- print_ftrace_graph_addr(addr, data, ops, tinfo, graph); ++ print_ftrace_graph_addr(addr, data, ops, task, graph); + } + stack++; + } +@@ -119,7 +118,7 @@ print_context_stack(struct thread_info *tinfo, + EXPORT_SYMBOL_GPL(print_context_stack); + + unsigned long +-print_context_stack_bp(struct thread_info *tinfo, ++print_context_stack_bp(struct task_struct *task, void *stack_start, + unsigned long *stack, unsigned long bp, + const struct stacktrace_ops *ops, void *data, + unsigned long *end, int *graph) +@@ -127,7 +126,7 @@ print_context_stack_bp(struct thread_info *tinfo, + struct stack_frame *frame = (struct stack_frame *)bp; + unsigned long *ret_addr = &frame->return_address; + +- while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) { ++ while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) { + unsigned long addr = *ret_addr; + + if (!__kernel_text_address(addr)) +@@ -136,7 +135,7 @@ print_context_stack_bp(struct thread_info *tinfo, + ops->address(data, addr, 1); + frame = frame->next_frame; + ret_addr = &frame->return_address; +- print_ftrace_graph_addr(addr, data, ops, tinfo, graph); ++ print_ftrace_graph_addr(addr, data, ops, task, graph); + } + + return (unsigned long)frame; +@@ -155,7 +154,7 @@ static int print_trace_stack(void *data, char *name) + static void print_trace_address(void *data, unsigned long addr, int reliable) + { + touch_nmi_watchdog(); +- printk(data); ++ printk("%s", (char *)data); + printk_stack_address(addr, reliable); + } + +@@ -224,6 +223,8 @@ unsigned __kprobes long oops_begin(void) + } + EXPORT_SYMBOL_GPL(oops_begin); + ++extern void gr_handle_kernel_exploit(void); ++ + void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr) + { + if (regs && kexec_should_crash(current)) +@@ -245,7 +246,10 @@ void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr) + panic("Fatal exception in interrupt"); + if (panic_on_oops) + panic("Fatal exception"); +- do_exit(signr); ++ ++ gr_handle_kernel_exploit(); ++ ++ do_group_exit(signr); + } + + int __kprobes __die(const char *str, struct pt_regs *regs, long err) +@@ -273,7 +277,7 @@ int __kprobes __die(const char *str, struct pt_regs *regs, long err) + print_modules(); + show_regs(regs); + #ifdef CONFIG_X86_32 +- if (user_mode_vm(regs)) { ++ if (user_mode(regs)) { + sp = regs->sp; + ss = regs->ss & 0xffff; + } else { +@@ -301,7 +305,7 @@ void die(const char *str, struct pt_regs *regs, long err) + unsigned long flags = oops_begin(); + int sig = SIGSEGV; + +- if (!user_mode_vm(regs)) ++ if (!user_mode(regs)) + report_bug(regs->ip, regs); + + if (__die(str, regs, err)) +diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c +index f2a1770..540657f 100644 +--- a/arch/x86/kernel/dumpstack_32.c ++++ b/arch/x86/kernel/dumpstack_32.c +@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, + bp = stack_frame(task, regs); + + for (;;) { +- struct thread_info *context; ++ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1)); + +- context = (struct thread_info *) +- ((unsigned long)stack & (~(THREAD_SIZE - 1))); +- bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph); ++ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph); + +- stack = (unsigned long *)context->previous_esp; +- if (!stack) ++ if (stack_start == task_stack_page(task)) + break; ++ stack = *(unsigned long **)stack_start; + if (ops->stack(data, "IRQ") < 0) + break; + touch_nmi_watchdog(); +@@ -87,27 +85,28 @@ void show_regs(struct pt_regs *regs) + int i; + + show_regs_print_info(KERN_EMERG); +- __show_regs(regs, !user_mode_vm(regs)); ++ __show_regs(regs, !user_mode(regs)); + + /* + * When in-kernel, we also print out the stack and code at the + * time of the fault.. + */ +- if (!user_mode_vm(regs)) { ++ if (!user_mode(regs)) { + unsigned int code_prologue = code_bytes * 43 / 64; + unsigned int code_len = code_bytes; + unsigned char c; + u8 *ip; ++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]); + + pr_emerg("Stack:\n"); + show_stack_log_lvl(NULL, regs, ®s->sp, 0, KERN_EMERG); + + pr_emerg("Code:"); + +- ip = (u8 *)regs->ip - code_prologue; ++ ip = (u8 *)regs->ip - code_prologue + cs_base; + if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) { + /* try starting at IP */ +- ip = (u8 *)regs->ip; ++ ip = (u8 *)regs->ip + cs_base; + code_len = code_len - code_prologue + 1; + } + for (i = 0; i < code_len; i++, ip++) { +@@ -116,7 +115,7 @@ void show_regs(struct pt_regs *regs) + pr_cont(" Bad EIP value."); + break; + } +- if (ip == (u8 *)regs->ip) ++ if (ip == (u8 *)regs->ip + cs_base) + pr_cont(" <%02x>", c); + else + pr_cont(" %02x", c); +@@ -129,6 +128,7 @@ int is_valid_bugaddr(unsigned long ip) + { + unsigned short ud2; + ++ ip = ktla_ktva(ip); + if (ip < PAGE_OFFSET) + return 0; + if (probe_kernel_address((unsigned short *)ip, ud2)) +@@ -136,3 +136,15 @@ int is_valid_bugaddr(unsigned long ip) + + return ud2 == 0x0b0f; + } ++ ++#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++void pax_check_alloca(unsigned long size) ++{ ++ unsigned long sp = (unsigned long)&sp, stack_left; ++ ++ /* all kernel stacks are of the same size */ ++ stack_left = sp & (THREAD_SIZE - 1); ++ BUG_ON(stack_left < 256 || size >= stack_left - 256); ++} ++EXPORT_SYMBOL(pax_check_alloca); ++#endif +diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c +index addb207..99635fa 100644 +--- a/arch/x86/kernel/dumpstack_64.c ++++ b/arch/x86/kernel/dumpstack_64.c +@@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, + unsigned long *irq_stack_end = + (unsigned long *)per_cpu(irq_stack_ptr, cpu); + unsigned used = 0; +- struct thread_info *tinfo; + int graph = 0; + unsigned long dummy; ++ void *stack_start; + + if (!task) + task = current; +@@ -142,10 +142,10 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, + * current stack address. If the stacks consist of nested + * exceptions + */ +- tinfo = task_thread_info(task); + for (;;) { + char *id; + unsigned long *estack_end; ++ + estack_end = in_exception_stack(cpu, (unsigned long)stack, + &used, &id); + +@@ -153,7 +153,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, + if (ops->stack(data, id) < 0) + break; + +- bp = ops->walk_stack(tinfo, stack, bp, ops, ++ bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops, + data, estack_end, &graph); + ops->stack(data, ""); + /* +@@ -161,6 +161,8 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, + * second-to-last pointer (index -2 to end) in the + * exception stack: + */ ++ if ((u16)estack_end[-1] != __KERNEL_DS) ++ goto out; + stack = (unsigned long *) estack_end[-2]; + continue; + } +@@ -172,7 +174,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, + if (in_irq_stack(stack, irq_stack, irq_stack_end)) { + if (ops->stack(data, "IRQ") < 0) + break; +- bp = ops->walk_stack(tinfo, stack, bp, ++ bp = ops->walk_stack(task, irq_stack, stack, bp, + ops, data, irq_stack_end, &graph); + /* + * We link to the next stack (which would be +@@ -191,7 +193,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs, + /* + * This handles the process stack: + */ +- bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph); ++ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1)); ++ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph); ++out: + put_cpu(); + } + EXPORT_SYMBOL(dump_trace); +@@ -300,3 +304,50 @@ int is_valid_bugaddr(unsigned long ip) + + return ud2 == 0x0b0f; + } ++ ++#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++void pax_check_alloca(unsigned long size) ++{ ++ unsigned long sp = (unsigned long)&sp, stack_start, stack_end; ++ unsigned cpu, used; ++ char *id; ++ ++ /* check the process stack first */ ++ stack_start = (unsigned long)task_stack_page(current); ++ stack_end = stack_start + THREAD_SIZE; ++ if (likely(stack_start <= sp && sp < stack_end)) { ++ unsigned long stack_left = sp & (THREAD_SIZE - 1); ++ BUG_ON(stack_left < 256 || size >= stack_left - 256); ++ return; ++ } ++ ++ cpu = get_cpu(); ++ ++ /* check the irq stacks */ ++ stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu); ++ stack_start = stack_end - IRQ_STACK_SIZE; ++ if (stack_start <= sp && sp < stack_end) { ++ unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1); ++ put_cpu(); ++ BUG_ON(stack_left < 256 || size >= stack_left - 256); ++ return; ++ } ++ ++ /* check the exception stacks */ ++ used = 0; ++ stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id); ++ stack_start = stack_end - EXCEPTION_STKSZ; ++ if (stack_end && stack_start <= sp && sp < stack_end) { ++ unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1); ++ put_cpu(); ++ BUG_ON(stack_left < 256 || size >= stack_left - 256); ++ return; ++ } ++ ++ put_cpu(); ++ ++ /* unknown stack */ ++ BUG(); ++} ++EXPORT_SYMBOL(pax_check_alloca); ++#endif +diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c +index 988c00a..4f673b6 100644 +--- a/arch/x86/kernel/e820.c ++++ b/arch/x86/kernel/e820.c +@@ -803,8 +803,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void) + + static void early_panic(char *msg) + { +- early_printk(msg); +- panic(msg); ++ early_printk("%s", msg); ++ panic("%s", msg); + } + + static int userdef __initdata; +diff --git a/arch/x86/kernel/early_printk.c b/arch/x86/kernel/early_printk.c +index 01d1c18..8073693 100644 +--- a/arch/x86/kernel/early_printk.c ++++ b/arch/x86/kernel/early_printk.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S +index a2a4f46..6cab058 100644 +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -177,13 +177,153 @@ + /*CFI_REL_OFFSET gs, PT_GS*/ + .endm + .macro SET_KERNEL_GS reg ++ ++#ifdef CONFIG_CC_STACKPROTECTOR + movl $(__KERNEL_STACK_CANARY), \reg ++#elif defined(CONFIG_PAX_MEMORY_UDEREF) ++ movl $(__USER_DS), \reg ++#else ++ xorl \reg, \reg ++#endif ++ + movl \reg, %gs + .endm + + #endif /* CONFIG_X86_32_LAZY_GS */ + +-.macro SAVE_ALL ++.macro pax_enter_kernel ++#ifdef CONFIG_PAX_KERNEXEC ++ call pax_enter_kernel ++#endif ++.endm ++ ++.macro pax_exit_kernel ++#ifdef CONFIG_PAX_KERNEXEC ++ call pax_exit_kernel ++#endif ++.endm ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ENTRY(pax_enter_kernel) ++#ifdef CONFIG_PARAVIRT ++ pushl %eax ++ pushl %ecx ++ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0) ++ mov %eax, %esi ++#else ++ mov %cr0, %esi ++#endif ++ bts $16, %esi ++ jnc 1f ++ mov %cs, %esi ++ cmp $__KERNEL_CS, %esi ++ jz 3f ++ ljmp $__KERNEL_CS, $3f ++1: ljmp $__KERNEXEC_KERNEL_CS, $2f ++2: ++#ifdef CONFIG_PARAVIRT ++ mov %esi, %eax ++ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0) ++#else ++ mov %esi, %cr0 ++#endif ++3: ++#ifdef CONFIG_PARAVIRT ++ popl %ecx ++ popl %eax ++#endif ++ ret ++ENDPROC(pax_enter_kernel) ++ ++ENTRY(pax_exit_kernel) ++#ifdef CONFIG_PARAVIRT ++ pushl %eax ++ pushl %ecx ++#endif ++ mov %cs, %esi ++ cmp $__KERNEXEC_KERNEL_CS, %esi ++ jnz 2f ++#ifdef CONFIG_PARAVIRT ++ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); ++ mov %eax, %esi ++#else ++ mov %cr0, %esi ++#endif ++ btr $16, %esi ++ ljmp $__KERNEL_CS, $1f ++1: ++#ifdef CONFIG_PARAVIRT ++ mov %esi, %eax ++ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0); ++#else ++ mov %esi, %cr0 ++#endif ++2: ++#ifdef CONFIG_PARAVIRT ++ popl %ecx ++ popl %eax ++#endif ++ ret ++ENDPROC(pax_exit_kernel) ++#endif ++ ++ .macro pax_erase_kstack ++#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++ call pax_erase_kstack ++#endif ++ .endm ++ ++#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++/* ++ * ebp: thread_info ++ */ ++ENTRY(pax_erase_kstack) ++ pushl %edi ++ pushl %ecx ++ pushl %eax ++ ++ mov TI_lowest_stack(%ebp), %edi ++ mov $-0xBEEF, %eax ++ std ++ ++1: mov %edi, %ecx ++ and $THREAD_SIZE_asm - 1, %ecx ++ shr $2, %ecx ++ repne scasl ++ jecxz 2f ++ ++ cmp $2*16, %ecx ++ jc 2f ++ ++ mov $2*16, %ecx ++ repe scasl ++ jecxz 2f ++ jne 1b ++ ++2: cld ++ mov %esp, %ecx ++ sub %edi, %ecx ++ ++ cmp $THREAD_SIZE_asm, %ecx ++ jb 3f ++ ud2 ++3: ++ ++ shr $2, %ecx ++ rep stosl ++ ++ mov TI_task_thread_sp0(%ebp), %edi ++ sub $128, %edi ++ mov %edi, TI_lowest_stack(%ebp) ++ ++ popl %eax ++ popl %ecx ++ popl %edi ++ ret ++ENDPROC(pax_erase_kstack) ++#endif ++ ++.macro __SAVE_ALL _DS + cld + PUSH_GS + pushl_cfi %fs +@@ -206,7 +346,7 @@ + CFI_REL_OFFSET ecx, 0 + pushl_cfi %ebx + CFI_REL_OFFSET ebx, 0 +- movl $(__USER_DS), %edx ++ movl $\_DS, %edx + movl %edx, %ds + movl %edx, %es + movl $(__KERNEL_PERCPU), %edx +@@ -214,6 +354,15 @@ + SET_KERNEL_GS %edx + .endm + ++.macro SAVE_ALL ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ __SAVE_ALL __KERNEL_DS ++ pax_enter_kernel ++#else ++ __SAVE_ALL __USER_DS ++#endif ++.endm ++ + .macro RESTORE_INT_REGS + popl_cfi %ebx + CFI_RESTORE ebx +@@ -297,7 +446,7 @@ ENTRY(ret_from_fork) + popfl_cfi + jmp syscall_exit + CFI_ENDPROC +-END(ret_from_fork) ++ENDPROC(ret_from_fork) + + ENTRY(ret_from_kernel_thread) + CFI_STARTPROC +@@ -344,7 +493,15 @@ ret_from_intr: + andl $SEGMENT_RPL_MASK, %eax + #endif + cmpl $USER_RPL, %eax ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ jae resume_userspace ++ ++ pax_exit_kernel ++ jmp resume_kernel ++#else + jb resume_kernel # not returning to v8086 or userspace ++#endif + + ENTRY(resume_userspace) + LOCKDEP_SYS_EXIT +@@ -356,8 +513,8 @@ ENTRY(resume_userspace) + andl $_TIF_WORK_MASK, %ecx # is there any work to be done on + # int/exception return? + jne work_pending +- jmp restore_all +-END(ret_from_exception) ++ jmp restore_all_pax ++ENDPROC(ret_from_exception) + + #ifdef CONFIG_PREEMPT + ENTRY(resume_kernel) +@@ -369,7 +526,7 @@ need_resched: + jz restore_all + call preempt_schedule_irq + jmp need_resched +-END(resume_kernel) ++ENDPROC(resume_kernel) + #endif + CFI_ENDPROC + /* +@@ -403,30 +560,45 @@ sysenter_past_esp: + /*CFI_REL_OFFSET cs, 0*/ + /* + * Push current_thread_info()->sysenter_return to the stack. +- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words +- * pushed above; +8 corresponds to copy_thread's esp0 setting. + */ +- pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp) ++ pushl_cfi $0 + CFI_REL_OFFSET eip, 0 + + pushl_cfi %eax + SAVE_ALL ++ GET_THREAD_INFO(%ebp) ++ movl TI_sysenter_return(%ebp),%ebp ++ movl %ebp,PT_EIP(%esp) + ENABLE_INTERRUPTS(CLBR_NONE) + + /* + * Load the potential sixth argument from user stack. + * Careful about security. + */ ++ movl PT_OLDESP(%esp),%ebp ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ mov PT_OLDSS(%esp),%ds ++1: movl %ds:(%ebp),%ebp ++ push %ss ++ pop %ds ++#else + cmpl $__PAGE_OFFSET-3,%ebp + jae syscall_fault + ASM_STAC + 1: movl (%ebp),%ebp + ASM_CLAC ++#endif ++ + movl %ebp,PT_EBP(%esp) + _ASM_EXTABLE(1b,syscall_fault) + + GET_THREAD_INFO(%ebp) + ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) + jnz sysenter_audit + sysenter_do_call: +@@ -441,12 +613,24 @@ sysenter_do_call: + testl $_TIF_ALLWORK_MASK, %ecx + jne sysexit_audit + sysenter_exit: ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pushl_cfi %eax ++ movl %esp, %eax ++ call pax_randomize_kstack ++ popl_cfi %eax ++#endif ++ ++ pax_erase_kstack ++ + /* if something modifies registers it must also disable sysexit */ + movl PT_EIP(%esp), %edx + movl PT_OLDESP(%esp), %ecx + xorl %ebp,%ebp + TRACE_IRQS_ON + 1: mov PT_FS(%esp), %fs ++2: mov PT_DS(%esp), %ds ++3: mov PT_ES(%esp), %es + PTGS_TO_GS + ENABLE_INTERRUPTS_SYSEXIT + +@@ -463,6 +647,9 @@ sysenter_audit: + movl %eax,%edx /* 2nd arg: syscall number */ + movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */ + call __audit_syscall_entry ++ ++ pax_erase_kstack ++ + pushl_cfi %ebx + movl PT_EAX(%esp),%eax /* reload syscall number */ + jmp sysenter_do_call +@@ -488,10 +675,16 @@ sysexit_audit: + + CFI_ENDPROC + .pushsection .fixup,"ax" +-2: movl $0,PT_FS(%esp) ++4: movl $0,PT_FS(%esp) ++ jmp 1b ++5: movl $0,PT_DS(%esp) ++ jmp 1b ++6: movl $0,PT_ES(%esp) + jmp 1b + .popsection +- _ASM_EXTABLE(1b,2b) ++ _ASM_EXTABLE(1b,4b) ++ _ASM_EXTABLE(2b,5b) ++ _ASM_EXTABLE(3b,6b) + PTGS_TO_GS_EX + ENDPROC(ia32_sysenter_target) + +@@ -506,6 +699,11 @@ ENTRY(system_call) + pushl_cfi %eax # save orig_eax + SAVE_ALL + GET_THREAD_INFO(%ebp) ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ + # system call tracing in operation / emulation + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) + jnz syscall_trace_entry +@@ -524,6 +722,15 @@ syscall_exit: + testl $_TIF_ALLWORK_MASK, %ecx # current->work + jne syscall_exit_work + ++restore_all_pax: ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ movl %esp, %eax ++ call pax_randomize_kstack ++#endif ++ ++ pax_erase_kstack ++ + restore_all: + TRACE_IRQS_IRET + restore_all_notrace: +@@ -580,14 +787,34 @@ ldt_ss: + * compensating for the offset by changing to the ESPFIX segment with + * a base address that matches for the difference. + */ +-#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8) ++#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx) + mov %esp, %edx /* load kernel esp */ + mov PT_OLDESP(%esp), %eax /* load userspace esp */ + mov %dx, %ax /* eax: new kernel esp */ + sub %eax, %edx /* offset (low word is 0) */ ++#ifdef CONFIG_SMP ++ movl PER_CPU_VAR(cpu_number), %ebx ++ shll $PAGE_SHIFT_asm, %ebx ++ addl $cpu_gdt_table, %ebx ++#else ++ movl $cpu_gdt_table, %ebx ++#endif + shr $16, %edx +- mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */ +- mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ mov %cr0, %esi ++ btr $16, %esi ++ mov %esi, %cr0 ++#endif ++ ++ mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */ ++ mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ bts $16, %esi ++ mov %esi, %cr0 ++#endif ++ + pushl_cfi $__ESPFIX_SS + pushl_cfi %eax /* new kernel esp */ + /* Disable interrupts, but do not irqtrace this section: we +@@ -616,20 +843,18 @@ work_resched: + movl TI_flags(%ebp), %ecx + andl $_TIF_WORK_MASK, %ecx # is there any work to be done other + # than syscall tracing? +- jz restore_all ++ jz restore_all_pax + testb $_TIF_NEED_RESCHED, %cl + jnz work_resched + + work_notifysig: # deal with pending signals and + # notify-resume requests ++ movl %esp, %eax + #ifdef CONFIG_VM86 + testl $X86_EFLAGS_VM, PT_EFLAGS(%esp) +- movl %esp, %eax + jne work_notifysig_v86 # returning to kernel-space or + # vm86-space + 1: +-#else +- movl %esp, %eax + #endif + TRACE_IRQS_ON + ENABLE_INTERRUPTS(CLBR_NONE) +@@ -650,7 +875,7 @@ work_notifysig_v86: + movl %eax, %esp + jmp 1b + #endif +-END(work_pending) ++ENDPROC(work_pending) + + # perform syscall exit tracing + ALIGN +@@ -658,11 +883,14 @@ syscall_trace_entry: + movl $-ENOSYS,PT_EAX(%esp) + movl %esp, %eax + call syscall_trace_enter ++ ++ pax_erase_kstack ++ + /* What it returned is what we'll actually use. */ + cmpl $(NR_syscalls), %eax + jnae syscall_call + jmp syscall_exit +-END(syscall_trace_entry) ++ENDPROC(syscall_trace_entry) + + # perform syscall exit tracing + ALIGN +@@ -675,21 +903,25 @@ syscall_exit_work: + movl %esp, %eax + call syscall_trace_leave + jmp resume_userspace +-END(syscall_exit_work) ++ENDPROC(syscall_exit_work) + CFI_ENDPROC + + RING0_INT_FRAME # can't unwind into user space anyway + syscall_fault: ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ push %ss ++ pop %ds ++#endif + ASM_CLAC + GET_THREAD_INFO(%ebp) + movl $-EFAULT,PT_EAX(%esp) + jmp resume_userspace +-END(syscall_fault) ++ENDPROC(syscall_fault) + + syscall_badsys: + movl $-ENOSYS,PT_EAX(%esp) + jmp resume_userspace +-END(syscall_badsys) ++ENDPROC(syscall_badsys) + CFI_ENDPROC + /* + * End of kprobes section +@@ -705,8 +937,15 @@ END(syscall_badsys) + * normal stack and adjusts ESP with the matching offset. + */ + /* fixup the stack */ +- mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */ +- mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */ ++#ifdef CONFIG_SMP ++ movl PER_CPU_VAR(cpu_number), %ebx ++ shll $PAGE_SHIFT_asm, %ebx ++ addl $cpu_gdt_table, %ebx ++#else ++ movl $cpu_gdt_table, %ebx ++#endif ++ mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */ ++ mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */ + shl $16, %eax + addl %esp, %eax /* the adjusted stack pointer */ + pushl_cfi $__KERNEL_DS +@@ -759,7 +998,7 @@ vector=vector+1 + .endr + 2: jmp common_interrupt + .endr +-END(irq_entries_start) ++ENDPROC(irq_entries_start) + + .previous + END(interrupt) +@@ -820,7 +1059,7 @@ ENTRY(coprocessor_error) + pushl_cfi $do_coprocessor_error + jmp error_code + CFI_ENDPROC +-END(coprocessor_error) ++ENDPROC(coprocessor_error) + + ENTRY(simd_coprocessor_error) + RING0_INT_FRAME +@@ -833,7 +1072,7 @@ ENTRY(simd_coprocessor_error) + .section .altinstructions,"a" + altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f + .previous +-.section .altinstr_replacement,"ax" ++.section .altinstr_replacement,"a" + 663: pushl $do_simd_coprocessor_error + 664: + .previous +@@ -842,7 +1081,7 @@ ENTRY(simd_coprocessor_error) + #endif + jmp error_code + CFI_ENDPROC +-END(simd_coprocessor_error) ++ENDPROC(simd_coprocessor_error) + + ENTRY(device_not_available) + RING0_INT_FRAME +@@ -851,18 +1090,18 @@ ENTRY(device_not_available) + pushl_cfi $do_device_not_available + jmp error_code + CFI_ENDPROC +-END(device_not_available) ++ENDPROC(device_not_available) + + #ifdef CONFIG_PARAVIRT + ENTRY(native_iret) + iret + _ASM_EXTABLE(native_iret, iret_exc) +-END(native_iret) ++ENDPROC(native_iret) + + ENTRY(native_irq_enable_sysexit) + sti + sysexit +-END(native_irq_enable_sysexit) ++ENDPROC(native_irq_enable_sysexit) + #endif + + ENTRY(overflow) +@@ -872,7 +1111,7 @@ ENTRY(overflow) + pushl_cfi $do_overflow + jmp error_code + CFI_ENDPROC +-END(overflow) ++ENDPROC(overflow) + + ENTRY(bounds) + RING0_INT_FRAME +@@ -881,7 +1120,7 @@ ENTRY(bounds) + pushl_cfi $do_bounds + jmp error_code + CFI_ENDPROC +-END(bounds) ++ENDPROC(bounds) + + ENTRY(invalid_op) + RING0_INT_FRAME +@@ -890,7 +1129,7 @@ ENTRY(invalid_op) + pushl_cfi $do_invalid_op + jmp error_code + CFI_ENDPROC +-END(invalid_op) ++ENDPROC(invalid_op) + + ENTRY(coprocessor_segment_overrun) + RING0_INT_FRAME +@@ -899,7 +1138,7 @@ ENTRY(coprocessor_segment_overrun) + pushl_cfi $do_coprocessor_segment_overrun + jmp error_code + CFI_ENDPROC +-END(coprocessor_segment_overrun) ++ENDPROC(coprocessor_segment_overrun) + + ENTRY(invalid_TSS) + RING0_EC_FRAME +@@ -907,7 +1146,7 @@ ENTRY(invalid_TSS) + pushl_cfi $do_invalid_TSS + jmp error_code + CFI_ENDPROC +-END(invalid_TSS) ++ENDPROC(invalid_TSS) + + ENTRY(segment_not_present) + RING0_EC_FRAME +@@ -915,7 +1154,7 @@ ENTRY(segment_not_present) + pushl_cfi $do_segment_not_present + jmp error_code + CFI_ENDPROC +-END(segment_not_present) ++ENDPROC(segment_not_present) + + ENTRY(stack_segment) + RING0_EC_FRAME +@@ -923,7 +1162,7 @@ ENTRY(stack_segment) + pushl_cfi $do_stack_segment + jmp error_code + CFI_ENDPROC +-END(stack_segment) ++ENDPROC(stack_segment) + + ENTRY(alignment_check) + RING0_EC_FRAME +@@ -931,7 +1170,7 @@ ENTRY(alignment_check) + pushl_cfi $do_alignment_check + jmp error_code + CFI_ENDPROC +-END(alignment_check) ++ENDPROC(alignment_check) + + ENTRY(divide_error) + RING0_INT_FRAME +@@ -940,7 +1179,7 @@ ENTRY(divide_error) + pushl_cfi $do_divide_error + jmp error_code + CFI_ENDPROC +-END(divide_error) ++ENDPROC(divide_error) + + #ifdef CONFIG_X86_MCE + ENTRY(machine_check) +@@ -950,7 +1189,7 @@ ENTRY(machine_check) + pushl_cfi machine_check_vector + jmp error_code + CFI_ENDPROC +-END(machine_check) ++ENDPROC(machine_check) + #endif + + ENTRY(spurious_interrupt_bug) +@@ -960,7 +1199,7 @@ ENTRY(spurious_interrupt_bug) + pushl_cfi $do_spurious_interrupt_bug + jmp error_code + CFI_ENDPROC +-END(spurious_interrupt_bug) ++ENDPROC(spurious_interrupt_bug) + /* + * End of kprobes section + */ +@@ -1070,7 +1309,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR, + + ENTRY(mcount) + ret +-END(mcount) ++ENDPROC(mcount) + + ENTRY(ftrace_caller) + cmpl $0, function_trace_stop +@@ -1103,7 +1342,7 @@ ftrace_graph_call: + .globl ftrace_stub + ftrace_stub: + ret +-END(ftrace_caller) ++ENDPROC(ftrace_caller) + + ENTRY(ftrace_regs_caller) + pushf /* push flags before compare (in cs location) */ +@@ -1207,7 +1446,7 @@ trace: + popl %ecx + popl %eax + jmp ftrace_stub +-END(mcount) ++ENDPROC(mcount) + #endif /* CONFIG_DYNAMIC_FTRACE */ + #endif /* CONFIG_FUNCTION_TRACER */ + +@@ -1225,7 +1464,7 @@ ENTRY(ftrace_graph_caller) + popl %ecx + popl %eax + ret +-END(ftrace_graph_caller) ++ENDPROC(ftrace_graph_caller) + + .globl return_to_handler + return_to_handler: +@@ -1291,15 +1530,18 @@ error_code: + movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart + REG_TO_PTGS %ecx + SET_KERNEL_GS %ecx +- movl $(__USER_DS), %ecx ++ movl $(__KERNEL_DS), %ecx + movl %ecx, %ds + movl %ecx, %es ++ ++ pax_enter_kernel ++ + TRACE_IRQS_OFF + movl %esp,%eax # pt_regs pointer + call *%edi + jmp ret_from_exception + CFI_ENDPROC +-END(page_fault) ++ENDPROC(page_fault) + + /* + * Debug traps and NMI can happen at the one SYSENTER instruction +@@ -1342,7 +1584,7 @@ debug_stack_correct: + call do_debug + jmp ret_from_exception + CFI_ENDPROC +-END(debug) ++ENDPROC(debug) + + /* + * NMI is doubly nasty. It can happen _while_ we're handling +@@ -1380,6 +1622,9 @@ nmi_stack_correct: + xorl %edx,%edx # zero error code + movl %esp,%eax # pt_regs pointer + call do_nmi ++ ++ pax_exit_kernel ++ + jmp restore_all_notrace + CFI_ENDPROC + +@@ -1416,12 +1661,15 @@ nmi_espfix_stack: + FIXUP_ESPFIX_STACK # %eax == %esp + xorl %edx,%edx # zero error code + call do_nmi ++ ++ pax_exit_kernel ++ + RESTORE_REGS + lss 12+4(%esp), %esp # back to espfix stack + CFI_ADJUST_CFA_OFFSET -24 + jmp irq_return + CFI_ENDPROC +-END(nmi) ++ENDPROC(nmi) + + ENTRY(int3) + RING0_INT_FRAME +@@ -1434,14 +1682,14 @@ ENTRY(int3) + call do_int3 + jmp ret_from_exception + CFI_ENDPROC +-END(int3) ++ENDPROC(int3) + + ENTRY(general_protection) + RING0_EC_FRAME + pushl_cfi $do_general_protection + jmp error_code + CFI_ENDPROC +-END(general_protection) ++ENDPROC(general_protection) + + #ifdef CONFIG_KVM_GUEST + ENTRY(async_page_fault) +@@ -1450,7 +1698,7 @@ ENTRY(async_page_fault) + pushl_cfi $do_async_page_fault + jmp error_code + CFI_ENDPROC +-END(async_page_fault) ++ENDPROC(async_page_fault) + #endif + + /* +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index 1e96c36..3ff710a 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -59,6 +59,8 @@ + #include + #include + #include ++#include ++#include + + /* Avoid __ASSEMBLER__'ifying just for this. */ + #include +@@ -80,8 +82,9 @@ + #ifdef CONFIG_DYNAMIC_FTRACE + + ENTRY(function_hook) ++ pax_force_retaddr + retq +-END(function_hook) ++ENDPROC(function_hook) + + /* skip is set if stack has been adjusted */ + .macro ftrace_caller_setup skip=0 +@@ -122,8 +125,9 @@ GLOBAL(ftrace_graph_call) + #endif + + GLOBAL(ftrace_stub) ++ pax_force_retaddr + retq +-END(ftrace_caller) ++ENDPROC(ftrace_caller) + + ENTRY(ftrace_regs_caller) + /* Save the current flags before compare (in SS location)*/ +@@ -191,7 +195,7 @@ ftrace_restore_flags: + popfq + jmp ftrace_stub + +-END(ftrace_regs_caller) ++ENDPROC(ftrace_regs_caller) + + + #else /* ! CONFIG_DYNAMIC_FTRACE */ +@@ -212,6 +216,7 @@ ENTRY(function_hook) + #endif + + GLOBAL(ftrace_stub) ++ pax_force_retaddr + retq + + trace: +@@ -225,12 +230,13 @@ trace: + #endif + subq $MCOUNT_INSN_SIZE, %rdi + ++ pax_force_fptr ftrace_trace_function + call *ftrace_trace_function + + MCOUNT_RESTORE_FRAME + + jmp ftrace_stub +-END(function_hook) ++ENDPROC(function_hook) + #endif /* CONFIG_DYNAMIC_FTRACE */ + #endif /* CONFIG_FUNCTION_TRACER */ + +@@ -252,8 +258,9 @@ ENTRY(ftrace_graph_caller) + + MCOUNT_RESTORE_FRAME + ++ pax_force_retaddr + retq +-END(ftrace_graph_caller) ++ENDPROC(ftrace_graph_caller) + + GLOBAL(return_to_handler) + subq $24, %rsp +@@ -269,7 +276,9 @@ GLOBAL(return_to_handler) + movq 8(%rsp), %rdx + movq (%rsp), %rax + addq $24, %rsp ++ pax_force_fptr %rdi + jmp *%rdi ++ENDPROC(return_to_handler) + #endif + + +@@ -284,6 +293,430 @@ ENTRY(native_usergs_sysret64) + ENDPROC(native_usergs_sysret64) + #endif /* CONFIG_PARAVIRT */ + ++ .macro ljmpq sel, off ++#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM) ++ .byte 0x48; ljmp *1234f(%rip) ++ .pushsection .rodata ++ .align 16 ++ 1234: .quad \off; .word \sel ++ .popsection ++#else ++ pushq $\sel ++ pushq $\off ++ lretq ++#endif ++ .endm ++ ++ .macro pax_enter_kernel ++ pax_set_fptr_mask ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ call pax_enter_kernel ++#endif ++ .endm ++ ++ .macro pax_exit_kernel ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ call pax_exit_kernel ++#endif ++ ++ .endm ++ ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ENTRY(pax_enter_kernel) ++ pushq %rdi ++ ++#ifdef CONFIG_PARAVIRT ++ PV_SAVE_REGS(CLBR_RDI) ++#endif ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ GET_CR0_INTO_RDI ++ bts $16,%rdi ++ jnc 3f ++ mov %cs,%edi ++ cmp $__KERNEL_CS,%edi ++ jnz 2f ++1: ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ 661: jmp 111f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ GET_CR3_INTO_RDI ++ cmp $0,%dil ++ jnz 112f ++ mov $__KERNEL_DS,%edi ++ mov %edi,%ss ++ jmp 111f ++112: cmp $1,%dil ++ jz 113f ++ ud2 ++113: sub $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ mov $__UDEREF_KERNEL_DS,%edi ++ mov %edi,%ss ++111: ++#endif ++ ++#ifdef CONFIG_PARAVIRT ++ PV_RESTORE_REGS(CLBR_RDI) ++#endif ++ ++ popq %rdi ++ pax_force_retaddr ++ retq ++ ++#ifdef CONFIG_PAX_KERNEXEC ++2: ljmpq __KERNEL_CS,1b ++3: ljmpq __KERNEXEC_KERNEL_CS,4f ++4: SET_RDI_INTO_CR0 ++ jmp 1b ++#endif ++ENDPROC(pax_enter_kernel) ++ ++ENTRY(pax_exit_kernel) ++ pushq %rdi ++ ++#ifdef CONFIG_PARAVIRT ++ PV_SAVE_REGS(CLBR_RDI) ++#endif ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ mov %cs,%rdi ++ cmp $__KERNEXEC_KERNEL_CS,%edi ++ jz 2f ++ GET_CR0_INTO_RDI ++ bts $16,%rdi ++ jnc 4f ++1: ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ 661: jmp 111f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ mov %ss,%edi ++ cmp $__UDEREF_KERNEL_DS,%edi ++ jnz 111f ++ GET_CR3_INTO_RDI ++ cmp $0,%dil ++ jz 112f ++ ud2 ++112: add $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ mov $__KERNEL_DS,%edi ++ mov %edi,%ss ++111: ++#endif ++ ++#ifdef CONFIG_PARAVIRT ++ PV_RESTORE_REGS(CLBR_RDI); ++#endif ++ ++ popq %rdi ++ pax_force_retaddr ++ retq ++ ++#ifdef CONFIG_PAX_KERNEXEC ++2: GET_CR0_INTO_RDI ++ btr $16,%rdi ++ jnc 4f ++ ljmpq __KERNEL_CS,3f ++3: SET_RDI_INTO_CR0 ++ jmp 1b ++4: ud2 ++ jmp 4b ++#endif ++ENDPROC(pax_exit_kernel) ++#endif ++ ++ .macro pax_enter_kernel_user ++ pax_set_fptr_mask ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ call pax_enter_kernel_user ++#endif ++ .endm ++ ++ .macro pax_exit_kernel_user ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ call pax_exit_kernel_user ++#endif ++#ifdef CONFIG_PAX_RANDKSTACK ++ pushq %rax ++ pushq %r11 ++ call pax_randomize_kstack ++ popq %r11 ++ popq %rax ++#endif ++ .endm ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ENTRY(pax_enter_kernel_user) ++ pushq %rdi ++ pushq %rbx ++ ++#ifdef CONFIG_PARAVIRT ++ PV_SAVE_REGS(CLBR_RDI) ++#endif ++ ++ 661: jmp 111f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ GET_CR3_INTO_RDI ++ cmp $1,%dil ++ jnz 4f ++ sub $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ jmp 3f ++111: ++ ++ GET_CR3_INTO_RDI ++ mov %rdi,%rbx ++ add $__START_KERNEL_map,%rbx ++ sub phys_base(%rip),%rbx ++ ++#ifdef CONFIG_PARAVIRT ++ cmpl $0, pv_info+PARAVIRT_enabled ++ jz 1f ++ pushq %rdi ++ i = 0 ++ .rept USER_PGD_PTRS ++ mov i*8(%rbx),%rsi ++ mov $0,%sil ++ lea i*8(%rbx),%rdi ++ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) ++ i = i + 1 ++ .endr ++ popq %rdi ++ jmp 2f ++1: ++#endif ++ ++ i = 0 ++ .rept USER_PGD_PTRS ++ movb $0,i*8(%rbx) ++ i = i + 1 ++ .endr ++ ++2: SET_RDI_INTO_CR3 ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ GET_CR0_INTO_RDI ++ bts $16,%rdi ++ SET_RDI_INTO_CR0 ++#endif ++ ++3: ++ ++#ifdef CONFIG_PARAVIRT ++ PV_RESTORE_REGS(CLBR_RDI) ++#endif ++ ++ popq %rbx ++ popq %rdi ++ pax_force_retaddr ++ retq ++4: ud2 ++ENDPROC(pax_enter_kernel_user) ++ ++ENTRY(pax_exit_kernel_user) ++ pushq %rdi ++ pushq %rbx ++ ++#ifdef CONFIG_PARAVIRT ++ PV_SAVE_REGS(CLBR_RDI) ++#endif ++ ++ GET_CR3_INTO_RDI ++ 661: jmp 1f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ cmp $0,%dil ++ jnz 3f ++ add $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ jmp 2f ++1: ++ ++ mov %rdi,%rbx ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ GET_CR0_INTO_RDI ++ btr $16,%rdi ++ jnc 3f ++ SET_RDI_INTO_CR0 ++#endif ++ ++ add $__START_KERNEL_map,%rbx ++ sub phys_base(%rip),%rbx ++ ++#ifdef CONFIG_PARAVIRT ++ cmpl $0, pv_info+PARAVIRT_enabled ++ jz 1f ++ i = 0 ++ .rept USER_PGD_PTRS ++ mov i*8(%rbx),%rsi ++ mov $0x67,%sil ++ lea i*8(%rbx),%rdi ++ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) ++ i = i + 1 ++ .endr ++ jmp 2f ++1: ++#endif ++ ++ i = 0 ++ .rept USER_PGD_PTRS ++ movb $0x67,i*8(%rbx) ++ i = i + 1 ++ .endr ++2: ++ ++#ifdef CONFIG_PARAVIRT ++ PV_RESTORE_REGS(CLBR_RDI) ++#endif ++ ++ popq %rbx ++ popq %rdi ++ pax_force_retaddr ++ retq ++3: ud2 ++ENDPROC(pax_exit_kernel_user) ++#endif ++ ++ .macro pax_enter_kernel_nmi ++ pax_set_fptr_mask ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ GET_CR0_INTO_RDI ++ bts $16,%rdi ++ jc 110f ++ SET_RDI_INTO_CR0 ++ or $2,%ebx ++110: ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ 661: jmp 111f ++ .pushsection .altinstr_replacement, "a" ++ 662: ASM_NOP2 ++ .popsection ++ .pushsection .altinstructions, "a" ++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2 ++ .popsection ++ GET_CR3_INTO_RDI ++ cmp $0,%dil ++ jz 111f ++ sub $4097,%rdi ++ or $4,%ebx ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ mov $__UDEREF_KERNEL_DS,%edi ++ mov %edi,%ss ++111: ++#endif ++ .endm ++ ++ .macro pax_exit_kernel_nmi ++#ifdef CONFIG_PAX_KERNEXEC ++ btr $1,%ebx ++ jnc 110f ++ GET_CR0_INTO_RDI ++ btr $16,%rdi ++ SET_RDI_INTO_CR0 ++110: ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ btr $2,%ebx ++ jnc 111f ++ GET_CR3_INTO_RDI ++ add $4097,%rdi ++ bts $63,%rdi ++ SET_RDI_INTO_CR3 ++ mov $__KERNEL_DS,%edi ++ mov %edi,%ss ++111: ++#endif ++ .endm ++ ++ .macro pax_erase_kstack ++#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++ call pax_erase_kstack ++#endif ++ .endm ++ ++#ifdef CONFIG_PAX_MEMORY_STACKLEAK ++ENTRY(pax_erase_kstack) ++ pushq %rdi ++ pushq %rcx ++ pushq %rax ++ pushq %r11 ++ ++ GET_THREAD_INFO(%r11) ++ mov TI_lowest_stack(%r11), %rdi ++ mov $-0xBEEF, %rax ++ std ++ ++1: mov %edi, %ecx ++ and $THREAD_SIZE_asm - 1, %ecx ++ shr $3, %ecx ++ repne scasq ++ jecxz 2f ++ ++ cmp $2*8, %ecx ++ jc 2f ++ ++ mov $2*8, %ecx ++ repe scasq ++ jecxz 2f ++ jne 1b ++ ++2: cld ++ mov %esp, %ecx ++ sub %edi, %ecx ++ ++ cmp $THREAD_SIZE_asm, %rcx ++ jb 3f ++ ud2 ++3: ++ ++ shr $3, %ecx ++ rep stosq ++ ++ mov TI_task_thread_sp0(%r11), %rdi ++ sub $256, %rdi ++ mov %rdi, TI_lowest_stack(%r11) ++ ++ popq %r11 ++ popq %rax ++ popq %rcx ++ popq %rdi ++ pax_force_retaddr ++ ret ++ENDPROC(pax_erase_kstack) ++#endif + + .macro TRACE_IRQS_IRETQ offset=ARGOFFSET + #ifdef CONFIG_TRACE_IRQFLAGS +@@ -320,7 +753,7 @@ ENDPROC(native_usergs_sysret64) + .endm + + .macro TRACE_IRQS_IRETQ_DEBUG offset=ARGOFFSET +- bt $9,EFLAGS-\offset(%rsp) /* interrupts off? */ ++ bt $X86_EFLAGS_IF_BIT,EFLAGS-\offset(%rsp) /* interrupts off? */ + jnc 1f + TRACE_IRQS_ON_DEBUG + 1: +@@ -358,27 +791,6 @@ ENDPROC(native_usergs_sysret64) + movq \tmp,R11+\offset(%rsp) + .endm + +- .macro FAKE_STACK_FRAME child_rip +- /* push in order ss, rsp, eflags, cs, rip */ +- xorl %eax, %eax +- pushq_cfi $__KERNEL_DS /* ss */ +- /*CFI_REL_OFFSET ss,0*/ +- pushq_cfi %rax /* rsp */ +- CFI_REL_OFFSET rsp,0 +- pushq_cfi $(X86_EFLAGS_IF|X86_EFLAGS_FIXED) /* eflags - interrupts on */ +- /*CFI_REL_OFFSET rflags,0*/ +- pushq_cfi $__KERNEL_CS /* cs */ +- /*CFI_REL_OFFSET cs,0*/ +- pushq_cfi \child_rip /* rip */ +- CFI_REL_OFFSET rip,0 +- pushq_cfi %rax /* orig rax */ +- .endm +- +- .macro UNFAKE_STACK_FRAME +- addq $8*6, %rsp +- CFI_ADJUST_CFA_OFFSET -(6*8) +- .endm +- + /* + * initial frame state for interrupts (and exceptions without error code) + */ +@@ -445,25 +857,26 @@ ENDPROC(native_usergs_sysret64) + /* save partial stack frame */ + .macro SAVE_ARGS_IRQ + cld +- /* start from rbp in pt_regs and jump over */ +- movq_cfi rdi, (RDI-RBP) +- movq_cfi rsi, (RSI-RBP) +- movq_cfi rdx, (RDX-RBP) +- movq_cfi rcx, (RCX-RBP) +- movq_cfi rax, (RAX-RBP) +- movq_cfi r8, (R8-RBP) +- movq_cfi r9, (R9-RBP) +- movq_cfi r10, (R10-RBP) +- movq_cfi r11, (R11-RBP) ++ /* start from r15 in pt_regs and jump over */ ++ movq_cfi rdi, RDI ++ movq_cfi rsi, RSI ++ movq_cfi rdx, RDX ++ movq_cfi rcx, RCX ++ movq_cfi rax, RAX ++ movq_cfi r8, R8 ++ movq_cfi r9, R9 ++ movq_cfi r10, R10 ++ movq_cfi r11, R11 ++ movq_cfi r12, R12 + + /* Save rbp so that we can unwind from get_irq_regs() */ +- movq_cfi rbp, 0 ++ movq_cfi rbp, RBP + + /* Save previous stack value */ + movq %rsp, %rsi + +- leaq -RBP(%rsp),%rdi /* arg1 for handler */ +- testl $3, CS-RBP(%rsi) ++ movq %rsp,%rdi /* arg1 for handler */ ++ testb $3, CS(%rsi) + je 1f + SWAPGS + /* +@@ -483,6 +896,18 @@ ENDPROC(native_usergs_sysret64) + 0x06 /* DW_OP_deref */, \ + 0x08 /* DW_OP_const1u */, SS+8-RBP, \ + 0x22 /* DW_OP_plus */ ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ testb $3, CS(%rdi) ++ jnz 1f ++ pax_enter_kernel ++ jmp 2f ++1: pax_enter_kernel_user ++2: ++#else ++ pax_enter_kernel ++#endif ++ + /* We entered an interrupt context - irqs are off: */ + TRACE_IRQS_OFF + .endm +@@ -514,9 +939,52 @@ ENTRY(save_paranoid) + js 1f /* negative -> in kernel */ + SWAPGS + xorl %ebx,%ebx +-1: ret ++1: ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ testb $3, CS+8(%rsp) ++ jnz 1f ++ pax_enter_kernel ++ jmp 2f ++1: pax_enter_kernel_user ++2: ++#else ++ pax_enter_kernel ++#endif ++ pax_force_retaddr ++ ret + CFI_ENDPROC +-END(save_paranoid) ++ENDPROC(save_paranoid) ++ ++ENTRY(save_paranoid_nmi) ++ XCPT_FRAME 1 RDI+8 ++ cld ++ movq_cfi rdi, RDI+8 ++ movq_cfi rsi, RSI+8 ++ movq_cfi rdx, RDX+8 ++ movq_cfi rcx, RCX+8 ++ movq_cfi rax, RAX+8 ++ movq_cfi r8, R8+8 ++ movq_cfi r9, R9+8 ++ movq_cfi r10, R10+8 ++ movq_cfi r11, R11+8 ++ movq_cfi rbx, RBX+8 ++ movq_cfi rbp, RBP+8 ++ movq_cfi r12, R12+8 ++ movq_cfi r13, R13+8 ++ movq_cfi r14, R14+8 ++ movq_cfi r15, R15+8 ++ movl $1,%ebx ++ movl $MSR_GS_BASE,%ecx ++ rdmsr ++ testl %edx,%edx ++ js 1f /* negative -> in kernel */ ++ SWAPGS ++ xorl %ebx,%ebx ++1: pax_enter_kernel_nmi ++ pax_force_retaddr ++ ret ++ CFI_ENDPROC ++ENDPROC(save_paranoid_nmi) + .popsection + + /* +@@ -538,7 +1006,7 @@ ENTRY(ret_from_fork) + + RESTORE_REST + +- testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread? ++ testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread? + jz 1f + + testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET +@@ -548,15 +1016,13 @@ ENTRY(ret_from_fork) + jmp ret_from_sys_call # go to the SYSRET fastpath + + 1: +- subq $REST_SKIP, %rsp # leave space for volatiles +- CFI_ADJUST_CFA_OFFSET REST_SKIP + movq %rbp, %rdi + call *%rbx + movl $0, RAX(%rsp) + RESTORE_REST + jmp int_ret_from_sys_call + CFI_ENDPROC +-END(ret_from_fork) ++ENDPROC(ret_from_fork) + + /* + * System call entry. Up to 6 arguments in registers are supported. +@@ -593,7 +1059,7 @@ END(ret_from_fork) + ENTRY(system_call) + CFI_STARTPROC simple + CFI_SIGNAL_FRAME +- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET ++ CFI_DEF_CFA rsp,0 + CFI_REGISTER rip,rcx + /*CFI_REGISTER rflags,r11*/ + SWAPGS_UNSAFE_STACK +@@ -606,16 +1072,23 @@ GLOBAL(system_call_after_swapgs) + + movq %rsp,PER_CPU_VAR(old_rsp) + movq PER_CPU_VAR(kernel_stack),%rsp ++ SAVE_ARGS 8*6,0 ++ pax_enter_kernel_user ++ ++#ifdef CONFIG_PAX_RANDKSTACK ++ pax_erase_kstack ++#endif ++ + /* + * No need to follow this irqs off/on section - it's straight + * and short: + */ + ENABLE_INTERRUPTS(CLBR_NONE) +- SAVE_ARGS 8,0 + movq %rax,ORIG_RAX-ARGOFFSET(%rsp) + movq %rcx,RIP-ARGOFFSET(%rsp) + CFI_REL_OFFSET rip,RIP-ARGOFFSET +- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ GET_THREAD_INFO(%rcx) ++ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%rcx) + jnz tracesys + system_call_fastpath: + #if __SYSCALL_MASK == ~0 +@@ -639,10 +1112,13 @@ sysret_check: + LOCKDEP_SYS_EXIT + DISABLE_INTERRUPTS(CLBR_NONE) + TRACE_IRQS_OFF +- movl TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET),%edx ++ GET_THREAD_INFO(%rcx) ++ movl TI_flags(%rcx),%edx + andl %edi,%edx + jnz sysret_careful + CFI_REMEMBER_STATE ++ pax_exit_kernel_user ++ pax_erase_kstack + /* + * sysretq will re-enable interrupts: + */ +@@ -701,6 +1177,9 @@ auditsys: + movq %rax,%rsi /* 2nd arg: syscall number */ + movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */ + call __audit_syscall_entry ++ ++ pax_erase_kstack ++ + LOAD_ARGS 0 /* reload call-clobbered registers */ + jmp system_call_fastpath + +@@ -722,7 +1201,7 @@ sysret_audit: + /* Do syscall tracing */ + tracesys: + #ifdef CONFIG_AUDITSYSCALL +- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) ++ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%rcx) + jz auditsys + #endif + SAVE_REST +@@ -730,12 +1209,15 @@ tracesys: + FIXUP_TOP_OF_STACK %rdi + movq %rsp,%rdi + call syscall_trace_enter ++ ++ pax_erase_kstack ++ + /* + * Reload arg registers from stack in case ptrace changed them. + * We don't reload %rax because syscall_trace_enter() returned + * the value it wants us to use in the table lookup. + */ +- LOAD_ARGS ARGOFFSET, 1 ++ LOAD_ARGS 1 + RESTORE_REST + #if __SYSCALL_MASK == ~0 + cmpq $__NR_syscall_max,%rax +@@ -765,7 +1247,9 @@ GLOBAL(int_with_check) + andl %edi,%edx + jnz int_careful + andl $~TS_COMPAT,TI_status(%rcx) +- jmp retint_swapgs ++ pax_exit_kernel_user ++ pax_erase_kstack ++ jmp retint_swapgs_pax + + /* Either reschedule or signal or syscall exit tracking needed. */ + /* First do a reschedule test. */ +@@ -811,7 +1295,7 @@ int_restore_rest: + TRACE_IRQS_OFF + jmp int_with_check + CFI_ENDPROC +-END(system_call) ++ENDPROC(system_call) + + .macro FORK_LIKE func + ENTRY(stub_\func) +@@ -824,9 +1308,10 @@ ENTRY(stub_\func) + DEFAULT_FRAME 0 8 /* offset 8: return address */ + call sys_\func + RESTORE_TOP_OF_STACK %r11, 8 +- ret $REST_SKIP /* pop extended registers */ ++ pax_force_retaddr ++ ret + CFI_ENDPROC +-END(stub_\func) ++ENDPROC(stub_\func) + .endm + + .macro FIXED_FRAME label,func +@@ -836,9 +1321,10 @@ ENTRY(\label) + FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET + call \func + RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET ++ pax_force_retaddr + ret + CFI_ENDPROC +-END(\label) ++ENDPROC(\label) + .endm + + FORK_LIKE clone +@@ -846,19 +1332,6 @@ END(\label) + FORK_LIKE vfork + FIXED_FRAME stub_iopl, sys_iopl + +-ENTRY(ptregscall_common) +- DEFAULT_FRAME 1 8 /* offset 8: return address */ +- RESTORE_TOP_OF_STACK %r11, 8 +- movq_cfi_restore R15+8, r15 +- movq_cfi_restore R14+8, r14 +- movq_cfi_restore R13+8, r13 +- movq_cfi_restore R12+8, r12 +- movq_cfi_restore RBP+8, rbp +- movq_cfi_restore RBX+8, rbx +- ret $REST_SKIP /* pop extended registers */ +- CFI_ENDPROC +-END(ptregscall_common) +- + ENTRY(stub_execve) + CFI_STARTPROC + addq $8, %rsp +@@ -870,7 +1343,7 @@ ENTRY(stub_execve) + RESTORE_REST + jmp int_ret_from_sys_call + CFI_ENDPROC +-END(stub_execve) ++ENDPROC(stub_execve) + + /* + * sigreturn is special because it needs to restore all registers on return. +@@ -887,7 +1360,7 @@ ENTRY(stub_rt_sigreturn) + RESTORE_REST + jmp int_ret_from_sys_call + CFI_ENDPROC +-END(stub_rt_sigreturn) ++ENDPROC(stub_rt_sigreturn) + + #ifdef CONFIG_X86_X32_ABI + ENTRY(stub_x32_rt_sigreturn) +@@ -901,7 +1374,7 @@ ENTRY(stub_x32_rt_sigreturn) + RESTORE_REST + jmp int_ret_from_sys_call + CFI_ENDPROC +-END(stub_x32_rt_sigreturn) ++ENDPROC(stub_x32_rt_sigreturn) + + ENTRY(stub_x32_execve) + CFI_STARTPROC +@@ -915,7 +1388,7 @@ ENTRY(stub_x32_execve) + RESTORE_REST + jmp int_ret_from_sys_call + CFI_ENDPROC +-END(stub_x32_execve) ++ENDPROC(stub_x32_execve) + + #endif + +@@ -952,7 +1425,7 @@ vector=vector+1 + 2: jmp common_interrupt + .endr + CFI_ENDPROC +-END(irq_entries_start) ++ENDPROC(irq_entries_start) + + .previous + END(interrupt) +@@ -969,8 +1442,8 @@ END(interrupt) + /* 0(%rsp): ~(interrupt number) */ + .macro interrupt func + /* reserve pt_regs for scratch regs and rbp */ +- subq $ORIG_RAX-RBP, %rsp +- CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP ++ subq $ORIG_RAX, %rsp ++ CFI_ADJUST_CFA_OFFSET ORIG_RAX + SAVE_ARGS_IRQ + call \func + .endm +@@ -997,14 +1470,14 @@ ret_from_intr: + + /* Restore saved previous stack */ + popq %rsi +- CFI_DEF_CFA rsi,SS+8-RBP /* reg/off reset after def_cfa_expr */ +- leaq ARGOFFSET-RBP(%rsi), %rsp ++ CFI_DEF_CFA rsi,SS+8 /* reg/off reset after def_cfa_expr */ ++ movq %rsi, %rsp + CFI_DEF_CFA_REGISTER rsp +- CFI_ADJUST_CFA_OFFSET RBP-ARGOFFSET ++ CFI_ADJUST_CFA_OFFSET -ARGOFFSET + + exit_intr: + GET_THREAD_INFO(%rcx) +- testl $3,CS-ARGOFFSET(%rsp) ++ testb $3,CS-ARGOFFSET(%rsp) + je retint_kernel + + /* Interrupt came from user space */ +@@ -1026,12 +1499,16 @@ retint_swapgs: /* return to user-space */ + * The iretq could re-enable interrupts: + */ + DISABLE_INTERRUPTS(CLBR_ANY) ++ pax_exit_kernel_user ++retint_swapgs_pax: + TRACE_IRQS_IRETQ + SWAPGS + jmp restore_args + + retint_restore_args: /* return to kernel space */ + DISABLE_INTERRUPTS(CLBR_ANY) ++ pax_exit_kernel ++ pax_force_retaddr (RIP-ARGOFFSET) + /* + * The iretq could re-enable interrupts: + */ +@@ -1112,7 +1589,7 @@ ENTRY(retint_kernel) + #endif + + CFI_ENDPROC +-END(common_interrupt) ++ENDPROC(common_interrupt) + /* + * End of kprobes section + */ +@@ -1130,7 +1607,7 @@ ENTRY(\sym) + interrupt \do_sym + jmp ret_from_intr + CFI_ENDPROC +-END(\sym) ++ENDPROC(\sym) + .endm + + #ifdef CONFIG_TRACING +@@ -1218,7 +1695,7 @@ ENTRY(\sym) + call \do_sym + jmp error_exit /* %ebx: no swapgs flag */ + CFI_ENDPROC +-END(\sym) ++ENDPROC(\sym) + .endm + + .macro paranoidzeroentry sym do_sym +@@ -1236,10 +1713,10 @@ ENTRY(\sym) + call \do_sym + jmp paranoid_exit /* %ebx: no swapgs flag */ + CFI_ENDPROC +-END(\sym) ++ENDPROC(\sym) + .endm + +-#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8) ++#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r13) + .macro paranoidzeroentry_ist sym do_sym ist + ENTRY(\sym) + INTR_FRAME +@@ -1252,12 +1729,18 @@ ENTRY(\sym) + TRACE_IRQS_OFF_DEBUG + movq %rsp,%rdi /* pt_regs pointer */ + xorl %esi,%esi /* no error code */ ++#ifdef CONFIG_SMP ++ imul $TSS_size, PER_CPU_VAR(cpu_number), %r13d ++ lea init_tss(%r13), %r13 ++#else ++ lea init_tss(%rip), %r13 ++#endif + subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist) + call \do_sym + addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist) + jmp paranoid_exit /* %ebx: no swapgs flag */ + CFI_ENDPROC +-END(\sym) ++ENDPROC(\sym) + .endm + + .macro errorentry sym do_sym +@@ -1275,7 +1758,7 @@ ENTRY(\sym) + call \do_sym + jmp error_exit /* %ebx: no swapgs flag */ + CFI_ENDPROC +-END(\sym) ++ENDPROC(\sym) + .endm + + #ifdef CONFIG_TRACING +@@ -1306,7 +1789,7 @@ ENTRY(\sym) + call \do_sym + jmp paranoid_exit /* %ebx: no swapgs flag */ + CFI_ENDPROC +-END(\sym) ++ENDPROC(\sym) + .endm + + zeroentry divide_error do_divide_error +@@ -1336,9 +1819,10 @@ gs_change: + 2: mfence /* workaround */ + SWAPGS + popfq_cfi ++ pax_force_retaddr + ret + CFI_ENDPROC +-END(native_load_gs_index) ++ENDPROC(native_load_gs_index) + + _ASM_EXTABLE(gs_change,bad_gs) + .section .fixup,"ax" +@@ -1366,9 +1850,10 @@ ENTRY(do_softirq_own_stack) + CFI_DEF_CFA_REGISTER rsp + CFI_ADJUST_CFA_OFFSET -8 + decl PER_CPU_VAR(irq_count) ++ pax_force_retaddr + ret + CFI_ENDPROC +-END(do_softirq_own_stack) ++ENDPROC(do_softirq_own_stack) + + #ifdef CONFIG_XEN + zeroentry xen_hypervisor_callback xen_do_hypervisor_callback +@@ -1406,7 +1891,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) + decl PER_CPU_VAR(irq_count) + jmp error_exit + CFI_ENDPROC +-END(xen_do_hypervisor_callback) ++ENDPROC(xen_do_hypervisor_callback) + + /* + * Hypervisor uses this for application faults while it executes. +@@ -1465,7 +1950,7 @@ ENTRY(xen_failsafe_callback) + SAVE_ALL + jmp error_exit + CFI_ENDPROC +-END(xen_failsafe_callback) ++ENDPROC(xen_failsafe_callback) + + apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \ + xen_hvm_callback_vector xen_evtchn_do_upcall +@@ -1517,18 +2002,33 @@ ENTRY(paranoid_exit) + DEFAULT_FRAME + DISABLE_INTERRUPTS(CLBR_NONE) + TRACE_IRQS_OFF_DEBUG +- testl %ebx,%ebx /* swapgs needed? */ ++ testl $1,%ebx /* swapgs needed? */ + jnz paranoid_restore +- testl $3,CS(%rsp) ++ testb $3,CS(%rsp) + jnz paranoid_userspace ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pax_exit_kernel ++ TRACE_IRQS_IRETQ 0 ++ SWAPGS_UNSAFE_STACK ++ RESTORE_ALL 8 ++ pax_force_retaddr_bts ++ jmp irq_return ++#endif + paranoid_swapgs: ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pax_exit_kernel_user ++#else ++ pax_exit_kernel ++#endif + TRACE_IRQS_IRETQ 0 + SWAPGS_UNSAFE_STACK + RESTORE_ALL 8 + jmp irq_return + paranoid_restore: ++ pax_exit_kernel + TRACE_IRQS_IRETQ_DEBUG 0 + RESTORE_ALL 8 ++ pax_force_retaddr_bts + jmp irq_return + paranoid_userspace: + GET_THREAD_INFO(%rcx) +@@ -1557,7 +2057,7 @@ paranoid_schedule: + TRACE_IRQS_OFF + jmp paranoid_userspace + CFI_ENDPROC +-END(paranoid_exit) ++ENDPROC(paranoid_exit) + + /* + * Exception entry point. This expects an error code/orig_rax on the stack. +@@ -1584,12 +2084,23 @@ ENTRY(error_entry) + movq_cfi r14, R14+8 + movq_cfi r15, R15+8 + xorl %ebx,%ebx +- testl $3,CS+8(%rsp) ++ testb $3,CS+8(%rsp) + je error_kernelspace + error_swapgs: + SWAPGS + error_sti: ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ testb $3, CS+8(%rsp) ++ jnz 1f ++ pax_enter_kernel ++ jmp 2f ++1: pax_enter_kernel_user ++2: ++#else ++ pax_enter_kernel ++#endif + TRACE_IRQS_OFF ++ pax_force_retaddr + ret + + /* +@@ -1616,7 +2127,7 @@ bstep_iret: + movq %rcx,RIP+8(%rsp) + jmp error_swapgs + CFI_ENDPROC +-END(error_entry) ++ENDPROC(error_entry) + + + /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ +@@ -1627,7 +2138,7 @@ ENTRY(error_exit) + DISABLE_INTERRUPTS(CLBR_NONE) + TRACE_IRQS_OFF + GET_THREAD_INFO(%rcx) +- testl %eax,%eax ++ testl $1,%eax + jne retint_kernel + LOCKDEP_SYS_EXIT_IRQ + movl TI_flags(%rcx),%edx +@@ -1636,7 +2147,7 @@ ENTRY(error_exit) + jnz retint_careful + jmp retint_swapgs + CFI_ENDPROC +-END(error_exit) ++ENDPROC(error_exit) + + /* + * Test if a given stack is an NMI stack or not. +@@ -1694,9 +2205,11 @@ ENTRY(nmi) + * If %cs was not the kernel segment, then the NMI triggered in user + * space, which means it is definitely not nested. + */ ++ cmpl $__KERNEXEC_KERNEL_CS, 16(%rsp) ++ je 1f + cmpl $__KERNEL_CS, 16(%rsp) + jne first_nmi +- ++1: + /* + * Check the special variable on the stack to see if NMIs are + * executing. +@@ -1730,8 +2243,7 @@ nested_nmi: + + 1: + /* Set up the interrupted NMIs stack to jump to repeat_nmi */ +- leaq -1*8(%rsp), %rdx +- movq %rdx, %rsp ++ subq $8, %rsp + CFI_ADJUST_CFA_OFFSET 1*8 + leaq -10*8(%rsp), %rdx + pushq_cfi $__KERNEL_DS +@@ -1749,6 +2261,7 @@ nested_nmi_out: + CFI_RESTORE rdx + + /* No need to check faults here */ ++# pax_force_retaddr_bts + INTERRUPT_RETURN + + CFI_RESTORE_STATE +@@ -1845,13 +2358,13 @@ end_repeat_nmi: + subq $ORIG_RAX-R15, %rsp + CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 + /* +- * Use save_paranoid to handle SWAPGS, but no need to use paranoid_exit ++ * Use save_paranoid_nmi to handle SWAPGS, but no need to use paranoid_exit + * as we should not be calling schedule in NMI context. + * Even with normal interrupts enabled. An NMI should not be + * setting NEED_RESCHED or anything that normal interrupts and + * exceptions might do. + */ +- call save_paranoid ++ call save_paranoid_nmi + DEFAULT_FRAME 0 + + /* +@@ -1861,9 +2374,9 @@ end_repeat_nmi: + * NMI itself takes a page fault, the page fault that was preempted + * will read the information from the NMI page fault and not the + * origin fault. Save it off and restore it if it changes. +- * Use the r12 callee-saved register. ++ * Use the r13 callee-saved register. + */ +- movq %cr2, %r12 ++ movq %cr2, %r13 + + /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ + movq %rsp,%rdi +@@ -1872,31 +2385,36 @@ end_repeat_nmi: + + /* Did the NMI take a page fault? Restore cr2 if it did */ + movq %cr2, %rcx +- cmpq %rcx, %r12 ++ cmpq %rcx, %r13 + je 1f +- movq %r12, %cr2 ++ movq %r13, %cr2 + 1: + +- testl %ebx,%ebx /* swapgs needed? */ ++ testl $1,%ebx /* swapgs needed? */ + jnz nmi_restore + nmi_swapgs: + SWAPGS_UNSAFE_STACK + nmi_restore: ++ pax_exit_kernel_nmi + /* Pop the extra iret frame at once */ + RESTORE_ALL 6*8 ++ testb $3, 8(%rsp) ++ jnz 1f ++ pax_force_retaddr_bts ++1: + + /* Clear the NMI executing stack variable */ + movq $0, 5*8(%rsp) + jmp irq_return + CFI_ENDPROC +-END(nmi) ++ENDPROC(nmi) + + ENTRY(ignore_sysret) + CFI_STARTPROC + mov $-ENOSYS,%eax + sysret + CFI_ENDPROC +-END(ignore_sysret) ++ENDPROC(ignore_sysret) + + /* + * End of kprobes section +diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c +index e625319..b9abb9d 100644 +--- a/arch/x86/kernel/ftrace.c ++++ b/arch/x86/kernel/ftrace.c +@@ -104,6 +104,8 @@ ftrace_modify_code_direct(unsigned long ip, unsigned const char *old_code, + { + unsigned char replaced[MCOUNT_INSN_SIZE]; + ++ ip = ktla_ktva(ip); ++ + /* + * Note: Due to modules and __init, code can + * disappear and change, we need to protect against faulting +@@ -229,7 +231,7 @@ static int update_ftrace_func(unsigned long ip, void *new) + unsigned char old[MCOUNT_INSN_SIZE]; + int ret; + +- memcpy(old, (void *)ip, MCOUNT_INSN_SIZE); ++ memcpy(old, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE); + + ftrace_update_func = ip; + /* Make sure the breakpoints see the ftrace_update_func update */ +@@ -306,7 +308,7 @@ static int ftrace_write(unsigned long ip, const char *val, int size) + * kernel identity mapping to modify code. + */ + if (within(ip, (unsigned long)_text, (unsigned long)_etext)) +- ip = (unsigned long)__va(__pa_symbol(ip)); ++ ip = (unsigned long)__va(__pa_symbol(ktla_ktva(ip))); + + return probe_kernel_write((void *)ip, val, size); + } +@@ -316,7 +318,7 @@ static int add_break(unsigned long ip, const char *old) + unsigned char replaced[MCOUNT_INSN_SIZE]; + unsigned char brk = BREAKPOINT_INSTRUCTION; + +- if (probe_kernel_read(replaced, (void *)ip, MCOUNT_INSN_SIZE)) ++ if (probe_kernel_read(replaced, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE)) + return -EFAULT; + + /* Make sure it is what we expect it to be */ +@@ -664,7 +666,7 @@ ftrace_modify_code(unsigned long ip, unsigned const char *old_code, + return ret; + + fail_update: +- probe_kernel_write((void *)ip, &old_code[0], 1); ++ probe_kernel_write((void *)ktla_ktva(ip), &old_code[0], 1); + goto out; + } + +diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c +index 85126cc..1bbce17 100644 +--- a/arch/x86/kernel/head64.c ++++ b/arch/x86/kernel/head64.c +@@ -67,12 +67,12 @@ again: + pgd = *pgd_p; + + /* +- * The use of __START_KERNEL_map rather than __PAGE_OFFSET here is +- * critical -- __PAGE_OFFSET would point us back into the dynamic ++ * The use of __early_va rather than __va here is critical: ++ * __va would point us back into the dynamic + * range and we might end up looping forever... + */ + if (pgd) +- pud_p = (pudval_t *)((pgd & PTE_PFN_MASK) + __START_KERNEL_map - phys_base); ++ pud_p = (pudval_t *)(__early_va(pgd & PTE_PFN_MASK)); + else { + if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) { + reset_early_page_tables(); +@@ -82,13 +82,13 @@ again: + pud_p = (pudval_t *)early_dynamic_pgts[next_early_pgt++]; + for (i = 0; i < PTRS_PER_PUD; i++) + pud_p[i] = 0; +- *pgd_p = (pgdval_t)pud_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE; ++ *pgd_p = (pgdval_t)__pa(pud_p) + _KERNPG_TABLE; + } + pud_p += pud_index(address); + pud = *pud_p; + + if (pud) +- pmd_p = (pmdval_t *)((pud & PTE_PFN_MASK) + __START_KERNEL_map - phys_base); ++ pmd_p = (pmdval_t *)(__early_va(pud & PTE_PFN_MASK)); + else { + if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) { + reset_early_page_tables(); +@@ -98,7 +98,7 @@ again: + pmd_p = (pmdval_t *)early_dynamic_pgts[next_early_pgt++]; + for (i = 0; i < PTRS_PER_PMD; i++) + pmd_p[i] = 0; +- *pud_p = (pudval_t)pmd_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE; ++ *pud_p = (pudval_t)__pa(pmd_p) + _KERNPG_TABLE; + } + pmd = (physaddr & PMD_MASK) + early_pmd_flags; + pmd_p[pmd_index(address)] = pmd; +@@ -175,7 +175,6 @@ asmlinkage void __init x86_64_start_kernel(char * real_mode_data) + if (console_loglevel == 10) + early_printk("Kernel alive\n"); + +- clear_page(init_level4_pgt); + /* set init_level4_pgt kernel high mapping*/ + init_level4_pgt[511] = early_level4_pgt[511]; + +diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S +index f36bd42..56ee1534 100644 +--- a/arch/x86/kernel/head_32.S ++++ b/arch/x86/kernel/head_32.S +@@ -26,6 +26,12 @@ + /* Physical address */ + #define pa(X) ((X) - __PAGE_OFFSET) + ++#ifdef CONFIG_PAX_KERNEXEC ++#define ta(X) (X) ++#else ++#define ta(X) ((X) - __PAGE_OFFSET) ++#endif ++ + /* + * References to members of the new_cpu_data structure. + */ +@@ -55,11 +61,7 @@ + * and small than max_low_pfn, otherwise will waste some page table entries + */ + +-#if PTRS_PER_PMD > 1 +-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD) +-#else +-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD) +-#endif ++#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE) + + /* Number of possible pages in the lowmem region */ + LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT) +@@ -78,6 +80,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_PAGES) * PAGE_SIZE + RESERVE_BRK(pagetables, INIT_MAP_SIZE) + + /* ++ * Real beginning of normal "text" segment ++ */ ++ENTRY(stext) ++ENTRY(_stext) ++ ++/* + * 32-bit kernel entrypoint; only used by the boot CPU. On entry, + * %esi points to the real-mode code as a 32-bit pointer. + * CS and DS must be 4 GB flat segments, but we don't depend on +@@ -85,6 +93,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE) + * can. + */ + __HEAD ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ jmp startup_32 ++/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */ ++.fill PAGE_SIZE-5,1,0xcc ++#endif ++ + ENTRY(startup_32) + movl pa(stack_start),%ecx + +@@ -106,6 +121,59 @@ ENTRY(startup_32) + 2: + leal -__PAGE_OFFSET(%ecx),%esp + ++#ifdef CONFIG_SMP ++ movl $pa(cpu_gdt_table),%edi ++ movl $__per_cpu_load,%eax ++ movw %ax,GDT_ENTRY_PERCPU * 8 + 2(%edi) ++ rorl $16,%eax ++ movb %al,GDT_ENTRY_PERCPU * 8 + 4(%edi) ++ movb %ah,GDT_ENTRY_PERCPU * 8 + 7(%edi) ++ movl $__per_cpu_end - 1,%eax ++ subl $__per_cpu_start,%eax ++ movw %ax,GDT_ENTRY_PERCPU * 8 + 0(%edi) ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ movl $NR_CPUS,%ecx ++ movl $pa(cpu_gdt_table),%edi ++1: ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi) ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi) ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi) ++ addl $PAGE_SIZE_asm,%edi ++ loop 1b ++#endif ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ movl $pa(boot_gdt),%edi ++ movl $__LOAD_PHYSICAL_ADDR,%eax ++ movw %ax,GDT_ENTRY_BOOT_CS * 8 + 2(%edi) ++ rorl $16,%eax ++ movb %al,GDT_ENTRY_BOOT_CS * 8 + 4(%edi) ++ movb %ah,GDT_ENTRY_BOOT_CS * 8 + 7(%edi) ++ rorl $16,%eax ++ ++ ljmp $(__BOOT_CS),$1f ++1: ++ ++ movl $NR_CPUS,%ecx ++ movl $pa(cpu_gdt_table),%edi ++ addl $__PAGE_OFFSET,%eax ++1: ++ movb $0xc0,GDT_ENTRY_KERNEL_CS * 8 + 6(%edi) ++ movb $0xc0,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 6(%edi) ++ movw %ax,GDT_ENTRY_KERNEL_CS * 8 + 2(%edi) ++ movw %ax,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 2(%edi) ++ rorl $16,%eax ++ movb %al,GDT_ENTRY_KERNEL_CS * 8 + 4(%edi) ++ movb %al,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 4(%edi) ++ movb %ah,GDT_ENTRY_KERNEL_CS * 8 + 7(%edi) ++ movb %ah,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 7(%edi) ++ rorl $16,%eax ++ addl $PAGE_SIZE_asm,%edi ++ loop 1b ++#endif ++ + /* + * Clear BSS first so that there are no surprises... + */ +@@ -201,8 +269,11 @@ ENTRY(startup_32) + movl %eax, pa(max_pfn_mapped) + + /* Do early initialization of the fixmap area */ +- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax +- movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8) ++#ifdef CONFIG_COMPAT_VDSO ++ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8) ++#else ++ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8) ++#endif + #else /* Not PAE */ + + page_pde_offset = (__PAGE_OFFSET >> 20); +@@ -232,8 +303,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20); + movl %eax, pa(max_pfn_mapped) + + /* Do early initialization of the fixmap area */ +- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax +- movl %eax,pa(initial_page_table+0xffc) ++#ifdef CONFIG_COMPAT_VDSO ++ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc) ++#else ++ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc) ++#endif + #endif + + #ifdef CONFIG_PARAVIRT +@@ -247,9 +321,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20); + cmpl $num_subarch_entries, %eax + jae bad_subarch + +- movl pa(subarch_entries)(,%eax,4), %eax +- subl $__PAGE_OFFSET, %eax +- jmp *%eax ++ jmp *pa(subarch_entries)(,%eax,4) + + bad_subarch: + WEAK(lguest_entry) +@@ -261,10 +333,10 @@ WEAK(xen_entry) + __INITDATA + + subarch_entries: +- .long default_entry /* normal x86/PC */ +- .long lguest_entry /* lguest hypervisor */ +- .long xen_entry /* Xen hypervisor */ +- .long default_entry /* Moorestown MID */ ++ .long ta(default_entry) /* normal x86/PC */ ++ .long ta(lguest_entry) /* lguest hypervisor */ ++ .long ta(xen_entry) /* Xen hypervisor */ ++ .long ta(default_entry) /* Moorestown MID */ + num_subarch_entries = (. - subarch_entries) / 4 + .previous + #else +@@ -354,6 +426,7 @@ default_entry: + movl pa(mmu_cr4_features),%eax + movl %eax,%cr4 + ++#ifdef CONFIG_X86_PAE + testb $X86_CR4_PAE, %al # check if PAE is enabled + jz enable_paging + +@@ -382,6 +455,9 @@ default_entry: + /* Make changes effective */ + wrmsr + ++ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4) ++#endif ++ + enable_paging: + + /* +@@ -449,14 +525,20 @@ is486: + 1: movl $(__KERNEL_DS),%eax # reload all the segment registers + movl %eax,%ss # after changing gdt. + +- movl $(__USER_DS),%eax # DS/ES contains default USER segment ++# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment + movl %eax,%ds + movl %eax,%es + + movl $(__KERNEL_PERCPU), %eax + movl %eax,%fs # set this cpu's percpu + ++#ifdef CONFIG_CC_STACKPROTECTOR + movl $(__KERNEL_STACK_CANARY),%eax ++#elif defined(CONFIG_PAX_MEMORY_UDEREF) ++ movl $(__USER_DS),%eax ++#else ++ xorl %eax,%eax ++#endif + movl %eax,%gs + + xorl %eax,%eax # Clear LDT +@@ -512,8 +594,11 @@ setup_once: + * relocation. Manually set base address in stack canary + * segment descriptor. + */ +- movl $gdt_page,%eax ++ movl $cpu_gdt_table,%eax + movl $stack_canary,%ecx ++#ifdef CONFIG_SMP ++ addl $__per_cpu_load,%ecx ++#endif + movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax) + shrl $16, %ecx + movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax) +@@ -548,7 +633,7 @@ ENTRY(early_idt_handler) + cmpl $2,(%esp) # X86_TRAP_NMI + je is_nmi # Ignore NMI + +- cmpl $2,%ss:early_recursion_flag ++ cmpl $1,%ss:early_recursion_flag + je hlt_loop + incl %ss:early_recursion_flag + +@@ -586,8 +671,8 @@ ENTRY(early_idt_handler) + pushl (20+6*4)(%esp) /* trapno */ + pushl $fault_msg + call printk +-#endif + call dump_stack ++#endif + hlt_loop: + hlt + jmp hlt_loop +@@ -607,8 +692,11 @@ ENDPROC(early_idt_handler) + /* This is the default interrupt "handler" :-) */ + ALIGN + ignore_int: +- cld + #ifdef CONFIG_PRINTK ++ cmpl $2,%ss:early_recursion_flag ++ je hlt_loop ++ incl %ss:early_recursion_flag ++ cld + pushl %eax + pushl %ecx + pushl %edx +@@ -617,9 +705,6 @@ ignore_int: + movl $(__KERNEL_DS),%eax + movl %eax,%ds + movl %eax,%es +- cmpl $2,early_recursion_flag +- je hlt_loop +- incl early_recursion_flag + pushl 16(%esp) + pushl 24(%esp) + pushl 32(%esp) +@@ -653,29 +738,34 @@ ENTRY(setup_once_ref) + /* + * BSS section + */ +-__PAGE_ALIGNED_BSS +- .align PAGE_SIZE + #ifdef CONFIG_X86_PAE ++.section .initial_pg_pmd,"a",@progbits + initial_pg_pmd: + .fill 1024*KPMDS,4,0 + #else ++.section .initial_page_table,"a",@progbits + ENTRY(initial_page_table) + .fill 1024,4,0 + #endif ++.section .initial_pg_fixmap,"a",@progbits + initial_pg_fixmap: + .fill 1024,4,0 ++.section .empty_zero_page,"a",@progbits + ENTRY(empty_zero_page) + .fill 4096,1,0 ++.section .swapper_pg_dir,"a",@progbits + ENTRY(swapper_pg_dir) ++#ifdef CONFIG_X86_PAE ++ .fill 4,8,0 ++#else + .fill 1024,4,0 ++#endif + + /* + * This starts the data section. + */ + #ifdef CONFIG_X86_PAE +-__PAGE_ALIGNED_DATA +- /* Page-aligned for the benefit of paravirt? */ +- .align PAGE_SIZE ++.section .initial_page_table,"a",@progbits + ENTRY(initial_page_table) + .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */ + # if KPMDS == 3 +@@ -694,12 +784,20 @@ ENTRY(initial_page_table) + # error "Kernel PMDs should be 1, 2 or 3" + # endif + .align PAGE_SIZE /* needs to be page-sized too */ ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ENTRY(cpu_pgd) ++ .rept 2*NR_CPUS ++ .fill 4,8,0 ++ .endr ++#endif ++ + #endif + + .data + .balign 4 + ENTRY(stack_start) +- .long init_thread_union+THREAD_SIZE ++ .long init_thread_union+THREAD_SIZE-8 + + __INITRODATA + int_msg: +@@ -727,7 +825,7 @@ fault_msg: + * segment size, and 32-bit linear address value: + */ + +- .data ++.section .rodata,"a",@progbits + .globl boot_gdt_descr + .globl idt_descr + +@@ -736,7 +834,7 @@ fault_msg: + .word 0 # 32 bit align gdt_desc.address + boot_gdt_descr: + .word __BOOT_DS+7 +- .long boot_gdt - __PAGE_OFFSET ++ .long pa(boot_gdt) + + .word 0 # 32-bit align idt_desc.address + idt_descr: +@@ -747,7 +845,7 @@ idt_descr: + .word 0 # 32 bit align gdt_desc.address + ENTRY(early_gdt_descr) + .word GDT_ENTRIES*8-1 +- .long gdt_page /* Overwritten for secondary CPUs */ ++ .long cpu_gdt_table /* Overwritten for secondary CPUs */ + + /* + * The boot_gdt must mirror the equivalent in setup.S and is +@@ -756,5 +854,65 @@ ENTRY(early_gdt_descr) + .align L1_CACHE_BYTES + ENTRY(boot_gdt) + .fill GDT_ENTRY_BOOT_CS,8,0 +- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */ +- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */ ++ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */ ++ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */ ++ ++ .align PAGE_SIZE_asm ++ENTRY(cpu_gdt_table) ++ .rept NR_CPUS ++ .quad 0x0000000000000000 /* NULL descriptor */ ++ .quad 0x0000000000000000 /* 0x0b reserved */ ++ .quad 0x0000000000000000 /* 0x13 reserved */ ++ .quad 0x0000000000000000 /* 0x1b reserved */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */ ++#else ++ .quad 0x0000000000000000 /* 0x20 unused */ ++#endif ++ ++ .quad 0x0000000000000000 /* 0x28 unused */ ++ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */ ++ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */ ++ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */ ++ .quad 0x0000000000000000 /* 0x4b reserved */ ++ .quad 0x0000000000000000 /* 0x53 reserved */ ++ .quad 0x0000000000000000 /* 0x5b reserved */ ++ ++ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */ ++ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */ ++ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */ ++ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */ ++ ++ .quad 0x0000000000000000 /* 0x80 TSS descriptor */ ++ .quad 0x0000000000000000 /* 0x88 LDT descriptor */ ++ ++ /* ++ * Segments used for calling PnP BIOS have byte granularity. ++ * The code segments and data segments have fixed 64k limits, ++ * the transfer segment sizes are set at run time. ++ */ ++ .quad 0x00409b000000ffff /* 0x90 32-bit code */ ++ .quad 0x00009b000000ffff /* 0x98 16-bit code */ ++ .quad 0x000093000000ffff /* 0xa0 16-bit data */ ++ .quad 0x0000930000000000 /* 0xa8 16-bit data */ ++ .quad 0x0000930000000000 /* 0xb0 16-bit data */ ++ ++ /* ++ * The APM segments have byte granularity and their bases ++ * are set at run time. All have 64k limits. ++ */ ++ .quad 0x00409b000000ffff /* 0xb8 APM CS code */ ++ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */ ++ .quad 0x004093000000ffff /* 0xc8 APM DS data */ ++ ++ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */ ++ .quad 0x0040930000000000 /* 0xd8 - PERCPU */ ++ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */ ++ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */ ++ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */ ++ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */ ++ ++ /* Be sure this is zeroed to avoid false validations in Xen */ ++ .fill PAGE_SIZE_asm - GDT_SIZE,1,0 ++ .endr +diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S +index a468c0a..c7dec74 100644 +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -20,6 +20,8 @@ + #include + #include + #include ++#include ++#include + + #ifdef CONFIG_PARAVIRT + #include +@@ -41,6 +43,12 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET) + L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET) + L4_START_KERNEL = pgd_index(__START_KERNEL_map) + L3_START_KERNEL = pud_index(__START_KERNEL_map) ++L4_VMALLOC_START = pgd_index(VMALLOC_START) ++L3_VMALLOC_START = pud_index(VMALLOC_START) ++L4_VMALLOC_END = pgd_index(VMALLOC_END) ++L3_VMALLOC_END = pud_index(VMALLOC_END) ++L4_VMEMMAP_START = pgd_index(VMEMMAP_START) ++L3_VMEMMAP_START = pud_index(VMEMMAP_START) + + .text + __HEAD +@@ -89,11 +97,24 @@ startup_64: + * Fixup the physical addresses in the page table + */ + addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip) ++ addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip) ++ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip) ++ addq %rbp, init_level4_pgt + (L4_VMALLOC_END*8)(%rip) ++ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip) ++ addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip) + +- addq %rbp, level3_kernel_pgt + (510*8)(%rip) +- addq %rbp, level3_kernel_pgt + (511*8)(%rip) ++ addq %rbp, level3_ident_pgt + (0*8)(%rip) ++#ifndef CONFIG_XEN ++ addq %rbp, level3_ident_pgt + (1*8)(%rip) ++#endif ++ ++ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip) ++ ++ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip) ++ addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip) + + addq %rbp, level2_fixmap_pgt + (506*8)(%rip) ++ addq %rbp, level2_fixmap_pgt + (507*8)(%rip) + + /* + * Set up the identity mapping for the switchover. These +@@ -177,8 +198,8 @@ ENTRY(secondary_startup_64) + movq $(init_level4_pgt - __START_KERNEL_map), %rax + 1: + +- /* Enable PAE mode and PGE */ +- movl $(X86_CR4_PAE | X86_CR4_PGE), %ecx ++ /* Enable PAE mode and PSE/PGE */ ++ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %ecx + movq %rcx, %cr4 + + /* Setup early boot stage 4 level pagetables. */ +@@ -199,10 +220,19 @@ ENTRY(secondary_startup_64) + movl $MSR_EFER, %ecx + rdmsr + btsl $_EFER_SCE, %eax /* Enable System Call */ +- btl $20,%edi /* No Execute supported? */ ++ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */ + jnc 1f + btsl $_EFER_NX, %eax + btsq $_PAGE_BIT_NX,early_pmd_flags(%rip) ++#ifndef CONFIG_EFI ++ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_PAGE_OFFSET(%rip) ++#endif ++ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_START(%rip) ++ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_END(%rip) ++ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMEMMAP_START(%rip) ++ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*506(%rip) ++ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*507(%rip) ++ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip) + 1: wrmsr /* Make changes effective */ + + /* Setup cr0 */ +@@ -282,6 +312,7 @@ ENTRY(secondary_startup_64) + * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect, + * address given in m16:64. + */ ++ pax_set_fptr_mask + movq initial_code(%rip),%rax + pushq $0 # fake return address to stop unwinder + pushq $__KERNEL_CS # set correct cs +@@ -313,7 +344,7 @@ ENDPROC(start_cpu0) + .quad INIT_PER_CPU_VAR(irq_stack_union) + + GLOBAL(stack_start) +- .quad init_thread_union+THREAD_SIZE-8 ++ .quad init_thread_union+THREAD_SIZE-16 + .word 0 + __FINITDATA + +@@ -391,7 +422,7 @@ ENTRY(early_idt_handler) + call dump_stack + #ifdef CONFIG_KALLSYMS + leaq early_idt_ripmsg(%rip),%rdi +- movq 40(%rsp),%rsi # %rip again ++ movq 88(%rsp),%rsi # %rip again + call __print_symbol + #endif + #endif /* EARLY_PRINTK */ +@@ -420,6 +451,7 @@ ENDPROC(early_idt_handler) + early_recursion_flag: + .long 0 + ++ .section .rodata,"a",@progbits + #ifdef CONFIG_EARLY_PRINTK + early_idt_msg: + .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" +@@ -447,29 +479,52 @@ NEXT_PAGE(early_level4_pgt) + NEXT_PAGE(early_dynamic_pgts) + .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0 + +- .data ++ .section .rodata,"a",@progbits + +-#ifndef CONFIG_XEN + NEXT_PAGE(init_level4_pgt) +- .fill 512,8,0 +-#else +-NEXT_PAGE(init_level4_pgt) +- .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE + .org init_level4_pgt + L4_PAGE_OFFSET*8, 0 + .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE ++ .org init_level4_pgt + L4_VMALLOC_START*8, 0 ++ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + _KERNPG_TABLE ++ .org init_level4_pgt + L4_VMALLOC_END*8, 0 ++ .quad level3_vmalloc_end_pgt - __START_KERNEL_map + _KERNPG_TABLE ++ .org init_level4_pgt + L4_VMEMMAP_START*8, 0 ++ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE + .org init_level4_pgt + L4_START_KERNEL*8, 0 + /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */ + .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++NEXT_PAGE(cpu_pgd) ++ .rept 2*NR_CPUS ++ .fill 512,8,0 ++ .endr ++#endif ++ + NEXT_PAGE(level3_ident_pgt) + .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE ++#ifdef CONFIG_XEN + .fill 511, 8, 0 ++#else ++ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE ++ .fill 510,8,0 ++#endif ++ ++NEXT_PAGE(level3_vmalloc_start_pgt) ++ .fill 512,8,0 ++ ++NEXT_PAGE(level3_vmalloc_end_pgt) ++ .fill 512,8,0 ++ ++NEXT_PAGE(level3_vmemmap_pgt) ++ .fill L3_VMEMMAP_START,8,0 ++ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE ++ + NEXT_PAGE(level2_ident_pgt) +- /* Since I easily can, map the first 1G. ++ /* Since I easily can, map the first 2G. + * Don't set NX because code runs from these pages. + */ +- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD) +-#endif ++ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD) + + NEXT_PAGE(level3_kernel_pgt) + .fill L3_START_KERNEL,8,0 +@@ -477,6 +532,9 @@ NEXT_PAGE(level3_kernel_pgt) + .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE + .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE + ++NEXT_PAGE(level2_vmemmap_pgt) ++ .fill 512,8,0 ++ + NEXT_PAGE(level2_kernel_pgt) + /* + * 512 MB kernel mapping. We spend a full page on this pagetable +@@ -494,28 +552,64 @@ NEXT_PAGE(level2_kernel_pgt) + NEXT_PAGE(level2_fixmap_pgt) + .fill 506,8,0 + .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE +- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */ +- .fill 5,8,0 ++ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE ++ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */ ++ .fill 4,8,0 + + NEXT_PAGE(level1_fixmap_pgt) + .fill 512,8,0 + ++NEXT_PAGE(level1_vsyscall_pgt) ++ .fill 512,8,0 ++ + #undef PMDS + +- .data ++ .align PAGE_SIZE ++ENTRY(cpu_gdt_table) ++ .rept NR_CPUS ++ .quad 0x0000000000000000 /* NULL descriptor */ ++ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */ ++ .quad 0x00af9b000000ffff /* __KERNEL_CS */ ++ .quad 0x00cf93000000ffff /* __KERNEL_DS */ ++ .quad 0x00cffb000000ffff /* __USER32_CS */ ++ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */ ++ .quad 0x00affb000000ffff /* __USER_CS */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */ ++#else ++ .quad 0x0 /* unused */ ++#endif ++ ++ .quad 0,0 /* TSS */ ++ .quad 0,0 /* LDT */ ++ .quad 0,0,0 /* three TLS descriptors */ ++ .quad 0x0000f40000000000 /* node/CPU stored in limit */ ++ /* asm/segment.h:GDT_ENTRIES must match this */ ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */ ++#else ++ .quad 0x0 /* unused */ ++#endif ++ ++ /* zero the remaining page */ ++ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0 ++ .endr ++ + .align 16 + .globl early_gdt_descr + early_gdt_descr: + .word GDT_ENTRIES*8-1 + early_gdt_descr_base: +- .quad INIT_PER_CPU_VAR(gdt_page) ++ .quad cpu_gdt_table + + ENTRY(phys_base) + /* This must match the first entry in level2_kernel_pgt */ + .quad 0x0000000000000000 + + #include "../../x86/xen/xen-head.S" +- +- __PAGE_ALIGNED_BSS ++ ++ .section .rodata,"a",@progbits + NEXT_PAGE(empty_zero_page) + .skip PAGE_SIZE +diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c +index 05fd74f..c3548b1 100644 +--- a/arch/x86/kernel/i386_ksyms_32.c ++++ b/arch/x86/kernel/i386_ksyms_32.c +@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void); + EXPORT_SYMBOL(cmpxchg8b_emu); + #endif + ++EXPORT_SYMBOL_GPL(cpu_gdt_table); ++ + /* Networking helper routines. */ + EXPORT_SYMBOL(csum_partial_copy_generic); ++EXPORT_SYMBOL(csum_partial_copy_generic_to_user); ++EXPORT_SYMBOL(csum_partial_copy_generic_from_user); + + EXPORT_SYMBOL(__get_user_1); + EXPORT_SYMBOL(__get_user_2); +@@ -44,3 +48,11 @@ EXPORT_SYMBOL(___preempt_schedule); + EXPORT_SYMBOL(___preempt_schedule_context); + #endif + #endif ++ ++#ifdef CONFIG_PAX_KERNEXEC ++EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR); ++#endif ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++EXPORT_SYMBOL(cpu_pgd); ++#endif +diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c +index d5dd808..b6432cf 100644 +--- a/arch/x86/kernel/i387.c ++++ b/arch/x86/kernel/i387.c +@@ -51,7 +51,7 @@ static inline bool interrupted_kernel_fpu_idle(void) + static inline bool interrupted_user_mode(void) + { + struct pt_regs *regs = get_irq_regs(); +- return regs && user_mode_vm(regs); ++ return regs && user_mode(regs); + } + + /* +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c +index 2e977b5..5f2c273 100644 +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -110,7 +110,7 @@ static int i8259A_irq_pending(unsigned int irq) + static void make_8259A_irq(unsigned int irq) + { + disable_irq_nosync(irq); +- io_apic_irqs &= ~(1< + #include + #include ++#include + #include + #include + #include +@@ -30,6 +31,12 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) + return -EINVAL; + if (turn_on && !capable(CAP_SYS_RAWIO)) + return -EPERM; ++#ifdef CONFIG_GRKERNSEC_IO ++ if (turn_on && grsec_disable_privio) { ++ gr_handle_ioperm(); ++ return -ENODEV; ++ } ++#endif + + /* + * If it's the first ioperm() call in this thread's lifetime, set the +@@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) + * because the ->io_bitmap_max value must match the bitmap + * contents: + */ +- tss = &per_cpu(init_tss, get_cpu()); ++ tss = init_tss + get_cpu(); + + if (turn_on) + bitmap_clear(t->io_bitmap_ptr, from, num); +@@ -105,6 +112,12 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) + if (level > old) { + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; ++#ifdef CONFIG_GRKERNSEC_IO ++ if (grsec_disable_privio) { ++ gr_handle_iopl(); ++ return -ENODEV; ++ } ++#endif + } + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); + t->iopl = level << 12; +diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c +index d99f31d..1c0f466 100644 +--- a/arch/x86/kernel/irq.c ++++ b/arch/x86/kernel/irq.c +@@ -21,7 +21,7 @@ + #define CREATE_TRACE_POINTS + #include + +-atomic_t irq_err_count; ++atomic_unchecked_t irq_err_count; + + /* Function pointer for generic interrupt vector handling */ + void (*x86_platform_ipi_callback)(void) = NULL; +@@ -125,9 +125,9 @@ int arch_show_interrupts(struct seq_file *p, int prec) + seq_printf(p, "%10u ", per_cpu(mce_poll_count, j)); + seq_printf(p, " Machine check polls\n"); + #endif +- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count)); ++ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count)); + #if defined(CONFIG_X86_IO_APIC) +- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count)); ++ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count)); + #endif + return 0; + } +@@ -167,7 +167,7 @@ u64 arch_irq_stat_cpu(unsigned int cpu) + + u64 arch_irq_stat(void) + { +- u64 sum = atomic_read(&irq_err_count); ++ u64 sum = atomic_read_unchecked(&irq_err_count); + return sum; + } + +diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c +index d7fcbed..1f747f7 100644 +--- a/arch/x86/kernel/irq_32.c ++++ b/arch/x86/kernel/irq_32.c +@@ -39,7 +39,7 @@ static int check_stack_overflow(void) + __asm__ __volatile__("andl %%esp,%0" : + "=r" (sp) : "0" (THREAD_SIZE - 1)); + +- return sp < (sizeof(struct thread_info) + STACK_WARN); ++ return sp < STACK_WARN; + } + + static void print_stack_overflow(void) +@@ -59,8 +59,8 @@ static inline void print_stack_overflow(void) { } + * per-CPU IRQ handling contexts (thread information and stack) + */ + union irq_ctx { +- struct thread_info tinfo; +- u32 stack[THREAD_SIZE/sizeof(u32)]; ++ unsigned long previous_esp; ++ u32 stack[THREAD_SIZE/sizeof(u32)]; + } __attribute__((aligned(THREAD_SIZE))); + + static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx); +@@ -80,10 +80,9 @@ static void call_on_stack(void *func, void *stack) + static inline int + execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) + { +- union irq_ctx *curctx, *irqctx; ++ union irq_ctx *irqctx; + u32 *isp, arg1, arg2; + +- curctx = (union irq_ctx *) current_thread_info(); + irqctx = __this_cpu_read(hardirq_ctx); + + /* +@@ -92,13 +91,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) + * handler) we can't do that and just have to keep using the + * current stack (which is the irq stack already after all) + */ +- if (unlikely(curctx == irqctx)) ++ if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE)) + return 0; + + /* build the stack frame on the IRQ stack */ +- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx)); +- irqctx->tinfo.task = curctx->tinfo.task; +- irqctx->tinfo.previous_esp = current_stack_pointer; ++ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8); ++ irqctx->previous_esp = current_stack_pointer; ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ __set_fs(MAKE_MM_SEG(0)); ++#endif + + if (unlikely(overflow)) + call_on_stack(print_stack_overflow, isp); +@@ -110,6 +112,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) + : "0" (irq), "1" (desc), "2" (isp), + "D" (desc->handle_irq) + : "memory", "cc", "ecx"); ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ __set_fs(current_thread_info()->addr_limit); ++#endif ++ + return 1; + } + +@@ -118,48 +125,34 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq) + */ + void irq_ctx_init(int cpu) + { +- union irq_ctx *irqctx; +- + if (per_cpu(hardirq_ctx, cpu)) + return; + +- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu), +- THREADINFO_GFP, +- THREAD_SIZE_ORDER)); +- memset(&irqctx->tinfo, 0, sizeof(struct thread_info)); +- irqctx->tinfo.cpu = cpu; +- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0); +- +- per_cpu(hardirq_ctx, cpu) = irqctx; +- +- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu), +- THREADINFO_GFP, +- THREAD_SIZE_ORDER)); +- memset(&irqctx->tinfo, 0, sizeof(struct thread_info)); +- irqctx->tinfo.cpu = cpu; +- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0); +- +- per_cpu(softirq_ctx, cpu) = irqctx; +- +- printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n", +- cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu)); ++ per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER)); ++ per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER)); + } + + void do_softirq_own_stack(void) + { +- struct thread_info *curctx; + union irq_ctx *irqctx; + u32 *isp; + +- curctx = current_thread_info(); + irqctx = __this_cpu_read(softirq_ctx); +- irqctx->tinfo.task = curctx->task; +- irqctx->tinfo.previous_esp = current_stack_pointer; ++ irqctx->previous_esp = current_stack_pointer; + + /* build the stack frame on the softirq stack */ +- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx)); ++ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8); ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ __set_fs(MAKE_MM_SEG(0)); ++#endif + + call_on_stack(__do_softirq, isp); ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ __set_fs(current_thread_info()->addr_limit); ++#endif ++ + } + + bool handle_irq(unsigned irq, struct pt_regs *regs) +@@ -173,7 +166,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs) + if (unlikely(!desc)) + return false; + +- if (user_mode_vm(regs) || !execute_on_irq_stack(overflow, desc, irq)) { ++ if (user_mode(regs) || !execute_on_irq_stack(overflow, desc, irq)) { + if (unlikely(overflow)) + print_stack_overflow(); + desc->handle_irq(irq, desc); +diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c +index 4d1c746..232961d 100644 +--- a/arch/x86/kernel/irq_64.c ++++ b/arch/x86/kernel/irq_64.c +@@ -44,7 +44,7 @@ static inline void stack_overflow_check(struct pt_regs *regs) + u64 estack_top, estack_bottom; + u64 curbase = (u64)task_stack_page(current); + +- if (user_mode_vm(regs)) ++ if (user_mode(regs)) + return; + + if (regs->sp >= curbase + sizeof(struct thread_info) + +diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c +index 26d5a55..a01160a 100644 +--- a/arch/x86/kernel/jump_label.c ++++ b/arch/x86/kernel/jump_label.c +@@ -51,7 +51,7 @@ static void __jump_label_transform(struct jump_entry *entry, + * Jump label is enabled for the first time. + * So we expect a default_nop... + */ +- if (unlikely(memcmp((void *)entry->code, default_nop, 5) ++ if (unlikely(memcmp((void *)ktla_ktva(entry->code), default_nop, 5) + != 0)) + bug_at((void *)entry->code, __LINE__); + } else { +@@ -59,7 +59,7 @@ static void __jump_label_transform(struct jump_entry *entry, + * ...otherwise expect an ideal_nop. Otherwise + * something went horribly wrong. + */ +- if (unlikely(memcmp((void *)entry->code, ideal_nop, 5) ++ if (unlikely(memcmp((void *)ktla_ktva(entry->code), ideal_nop, 5) + != 0)) + bug_at((void *)entry->code, __LINE__); + } +@@ -75,13 +75,13 @@ static void __jump_label_transform(struct jump_entry *entry, + * are converting the default nop to the ideal nop. + */ + if (init) { +- if (unlikely(memcmp((void *)entry->code, default_nop, 5) != 0)) ++ if (unlikely(memcmp((void *)ktla_ktva(entry->code), default_nop, 5) != 0)) + bug_at((void *)entry->code, __LINE__); + } else { + code.jump = 0xe9; + code.offset = entry->target - + (entry->code + JUMP_LABEL_NOP_SIZE); +- if (unlikely(memcmp((void *)entry->code, &code, 5) != 0)) ++ if (unlikely(memcmp((void *)ktla_ktva(entry->code), &code, 5) != 0)) + bug_at((void *)entry->code, __LINE__); + } + memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE); +diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c +index 7ec1d5f..5a7d130 100644 +--- a/arch/x86/kernel/kgdb.c ++++ b/arch/x86/kernel/kgdb.c +@@ -126,11 +126,11 @@ char *dbg_get_reg(int regno, void *mem, struct pt_regs *regs) + #ifdef CONFIG_X86_32 + switch (regno) { + case GDB_SS: +- if (!user_mode_vm(regs)) ++ if (!user_mode(regs)) + *(unsigned long *)mem = __KERNEL_DS; + break; + case GDB_SP: +- if (!user_mode_vm(regs)) ++ if (!user_mode(regs)) + *(unsigned long *)mem = kernel_stack_pointer(regs); + break; + case GDB_GS: +@@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void) + bp->attr.bp_addr = breakinfo[breakno].addr; + bp->attr.bp_len = breakinfo[breakno].len; + bp->attr.bp_type = breakinfo[breakno].type; +- info->address = breakinfo[breakno].addr; ++ if (breakinfo[breakno].type == X86_BREAKPOINT_EXECUTE) ++ info->address = ktla_ktva(breakinfo[breakno].addr); ++ else ++ info->address = breakinfo[breakno].addr; + info->len = breakinfo[breakno].len; + info->type = breakinfo[breakno].type; + val = arch_install_hw_breakpoint(bp); +@@ -475,12 +478,12 @@ int kgdb_arch_handle_exception(int e_vector, int signo, int err_code, + case 'k': + /* clear the trace bit */ + linux_regs->flags &= ~X86_EFLAGS_TF; +- atomic_set(&kgdb_cpu_doing_single_step, -1); ++ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1); + + /* set the trace bit if we're stepping */ + if (remcomInBuffer[0] == 's') { + linux_regs->flags |= X86_EFLAGS_TF; +- atomic_set(&kgdb_cpu_doing_single_step, ++ atomic_set_unchecked(&kgdb_cpu_doing_single_step, + raw_smp_processor_id()); + } + +@@ -545,7 +548,7 @@ static int __kgdb_notify(struct die_args *args, unsigned long cmd) + + switch (cmd) { + case DIE_DEBUG: +- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) { ++ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) { + if (user_mode(regs)) + return single_step_cont(regs, args); + break; +@@ -750,11 +753,11 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt) + #endif /* CONFIG_DEBUG_RODATA */ + + bpt->type = BP_BREAKPOINT; +- err = probe_kernel_read(bpt->saved_instr, (char *)bpt->bpt_addr, ++ err = probe_kernel_read(bpt->saved_instr, ktla_ktva((char *)bpt->bpt_addr), + BREAK_INSTR_SIZE); + if (err) + return err; +- err = probe_kernel_write((char *)bpt->bpt_addr, ++ err = probe_kernel_write(ktla_ktva((char *)bpt->bpt_addr), + arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE); + #ifdef CONFIG_DEBUG_RODATA + if (!err) +@@ -767,7 +770,7 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt) + return -EBUSY; + text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr, + BREAK_INSTR_SIZE); +- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE); ++ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE); + if (err) + return err; + if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE)) +@@ -792,13 +795,13 @@ int kgdb_arch_remove_breakpoint(struct kgdb_bkpt *bpt) + if (mutex_is_locked(&text_mutex)) + goto knl_write; + text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE); +- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE); ++ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE); + if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE)) + goto knl_write; + return err; + knl_write: + #endif /* CONFIG_DEBUG_RODATA */ +- return probe_kernel_write((char *)bpt->bpt_addr, ++ return probe_kernel_write(ktla_ktva((char *)bpt->bpt_addr), + (char *)bpt->saved_instr, BREAK_INSTR_SIZE); + } + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 79a3f96..6ba030a 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -119,9 +119,12 @@ static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op) + s32 raddr; + } __packed *insn; + +- insn = (struct __arch_relative_insn *)from; ++ insn = (struct __arch_relative_insn *)ktla_ktva(from); ++ ++ pax_open_kernel(); + insn->raddr = (s32)((long)(to) - ((long)(from) + 5)); + insn->op = op; ++ pax_close_kernel(); + } + + /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/ +@@ -164,7 +167,7 @@ int __kprobes can_boost(kprobe_opcode_t *opcodes) + kprobe_opcode_t opcode; + kprobe_opcode_t *orig_opcodes = opcodes; + +- if (search_exception_tables((unsigned long)opcodes)) ++ if (search_exception_tables(ktva_ktla((unsigned long)opcodes))) + return 0; /* Page fault may occur on this address. */ + + retry: +@@ -238,9 +241,9 @@ __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr) + * for the first byte, we can recover the original instruction + * from it and kp->opcode. + */ +- memcpy(buf, kp->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); ++ memcpy(buf, ktla_ktva(kp->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); + buf[0] = kp->opcode; +- return (unsigned long)buf; ++ return ktva_ktla((unsigned long)buf); + } + + /* +@@ -332,7 +335,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src) + /* Another subsystem puts a breakpoint, failed to recover */ + if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION) + return 0; ++ pax_open_kernel(); + memcpy(dest, insn.kaddr, insn.length); ++ pax_close_kernel(); + + #ifdef CONFIG_X86_64 + if (insn_rip_relative(&insn)) { +@@ -359,7 +364,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src) + return 0; + } + disp = (u8 *) dest + insn_offset_displacement(&insn); ++ pax_open_kernel(); + *(s32 *) disp = (s32) newdisp; ++ pax_close_kernel(); + } + #endif + return insn.length; +@@ -498,7 +505,7 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *k + * nor set current_kprobe, because it doesn't use single + * stepping. + */ +- regs->ip = (unsigned long)p->ainsn.insn; ++ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn); + preempt_enable_no_resched(); + return; + } +@@ -515,9 +522,9 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *k + regs->flags &= ~X86_EFLAGS_IF; + /* single step inline if the instruction is an int3 */ + if (p->opcode == BREAKPOINT_INSTRUCTION) +- regs->ip = (unsigned long)p->addr; ++ regs->ip = ktla_ktva((unsigned long)p->addr); + else +- regs->ip = (unsigned long)p->ainsn.insn; ++ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn); + } + + /* +@@ -596,7 +603,7 @@ static int __kprobes kprobe_handler(struct pt_regs *regs) + setup_singlestep(p, regs, kcb, 0); + return 1; + } +- } else if (*addr != BREAKPOINT_INSTRUCTION) { ++ } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) { + /* + * The breakpoint instruction was removed right + * after we hit it. Another cpu has removed +@@ -642,6 +649,9 @@ static void __used __kprobes kretprobe_trampoline_holder(void) + " movq %rax, 152(%rsp)\n" + RESTORE_REGS_STRING + " popfq\n" ++#ifdef KERNEXEC_PLUGIN ++ " btsq $63,(%rsp)\n" ++#endif + #else + " pushf\n" + SAVE_REGS_STRING +@@ -779,7 +789,7 @@ static void __kprobes + resume_execution(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) + { + unsigned long *tos = stack_addr(regs); +- unsigned long copy_ip = (unsigned long)p->ainsn.insn; ++ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn); + unsigned long orig_ip = (unsigned long)p->addr; + kprobe_opcode_t *insn = p->ainsn.insn; + +@@ -961,7 +971,7 @@ kprobe_exceptions_notify(struct notifier_block *self, unsigned long val, void *d + struct die_args *args = data; + int ret = NOTIFY_DONE; + +- if (args->regs && user_mode_vm(args->regs)) ++ if (args->regs && user_mode(args->regs)) + return ret; + + switch (val) { +diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c +index 898160b..758cde8 100644 +--- a/arch/x86/kernel/kprobes/opt.c ++++ b/arch/x86/kernel/kprobes/opt.c +@@ -79,6 +79,7 @@ found: + /* Insert a move instruction which sets a pointer to eax/rdi (1st arg). */ + static void __kprobes synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val) + { ++ pax_open_kernel(); + #ifdef CONFIG_X86_64 + *addr++ = 0x48; + *addr++ = 0xbf; +@@ -86,6 +87,7 @@ static void __kprobes synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long v + *addr++ = 0xb8; + #endif + *(unsigned long *)addr = val; ++ pax_close_kernel(); + } + + asm ( +@@ -335,7 +337,7 @@ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op) + * Verify if the address gap is in 2GB range, because this uses + * a relative jump. + */ +- rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE; ++ rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE; + if (abs(rel) > 0x7fffffff) + return -ERANGE; + +@@ -350,16 +352,18 @@ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op) + op->optinsn.size = ret; + + /* Copy arch-dep-instance from template */ +- memcpy(buf, &optprobe_template_entry, TMPL_END_IDX); ++ pax_open_kernel(); ++ memcpy(buf, ktla_ktva(&optprobe_template_entry), TMPL_END_IDX); ++ pax_close_kernel(); + + /* Set probe information */ + synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op); + + /* Set probe function call */ +- synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback); ++ synthesize_relcall(ktva_ktla(buf) + TMPL_CALL_IDX, optimized_callback); + + /* Set returning jmp instruction at the tail of out-of-line buffer */ +- synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size, ++ synthesize_reljump(ktva_ktla(buf) + TMPL_END_IDX + op->optinsn.size, + (u8 *)op->kp.addr + op->optinsn.size); + + flush_icache_range((unsigned long) buf, +@@ -384,7 +388,7 @@ void __kprobes arch_optimize_kprobes(struct list_head *oplist) + WARN_ON(kprobe_disabled(&op->kp)); + + /* Backup instructions which will be replaced by jump address */ +- memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE, ++ memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE, + RELATIVE_ADDR_SIZE); + + insn_buf[0] = RELATIVEJUMP_OPCODE; +@@ -433,7 +437,7 @@ setup_detour_execution(struct kprobe *p, struct pt_regs *regs, int reenter) + /* This kprobe is really able to run optimized path. */ + op = container_of(p, struct optimized_kprobe, kp); + /* Detour through copied instructions */ +- regs->ip = (unsigned long)op->optinsn.insn + TMPL_END_IDX; ++ regs->ip = ktva_ktla((unsigned long)op->optinsn.insn) + TMPL_END_IDX; + if (!reenter) + reset_current_kprobe(); + preempt_enable_no_resched(); +diff --git a/arch/x86/kernel/ksysfs.c b/arch/x86/kernel/ksysfs.c +index c2bedae..25e7ab6 100644 +--- a/arch/x86/kernel/ksysfs.c ++++ b/arch/x86/kernel/ksysfs.c +@@ -184,7 +184,7 @@ out: + + static struct kobj_attribute type_attr = __ATTR_RO(type); + +-static struct bin_attribute data_attr = { ++static bin_attribute_no_const data_attr __read_only = { + .attr = { + .name = "data", + .mode = S_IRUGO, +diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c +index ebc9873..37b8776 100644 +--- a/arch/x86/kernel/ldt.c ++++ b/arch/x86/kernel/ldt.c +@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload) + if (reload) { + #ifdef CONFIG_SMP + preempt_disable(); +- load_LDT(pc); ++ load_LDT_nolock(pc); + if (!cpumask_equal(mm_cpumask(current->mm), + cpumask_of(smp_processor_id()))) + smp_call_function(flush_ldt, current->mm, 1); + preempt_enable(); + #else +- load_LDT(pc); ++ load_LDT_nolock(pc); + #endif + } + if (oldsize) { +@@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t *new, mm_context_t *old) + return err; + + for (i = 0; i < old->size; i++) +- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE); ++ write_ldt_entry(new->ldt, i, old->ldt + i); + return 0; + } + +@@ -115,6 +115,24 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm) + retval = copy_ldt(&mm->context, &old_mm->context); + mutex_unlock(&old_mm->context.lock); + } ++ ++ if (tsk == current) { ++ mm->context.vdso = 0; ++ ++#ifdef CONFIG_X86_32 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) ++ mm->context.user_cs_base = 0UL; ++ mm->context.user_cs_limit = ~0UL; ++ ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP) ++ cpus_clear(mm->context.cpu_user_cs_mask); ++#endif ++ ++#endif ++#endif ++ ++ } ++ + return retval; + } + +@@ -229,6 +247,24 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) + } + } + ++#ifdef CONFIG_PAX_SEGMEXEC ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) { ++ error = -EINVAL; ++ goto out_unlock; ++ } ++#endif ++ ++ /* ++ * On x86-64 we do not support 16-bit segments due to ++ * IRET leaking the high bits of the kernel stack address. ++ */ ++#ifdef CONFIG_X86_64 ++ if (!ldt_info.seg_32bit) { ++ error = -EINVAL; ++ goto out_unlock; ++ } ++#endif ++ + fill_ldt(&ldt, &ldt_info); + if (oldmode) + ldt.avl = 0; +diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c +index 1667b1d..16492c5 100644 +--- a/arch/x86/kernel/machine_kexec_32.c ++++ b/arch/x86/kernel/machine_kexec_32.c +@@ -25,7 +25,7 @@ + #include + #include + +-static void set_idt(void *newidt, __u16 limit) ++static void set_idt(struct desc_struct *newidt, __u16 limit) + { + struct desc_ptr curidt; + +@@ -37,7 +37,7 @@ static void set_idt(void *newidt, __u16 limit) + } + + +-static void set_gdt(void *newgdt, __u16 limit) ++static void set_gdt(struct desc_struct *newgdt, __u16 limit) + { + struct desc_ptr curgdt; + +@@ -215,7 +215,7 @@ void machine_kexec(struct kimage *image) + } + + control_page = page_address(image->control_code_page); +- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE); ++ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE); + + relocate_kernel_ptr = control_page; + page_list[PA_CONTROL_PAGE] = __pa(control_page); +diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c +index 18be189..4a9fe40 100644 +--- a/arch/x86/kernel/module.c ++++ b/arch/x86/kernel/module.c +@@ -43,15 +43,60 @@ do { \ + } while (0) + #endif + +-void *module_alloc(unsigned long size) ++static inline void *__module_alloc(unsigned long size, pgprot_t prot) + { +- if (PAGE_ALIGN(size) > MODULES_LEN) ++ if (!size || PAGE_ALIGN(size) > MODULES_LEN) + return NULL; + return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END, +- GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC, ++ GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot, + NUMA_NO_NODE, __builtin_return_address(0)); + } + ++void *module_alloc(unsigned long size) ++{ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ return __module_alloc(size, PAGE_KERNEL); ++#else ++ return __module_alloc(size, PAGE_KERNEL_EXEC); ++#endif ++ ++} ++ ++#ifdef CONFIG_PAX_KERNEXEC ++#ifdef CONFIG_X86_32 ++void *module_alloc_exec(unsigned long size) ++{ ++ struct vm_struct *area; ++ ++ if (size == 0) ++ return NULL; ++ ++ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END); ++ return area ? area->addr : NULL; ++} ++EXPORT_SYMBOL(module_alloc_exec); ++ ++void module_free_exec(struct module *mod, void *module_region) ++{ ++ vunmap(module_region); ++} ++EXPORT_SYMBOL(module_free_exec); ++#else ++void module_free_exec(struct module *mod, void *module_region) ++{ ++ module_free(mod, module_region); ++} ++EXPORT_SYMBOL(module_free_exec); ++ ++void *module_alloc_exec(unsigned long size) ++{ ++ return __module_alloc(size, PAGE_KERNEL_RX); ++} ++EXPORT_SYMBOL(module_alloc_exec); ++#endif ++#endif ++ + #ifdef CONFIG_X86_32 + int apply_relocate(Elf32_Shdr *sechdrs, + const char *strtab, +@@ -62,14 +107,16 @@ int apply_relocate(Elf32_Shdr *sechdrs, + unsigned int i; + Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr; + Elf32_Sym *sym; +- uint32_t *location; ++ uint32_t *plocation, location; + + DEBUGP("Applying relocate section %u to %u\n", + relsec, sechdrs[relsec].sh_info); + for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) { + /* This is where to make the change */ +- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr +- + rel[i].r_offset; ++ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset; ++ location = (uint32_t)plocation; ++ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR) ++ plocation = ktla_ktva((void *)plocation); + /* This is the symbol it is referring to. Note that all + undefined symbols have been resolved. */ + sym = (Elf32_Sym *)sechdrs[symindex].sh_addr +@@ -78,11 +125,15 @@ int apply_relocate(Elf32_Shdr *sechdrs, + switch (ELF32_R_TYPE(rel[i].r_info)) { + case R_386_32: + /* We add the value into the location given */ +- *location += sym->st_value; ++ pax_open_kernel(); ++ *plocation += sym->st_value; ++ pax_close_kernel(); + break; + case R_386_PC32: + /* Add the value, subtract its position */ +- *location += sym->st_value - (uint32_t)location; ++ pax_open_kernel(); ++ *plocation += sym->st_value - location; ++ pax_close_kernel(); + break; + default: + pr_err("%s: Unknown relocation: %u\n", +@@ -127,21 +178,30 @@ int apply_relocate_add(Elf64_Shdr *sechdrs, + case R_X86_64_NONE: + break; + case R_X86_64_64: ++ pax_open_kernel(); + *(u64 *)loc = val; ++ pax_close_kernel(); + break; + case R_X86_64_32: ++ pax_open_kernel(); + *(u32 *)loc = val; ++ pax_close_kernel(); + if (val != *(u32 *)loc) + goto overflow; + break; + case R_X86_64_32S: ++ pax_open_kernel(); + *(s32 *)loc = val; ++ pax_close_kernel(); + if ((s64)val != *(s32 *)loc) + goto overflow; + break; + case R_X86_64_PC32: + val -= (u64)loc; ++ pax_open_kernel(); + *(u32 *)loc = val; ++ pax_close_kernel(); ++ + #if 0 + if ((s64)val != *(s32 *)loc) + goto overflow; +diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c +index 05266b5..3432443 100644 +--- a/arch/x86/kernel/msr.c ++++ b/arch/x86/kernel/msr.c +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -103,6 +104,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, + int err = 0; + ssize_t bytes = 0; + ++#ifdef CONFIG_GRKERNSEC_KMEM ++ gr_handle_msr_write(); ++ return -EPERM; ++#endif ++ + if (count % 8) + return -EINVAL; /* Invalid chunk size */ + +@@ -150,6 +156,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) + err = -EBADF; + break; + } ++#ifdef CONFIG_GRKERNSEC_KMEM ++ gr_handle_msr_write(); ++ return -EPERM; ++#endif + if (copy_from_user(®s, uregs, sizeof regs)) { + err = -EFAULT; + break; +@@ -233,7 +243,7 @@ static int msr_class_cpu_callback(struct notifier_block *nfb, + return notifier_from_errno(err); + } + +-static struct notifier_block __refdata msr_class_cpu_notifier = { ++static struct notifier_block msr_class_cpu_notifier = { + .notifier_call = msr_class_cpu_callback, + }; + +diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c +index 6fcb49c..5b3f4ff 100644 +--- a/arch/x86/kernel/nmi.c ++++ b/arch/x86/kernel/nmi.c +@@ -138,7 +138,7 @@ static int __kprobes nmi_handle(unsigned int type, struct pt_regs *regs, bool b2 + return handled; + } + +-int __register_nmi_handler(unsigned int type, struct nmiaction *action) ++int __register_nmi_handler(unsigned int type, const struct nmiaction *action) + { + struct nmi_desc *desc = nmi_to_desc(type); + unsigned long flags; +@@ -162,9 +162,9 @@ int __register_nmi_handler(unsigned int type, struct nmiaction *action) + * event confuses some handlers (kdump uses this flag) + */ + if (action->flags & NMI_FLAG_FIRST) +- list_add_rcu(&action->list, &desc->head); ++ pax_list_add_rcu((struct list_head *)&action->list, &desc->head); + else +- list_add_tail_rcu(&action->list, &desc->head); ++ pax_list_add_tail_rcu((struct list_head *)&action->list, &desc->head); + + spin_unlock_irqrestore(&desc->lock, flags); + return 0; +@@ -187,7 +187,7 @@ void unregister_nmi_handler(unsigned int type, const char *name) + if (!strcmp(n->name, name)) { + WARN(in_nmi(), + "Trying to free NMI (%s) from NMI context!\n", n->name); +- list_del_rcu(&n->list); ++ pax_list_del_rcu((struct list_head *)&n->list); + break; + } + } +@@ -512,6 +512,17 @@ static inline void nmi_nesting_postprocess(void) + dotraplinkage notrace __kprobes void + do_nmi(struct pt_regs *regs, long error_code) + { ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ if (!user_mode(regs)) { ++ unsigned long cs = regs->cs & 0xFFFF; ++ unsigned long ip = ktva_ktla(regs->ip); ++ ++ if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext) ++ regs->ip = ip; ++ } ++#endif ++ + nmi_nesting_preprocess(regs); + + nmi_enter(); +diff --git a/arch/x86/kernel/nmi_selftest.c b/arch/x86/kernel/nmi_selftest.c +index 6d9582e..f746287 100644 +--- a/arch/x86/kernel/nmi_selftest.c ++++ b/arch/x86/kernel/nmi_selftest.c +@@ -43,7 +43,7 @@ static void __init init_nmi_testsuite(void) + { + /* trap all the unknown NMIs we may generate */ + register_nmi_handler(NMI_UNKNOWN, nmi_unk_cb, 0, "nmi_selftest_unk", +- __initdata); ++ __initconst); + } + + static void __init cleanup_nmi_testsuite(void) +@@ -66,7 +66,7 @@ static void __init test_nmi_ipi(struct cpumask *mask) + unsigned long timeout; + + if (register_nmi_handler(NMI_LOCAL, test_nmi_ipi_callback, +- NMI_FLAG_FIRST, "nmi_selftest", __initdata)) { ++ NMI_FLAG_FIRST, "nmi_selftest", __initconst)) { + nmi_fail = FAILURE; + return; + } +diff --git a/arch/x86/kernel/paravirt-spinlocks.c b/arch/x86/kernel/paravirt-spinlocks.c +index bbb6c73..24a58ef 100644 +--- a/arch/x86/kernel/paravirt-spinlocks.c ++++ b/arch/x86/kernel/paravirt-spinlocks.c +@@ -8,7 +8,7 @@ + + #include + +-struct pv_lock_ops pv_lock_ops = { ++struct pv_lock_ops pv_lock_ops __read_only = { + #ifdef CONFIG_SMP + .lock_spinning = __PV_IS_CALLEE_SAVE(paravirt_nop), + .unlock_kick = paravirt_nop, +diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c +index 1b10af8..0b58cbc 100644 +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -55,6 +55,9 @@ u64 _paravirt_ident_64(u64 x) + { + return x; + } ++#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) ++PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64); ++#endif + + void __init default_banner(void) + { +@@ -142,15 +145,19 @@ unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf, + if (opfunc == NULL) + /* If there's no function, patch it with a ud2a (BUG) */ + ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a)); +- else if (opfunc == _paravirt_nop) ++ else if (opfunc == (void *)_paravirt_nop) + /* If the operation is a nop, then nop the callsite */ + ret = paravirt_patch_nop(); + + /* identity functions just return their single argument */ +- else if (opfunc == _paravirt_ident_32) ++ else if (opfunc == (void *)_paravirt_ident_32) + ret = paravirt_patch_ident_32(insnbuf, len); +- else if (opfunc == _paravirt_ident_64) ++ else if (opfunc == (void *)_paravirt_ident_64) + ret = paravirt_patch_ident_64(insnbuf, len); ++#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) ++ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64) ++ ret = paravirt_patch_ident_64(insnbuf, len); ++#endif + + else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) || + type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) || +@@ -175,7 +182,7 @@ unsigned paravirt_patch_insns(void *insnbuf, unsigned len, + if (insn_len > len || start == NULL) + insn_len = len; + else +- memcpy(insnbuf, start, insn_len); ++ memcpy(insnbuf, ktla_ktva(start), insn_len); + + return insn_len; + } +@@ -299,7 +306,7 @@ enum paravirt_lazy_mode paravirt_get_lazy_mode(void) + return this_cpu_read(paravirt_lazy_mode); + } + +-struct pv_info pv_info = { ++struct pv_info pv_info __read_only = { + .name = "bare hardware", + .paravirt_enabled = 0, + .kernel_rpl = 0, +@@ -310,16 +317,16 @@ struct pv_info pv_info = { + #endif + }; + +-struct pv_init_ops pv_init_ops = { ++struct pv_init_ops pv_init_ops __read_only = { + .patch = native_patch, + }; + +-struct pv_time_ops pv_time_ops = { ++struct pv_time_ops pv_time_ops __read_only = { + .sched_clock = native_sched_clock, + .steal_clock = native_steal_clock, + }; + +-__visible struct pv_irq_ops pv_irq_ops = { ++__visible struct pv_irq_ops pv_irq_ops __read_only = { + .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl), + .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl), + .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable), +@@ -331,7 +338,7 @@ __visible struct pv_irq_ops pv_irq_ops = { + #endif + }; + +-__visible struct pv_cpu_ops pv_cpu_ops = { ++__visible struct pv_cpu_ops pv_cpu_ops __read_only = { + .cpuid = native_cpuid, + .get_debugreg = native_get_debugreg, + .set_debugreg = native_set_debugreg, +@@ -389,21 +396,26 @@ __visible struct pv_cpu_ops pv_cpu_ops = { + .end_context_switch = paravirt_nop, + }; + +-struct pv_apic_ops pv_apic_ops = { ++struct pv_apic_ops pv_apic_ops __read_only= { + #ifdef CONFIG_X86_LOCAL_APIC + .startup_ipi_hook = paravirt_nop, + #endif + }; + +-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE) ++#ifdef CONFIG_X86_32 ++#ifdef CONFIG_X86_PAE ++/* 64-bit pagetable entries */ ++#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64) ++#else + /* 32-bit pagetable entries */ + #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32) ++#endif + #else + /* 64-bit pagetable entries */ + #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64) + #endif + +-struct pv_mmu_ops pv_mmu_ops = { ++struct pv_mmu_ops pv_mmu_ops __read_only = { + + .read_cr2 = native_read_cr2, + .write_cr2 = native_write_cr2, +@@ -453,6 +465,7 @@ struct pv_mmu_ops pv_mmu_ops = { + .make_pud = PTE_IDENT, + + .set_pgd = native_set_pgd, ++ .set_pgd_batched = native_set_pgd_batched, + #endif + #endif /* PAGETABLE_LEVELS >= 3 */ + +@@ -473,6 +486,12 @@ struct pv_mmu_ops pv_mmu_ops = { + }, + + .set_fixmap = native_set_fixmap, ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ .pax_open_kernel = native_pax_open_kernel, ++ .pax_close_kernel = native_pax_close_kernel, ++#endif ++ + }; + + EXPORT_SYMBOL_GPL(pv_time_ops); +diff --git a/arch/x86/kernel/pci-calgary_64.c b/arch/x86/kernel/pci-calgary_64.c +index 299d493..2ccb0ee 100644 +--- a/arch/x86/kernel/pci-calgary_64.c ++++ b/arch/x86/kernel/pci-calgary_64.c +@@ -1339,7 +1339,7 @@ static void __init get_tce_space_from_tar(void) + tce_space = be64_to_cpu(readq(target)); + tce_space = tce_space & TAR_SW_BITS; + +- tce_space = tce_space & (~specified_table_size); ++ tce_space = tce_space & (~(unsigned long)specified_table_size); + info->tce_space = (u64 *)__va(tce_space); + } + } +diff --git a/arch/x86/kernel/pci-iommu_table.c b/arch/x86/kernel/pci-iommu_table.c +index 35ccf75..7a15747 100644 +--- a/arch/x86/kernel/pci-iommu_table.c ++++ b/arch/x86/kernel/pci-iommu_table.c +@@ -2,7 +2,7 @@ + #include + #include + #include +- ++#include + + #define DEBUG 1 + +diff --git a/arch/x86/kernel/pci-swiotlb.c b/arch/x86/kernel/pci-swiotlb.c +index 6c483ba..d10ce2f 100644 +--- a/arch/x86/kernel/pci-swiotlb.c ++++ b/arch/x86/kernel/pci-swiotlb.c +@@ -32,7 +32,7 @@ static void x86_swiotlb_free_coherent(struct device *dev, size_t size, + void *vaddr, dma_addr_t dma_addr, + struct dma_attrs *attrs) + { +- swiotlb_free_coherent(dev, size, vaddr, dma_addr); ++ swiotlb_free_coherent(dev, size, vaddr, dma_addr, attrs); + } + + static struct dma_map_ops swiotlb_dma_ops = { +diff --git a/arch/x86/kernel/preempt.S b/arch/x86/kernel/preempt.S +index ca7f0d5..8996469 100644 +--- a/arch/x86/kernel/preempt.S ++++ b/arch/x86/kernel/preempt.S +@@ -3,12 +3,14 @@ + #include + #include + #include ++#include + + ENTRY(___preempt_schedule) + CFI_STARTPROC + SAVE_ALL + call preempt_schedule + RESTORE_ALL ++ pax_force_retaddr + ret + CFI_ENDPROC + +@@ -19,6 +21,7 @@ ENTRY(___preempt_schedule_context) + SAVE_ALL + call preempt_schedule_context + RESTORE_ALL ++ pax_force_retaddr + ret + CFI_ENDPROC + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 3fb8d95..254dc51 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -36,7 +36,8 @@ + * section. Since TSS's are completely CPU-local, we want them + * on exact cacheline boundaries, to eliminate cacheline ping-pong. + */ +-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS; ++struct tss_struct init_tss[NR_CPUS] __visible ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS }; ++EXPORT_SYMBOL(init_tss); + + #ifdef CONFIG_X86_64 + static DEFINE_PER_CPU(unsigned char, is_idle); +@@ -92,7 +93,7 @@ void arch_task_cache_init(void) + task_xstate_cachep = + kmem_cache_create("task_xstate", xstate_size, + __alignof__(union thread_xstate), +- SLAB_PANIC | SLAB_NOTRACK, NULL); ++ SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL); + } + + /* +@@ -105,7 +106,7 @@ void exit_thread(void) + unsigned long *bp = t->io_bitmap_ptr; + + if (bp) { +- struct tss_struct *tss = &per_cpu(init_tss, get_cpu()); ++ struct tss_struct *tss = init_tss + get_cpu(); + + t->io_bitmap_ptr = NULL; + clear_thread_flag(TIF_IO_BITMAP); +@@ -125,6 +126,9 @@ void flush_thread(void) + { + struct task_struct *tsk = current; + ++#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF) ++ loadsegment(gs, 0); ++#endif + flush_ptrace_hw_breakpoint(tsk); + memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array)); + drop_init_fpu(tsk); +@@ -271,7 +275,7 @@ static void __exit_idle(void) + void exit_idle(void) + { + /* idle loop has pid 0 */ +- if (current->pid) ++ if (task_pid_nr(current)) + return; + __exit_idle(); + } +@@ -327,7 +331,7 @@ bool xen_set_default_idle(void) + return ret; + } + #endif +-void stop_this_cpu(void *dummy) ++__noreturn void stop_this_cpu(void *dummy) + { + local_irq_disable(); + /* +@@ -456,16 +460,37 @@ static int __init idle_setup(char *str) + } + early_param("idle", idle_setup); + +-unsigned long arch_align_stack(unsigned long sp) ++#ifdef CONFIG_PAX_RANDKSTACK ++void pax_randomize_kstack(struct pt_regs *regs) + { +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) +- sp -= get_random_int() % 8192; +- return sp & ~0xf; +-} ++ struct thread_struct *thread = ¤t->thread; ++ unsigned long time; + +-unsigned long arch_randomize_brk(struct mm_struct *mm) +-{ +- unsigned long range_end = mm->brk + 0x02000000; +- return randomize_range(mm->brk, range_end, 0) ? : mm->brk; +-} ++ if (!randomize_va_space) ++ return; ++ ++ if (v8086_mode(regs)) ++ return; + ++ rdtscl(time); ++ ++ /* P4 seems to return a 0 LSB, ignore it */ ++#ifdef CONFIG_MPENTIUM4 ++ time &= 0x3EUL; ++ time <<= 2; ++#elif defined(CONFIG_X86_64) ++ time &= 0xFUL; ++ time <<= 4; ++#else ++ time &= 0x1FUL; ++ time <<= 3; ++#endif ++ ++ thread->sp0 ^= time; ++ load_sp0(init_tss + smp_processor_id(), thread); ++ ++#ifdef CONFIG_X86_64 ++ this_cpu_write(kernel_stack, thread->sp0); ++#endif ++} ++#endif +diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c +index 0de43e9..056b840 100644 +--- a/arch/x86/kernel/process_32.c ++++ b/arch/x86/kernel/process_32.c +@@ -64,6 +64,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread"); + unsigned long thread_saved_pc(struct task_struct *tsk) + { + return ((unsigned long *)tsk->thread.sp)[3]; ++//XXX return tsk->thread.eip; + } + + void __show_regs(struct pt_regs *regs, int all) +@@ -73,19 +74,18 @@ void __show_regs(struct pt_regs *regs, int all) + unsigned long sp; + unsigned short ss, gs; + +- if (user_mode_vm(regs)) { ++ if (user_mode(regs)) { + sp = regs->sp; + ss = regs->ss & 0xffff; +- gs = get_user_gs(regs); + } else { + sp = kernel_stack_pointer(regs); + savesegment(ss, ss); +- savesegment(gs, gs); + } ++ gs = get_user_gs(regs); + + printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n", + (u16)regs->cs, regs->ip, regs->flags, +- smp_processor_id()); ++ raw_smp_processor_id()); + print_symbol("EIP is at %s\n", regs->ip); + + printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n", +@@ -132,20 +132,21 @@ void release_thread(struct task_struct *dead_task) + int copy_thread(unsigned long clone_flags, unsigned long sp, + unsigned long arg, struct task_struct *p) + { +- struct pt_regs *childregs = task_pt_regs(p); ++ struct pt_regs *childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8; + struct task_struct *tsk; + int err; + + p->thread.sp = (unsigned long) childregs; + p->thread.sp0 = (unsigned long) (childregs+1); ++ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p); + + if (unlikely(p->flags & PF_KTHREAD)) { + /* kernel thread */ + memset(childregs, 0, sizeof(struct pt_regs)); + p->thread.ip = (unsigned long) ret_from_kernel_thread; +- task_user_gs(p) = __KERNEL_STACK_CANARY; +- childregs->ds = __USER_DS; +- childregs->es = __USER_DS; ++ savesegment(gs, childregs->gs); ++ childregs->ds = __KERNEL_DS; ++ childregs->es = __KERNEL_DS; + childregs->fs = __KERNEL_PERCPU; + childregs->bx = sp; /* function */ + childregs->bp = arg; +@@ -252,7 +253,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + struct thread_struct *prev = &prev_p->thread, + *next = &next_p->thread; + int cpu = smp_processor_id(); +- struct tss_struct *tss = &per_cpu(init_tss, cpu); ++ struct tss_struct *tss = init_tss + cpu; + fpu_switch_t fpu; + + /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */ +@@ -276,6 +277,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + */ + lazy_save_gs(prev->gs); + ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ __set_fs(task_thread_info(next_p)->addr_limit); ++#endif ++ + /* + * Load the per-thread Thread-Local Storage descriptor. + */ +@@ -314,6 +319,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + */ + arch_end_context_switch(next_p); + ++ this_cpu_write(current_task, next_p); ++ this_cpu_write(current_tinfo, &next_p->tinfo); ++ + /* + * Restore %gs if needed (which is common) + */ +@@ -322,8 +330,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + + switch_fpu_finish(next_p, fpu); + +- this_cpu_write(current_task, next_p); +- + return prev_p; + } + +@@ -353,4 +359,3 @@ unsigned long get_wchan(struct task_struct *p) + } while (count++ < 16); + return 0; + } +- +diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c +index 9c0280f..5bbb1c0 100644 +--- a/arch/x86/kernel/process_64.c ++++ b/arch/x86/kernel/process_64.c +@@ -158,10 +158,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, + struct pt_regs *childregs; + struct task_struct *me = current; + +- p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE; ++ p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE - 16; + childregs = task_pt_regs(p); + p->thread.sp = (unsigned long) childregs; + p->thread.usersp = me->thread.usersp; ++ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p); + set_tsk_thread_flag(p, TIF_FORK); + p->thread.fpu_counter = 0; + p->thread.io_bitmap_ptr = NULL; +@@ -172,6 +173,8 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, + p->thread.fs = p->thread.fsindex ? 0 : me->thread.fs; + savesegment(es, p->thread.es); + savesegment(ds, p->thread.ds); ++ savesegment(ss, p->thread.ss); ++ BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS); + memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps)); + + if (unlikely(p->flags & PF_KTHREAD)) { +@@ -280,7 +283,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + struct thread_struct *prev = &prev_p->thread; + struct thread_struct *next = &next_p->thread; + int cpu = smp_processor_id(); +- struct tss_struct *tss = &per_cpu(init_tss, cpu); ++ struct tss_struct *tss = init_tss + cpu; + unsigned fsindex, gsindex; + fpu_switch_t fpu; + +@@ -303,6 +306,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + if (unlikely(next->ds | prev->ds)) + loadsegment(ds, next->ds); + ++ savesegment(ss, prev->ss); ++ if (unlikely(next->ss != prev->ss)) ++ loadsegment(ss, next->ss); + + /* We must save %fs and %gs before load_TLS() because + * %fs and %gs may be cleared by load_TLS(). +@@ -362,6 +368,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + prev->usersp = this_cpu_read(old_rsp); + this_cpu_write(old_rsp, next->usersp); + this_cpu_write(current_task, next_p); ++ this_cpu_write(current_tinfo, &next_p->tinfo); + + /* + * If it were not for PREEMPT_ACTIVE we could guarantee that the +@@ -371,9 +378,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) + task_thread_info(prev_p)->saved_preempt_count = this_cpu_read(__preempt_count); + this_cpu_write(__preempt_count, task_thread_info(next_p)->saved_preempt_count); + +- this_cpu_write(kernel_stack, +- (unsigned long)task_stack_page(next_p) + +- THREAD_SIZE - KERNEL_STACK_OFFSET); ++ this_cpu_write(kernel_stack, next->sp0); + + /* + * Now maybe reload the debug registers and handle I/O bitmaps +@@ -442,12 +447,11 @@ unsigned long get_wchan(struct task_struct *p) + if (!p || p == current || p->state == TASK_RUNNING) + return 0; + stack = (unsigned long)task_stack_page(p); +- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE) ++ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64)) + return 0; + fp = *(u64 *)(p->thread.sp); + do { +- if (fp < (unsigned long)stack || +- fp >= (unsigned long)stack+THREAD_SIZE) ++ if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64)) + return 0; + ip = *(u64 *)(fp+8); + if (!in_sched_functions(ip)) +diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c +index 7461f50..1334029 100644 +--- a/arch/x86/kernel/ptrace.c ++++ b/arch/x86/kernel/ptrace.c +@@ -184,14 +184,13 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs) + { + unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1); + unsigned long sp = (unsigned long)®s->sp; +- struct thread_info *tinfo; + +- if (context == (sp & ~(THREAD_SIZE - 1))) ++ if (context == ((sp + 8) & ~(THREAD_SIZE - 1))) + return sp; + +- tinfo = (struct thread_info *)context; +- if (tinfo->previous_esp) +- return tinfo->previous_esp; ++ sp = *(unsigned long *)context; ++ if (sp) ++ return sp; + + return (unsigned long)regs; + } +@@ -588,7 +587,7 @@ static void ptrace_triggered(struct perf_event *bp, + static unsigned long ptrace_get_dr7(struct perf_event *bp[]) + { + int i; +- int dr7 = 0; ++ unsigned long dr7 = 0; + struct arch_hw_breakpoint *info; + + for (i = 0; i < HBP_NUM; i++) { +@@ -822,7 +821,7 @@ long arch_ptrace(struct task_struct *child, long request, + unsigned long addr, unsigned long data) + { + int ret; +- unsigned long __user *datap = (unsigned long __user *)data; ++ unsigned long __user *datap = (__force unsigned long __user *)data; + + switch (request) { + /* read the word at location addr in the USER area. */ +@@ -907,14 +906,14 @@ long arch_ptrace(struct task_struct *child, long request, + if ((int) addr < 0) + return -EIO; + ret = do_get_thread_area(child, addr, +- (struct user_desc __user *)data); ++ (__force struct user_desc __user *) data); + break; + + case PTRACE_SET_THREAD_AREA: + if ((int) addr < 0) + return -EIO; + ret = do_set_thread_area(child, addr, +- (struct user_desc __user *)data, 0); ++ (__force struct user_desc __user *) data, 0); + break; + #endif + +@@ -1292,7 +1291,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, + + #ifdef CONFIG_X86_64 + +-static struct user_regset x86_64_regsets[] __read_mostly = { ++static user_regset_no_const x86_64_regsets[] __read_only = { + [REGSET_GENERAL] = { + .core_note_type = NT_PRSTATUS, + .n = sizeof(struct user_regs_struct) / sizeof(long), +@@ -1333,7 +1332,7 @@ static const struct user_regset_view user_x86_64_view = { + #endif /* CONFIG_X86_64 */ + + #if defined CONFIG_X86_32 || defined CONFIG_IA32_EMULATION +-static struct user_regset x86_32_regsets[] __read_mostly = { ++static user_regset_no_const x86_32_regsets[] __read_only = { + [REGSET_GENERAL] = { + .core_note_type = NT_PRSTATUS, + .n = sizeof(struct user_regs_struct32) / sizeof(u32), +@@ -1386,7 +1385,7 @@ static const struct user_regset_view user_x86_32_view = { + */ + u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS]; + +-void update_regset_xstate_info(unsigned int size, u64 xstate_mask) ++void __init update_regset_xstate_info(unsigned int size, u64 xstate_mask) + { + #ifdef CONFIG_X86_64 + x86_64_regsets[REGSET_XSTATE].n = size / sizeof(u64); +@@ -1421,7 +1420,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, + memset(info, 0, sizeof(*info)); + info->si_signo = SIGTRAP; + info->si_code = si_code; +- info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL; ++ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL; + } + + void user_single_step_siginfo(struct task_struct *tsk, +@@ -1450,6 +1449,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, + # define IS_IA32 0 + #endif + ++#ifdef CONFIG_GRKERNSEC_SETXID ++extern void gr_delayed_cred_worker(void); ++#endif ++ + /* + * We must return the syscall number to actually look up in the table. + * This can be -1L to skip running any syscall at all. +@@ -1460,6 +1463,11 @@ long syscall_trace_enter(struct pt_regs *regs) + + user_exit(); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + /* + * If we stepped into a sysenter/syscall insn, it trapped in + * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. +@@ -1515,6 +1523,11 @@ void syscall_trace_leave(struct pt_regs *regs) + */ + user_exit(); + ++#ifdef CONFIG_GRKERNSEC_SETXID ++ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) ++ gr_delayed_cred_worker(); ++#endif ++ + audit_syscall_exit(regs); + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) +diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c +index 2f355d2..e75ed0a 100644 +--- a/arch/x86/kernel/pvclock.c ++++ b/arch/x86/kernel/pvclock.c +@@ -51,11 +51,11 @@ void pvclock_touch_watchdogs(void) + reset_hung_task_detector(); + } + +-static atomic64_t last_value = ATOMIC64_INIT(0); ++static atomic64_unchecked_t last_value = ATOMIC64_INIT(0); + + void pvclock_resume(void) + { +- atomic64_set(&last_value, 0); ++ atomic64_set_unchecked(&last_value, 0); + } + + u8 pvclock_read_flags(struct pvclock_vcpu_time_info *src) +@@ -105,11 +105,11 @@ cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src) + * updating at the same time, and one of them could be slightly behind, + * making the assumption that last_value always go forward fail to hold. + */ +- last = atomic64_read(&last_value); ++ last = atomic64_read_unchecked(&last_value); + do { + if (ret < last) + return last; +- last = atomic64_cmpxchg(&last_value, last, ret); ++ last = atomic64_cmpxchg_unchecked(&last_value, last, ret); + } while (unlikely(last != ret)); + + return ret; +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index c752cb4..866c432 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -68,6 +68,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d) + + void __noreturn machine_real_restart(unsigned int type) + { ++ ++#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)) ++ struct desc_struct *gdt; ++#endif ++ + local_irq_disable(); + + /* +@@ -95,7 +100,29 @@ void __noreturn machine_real_restart(unsigned int type) + + /* Jump to the identity-mapped low memory code */ + #ifdef CONFIG_X86_32 +- asm volatile("jmpl *%0" : : ++ ++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ gdt = get_cpu_gdt_table(smp_processor_id()); ++ pax_open_kernel(); ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ gdt[GDT_ENTRY_KERNEL_DS].type = 3; ++ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf; ++ loadsegment(ds, __KERNEL_DS); ++ loadsegment(es, __KERNEL_DS); ++ loadsegment(ss, __KERNEL_DS); ++#endif ++#ifdef CONFIG_PAX_KERNEXEC ++ gdt[GDT_ENTRY_KERNEL_CS].base0 = 0; ++ gdt[GDT_ENTRY_KERNEL_CS].base1 = 0; ++ gdt[GDT_ENTRY_KERNEL_CS].base2 = 0; ++ gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff; ++ gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf; ++ gdt[GDT_ENTRY_KERNEL_CS].g = 1; ++#endif ++ pax_close_kernel(); ++#endif ++ ++ asm volatile("ljmpl *%0" : : + "rm" (real_mode_header->machine_real_restart_asm), + "a" (type)); + #else +@@ -470,7 +497,7 @@ void __attribute__((weak)) mach_reboot_fixups(void) + * try to force a triple fault and then cycle between hitting the keyboard + * controller and doing that + */ +-static void native_machine_emergency_restart(void) ++static void __noreturn native_machine_emergency_restart(void) + { + int i; + int attempt = 0; +@@ -593,13 +620,13 @@ void native_machine_shutdown(void) + #endif + } + +-static void __machine_emergency_restart(int emergency) ++static void __noreturn __machine_emergency_restart(int emergency) + { + reboot_emergency = emergency; + machine_ops.emergency_restart(); + } + +-static void native_machine_restart(char *__unused) ++static void __noreturn native_machine_restart(char *__unused) + { + pr_notice("machine restart\n"); + +@@ -608,7 +635,7 @@ static void native_machine_restart(char *__unused) + __machine_emergency_restart(0); + } + +-static void native_machine_halt(void) ++static void __noreturn native_machine_halt(void) + { + /* Stop other cpus and apics */ + machine_shutdown(); +@@ -618,7 +645,7 @@ static void native_machine_halt(void) + stop_this_cpu(NULL); + } + +-static void native_machine_power_off(void) ++static void __noreturn native_machine_power_off(void) + { + if (pm_power_off) { + if (!reboot_force) +@@ -627,9 +654,10 @@ static void native_machine_power_off(void) + } + /* A fallback in case there is no PM info available */ + tboot_shutdown(TB_SHUTDOWN_HALT); ++ unreachable(); + } + +-struct machine_ops machine_ops = { ++struct machine_ops machine_ops __read_only = { + .power_off = native_machine_power_off, + .shutdown = native_machine_shutdown, + .emergency_restart = native_machine_emergency_restart, +diff --git a/arch/x86/kernel/reboot_fixups_32.c b/arch/x86/kernel/reboot_fixups_32.c +index c8e41e9..64049ef 100644 +--- a/arch/x86/kernel/reboot_fixups_32.c ++++ b/arch/x86/kernel/reboot_fixups_32.c +@@ -57,7 +57,7 @@ struct device_fixup { + unsigned int vendor; + unsigned int device; + void (*reboot_fixup)(struct pci_dev *); +-}; ++} __do_const; + + /* + * PCI ids solely used for fixups_table go here +diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S +index 3fd2c69..a444264 100644 +--- a/arch/x86/kernel/relocate_kernel_64.S ++++ b/arch/x86/kernel/relocate_kernel_64.S +@@ -96,8 +96,7 @@ relocate_kernel: + + /* jump to identity mapped page */ + addq $(identity_mapped - relocate_kernel), %r8 +- pushq %r8 +- ret ++ jmp *%r8 + + identity_mapped: + /* set return address to 0 if not preserving context */ +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index ce72964..be8aea7 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -110,6 +110,7 @@ + #include + #include + #include ++#include + + /* + * max_low_pfn_mapped: highest direct mapped pfn under 4GB +@@ -205,12 +206,50 @@ EXPORT_SYMBOL(boot_cpu_data); + #endif + + +-#if !defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64) +-__visible unsigned long mmu_cr4_features; ++#ifdef CONFIG_X86_64 ++__visible unsigned long mmu_cr4_features __read_only = X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE; ++#elif defined(CONFIG_X86_PAE) ++__visible unsigned long mmu_cr4_features __read_only = X86_CR4_PAE; + #else +-__visible unsigned long mmu_cr4_features = X86_CR4_PAE; ++__visible unsigned long mmu_cr4_features __read_only; + #endif + ++void set_in_cr4(unsigned long mask) ++{ ++ unsigned long cr4 = read_cr4(); ++ ++ if ((cr4 & mask) == mask && cr4 == mmu_cr4_features) ++ return; ++ ++ pax_open_kernel(); ++ mmu_cr4_features |= mask; ++ pax_close_kernel(); ++ ++ if (trampoline_cr4_features) ++ *trampoline_cr4_features = mmu_cr4_features; ++ cr4 |= mask; ++ write_cr4(cr4); ++} ++EXPORT_SYMBOL(set_in_cr4); ++ ++void clear_in_cr4(unsigned long mask) ++{ ++ unsigned long cr4 = read_cr4(); ++ ++ if (!(cr4 & mask) && cr4 == mmu_cr4_features) ++ return; ++ ++ pax_open_kernel(); ++ mmu_cr4_features &= ~mask; ++ pax_close_kernel(); ++ ++ if (trampoline_cr4_features) ++ *trampoline_cr4_features = mmu_cr4_features; ++ cr4 &= ~mask; ++ write_cr4(cr4); ++} ++EXPORT_SYMBOL(clear_in_cr4); ++ + /* Boot loader ID and version as integers, for the benefit of proc_dointvec */ + int bootloader_type, bootloader_version; + +@@ -772,7 +811,7 @@ static void __init trim_bios_range(void) + * area (640->1Mb) as ram even though it is not. + * take them out. + */ +- e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1); ++ e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1); + + sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); + } +@@ -780,7 +819,7 @@ static void __init trim_bios_range(void) + /* called before trim_bios_range() to spare extra sanitize */ + static void __init e820_add_kernel_range(void) + { +- u64 start = __pa_symbol(_text); ++ u64 start = __pa_symbol(ktla_ktva(_text)); + u64 size = __pa_symbol(_end) - start; + + /* +@@ -856,8 +895,12 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p) + + void __init setup_arch(char **cmdline_p) + { ++#ifdef CONFIG_X86_32 ++ memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - LOAD_PHYSICAL_ADDR); ++#else + memblock_reserve(__pa_symbol(_text), + (unsigned long)__bss_stop - (unsigned long)_text); ++#endif + + early_reserve_initrd(); + +@@ -947,14 +990,14 @@ void __init setup_arch(char **cmdline_p) + + if (!boot_params.hdr.root_flags) + root_mountflags &= ~MS_RDONLY; +- init_mm.start_code = (unsigned long) _text; +- init_mm.end_code = (unsigned long) _etext; ++ init_mm.start_code = ktla_ktva((unsigned long) _text); ++ init_mm.end_code = ktla_ktva((unsigned long) _etext); + init_mm.end_data = (unsigned long) _edata; + init_mm.brk = _brk_end; + +- code_resource.start = __pa_symbol(_text); +- code_resource.end = __pa_symbol(_etext)-1; +- data_resource.start = __pa_symbol(_etext); ++ code_resource.start = __pa_symbol(ktla_ktva(_text)); ++ code_resource.end = __pa_symbol(ktla_ktva(_etext))-1; ++ data_resource.start = __pa_symbol(_sdata); + data_resource.end = __pa_symbol(_edata)-1; + bss_resource.start = __pa_symbol(__bss_start); + bss_resource.end = __pa_symbol(__bss_stop)-1; +diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c +index 5cdff03..80fa283 100644 +--- a/arch/x86/kernel/setup_percpu.c ++++ b/arch/x86/kernel/setup_percpu.c +@@ -21,19 +21,17 @@ + #include + #include + +-DEFINE_PER_CPU_READ_MOSTLY(int, cpu_number); ++#ifdef CONFIG_SMP ++DEFINE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number); + EXPORT_PER_CPU_SYMBOL(cpu_number); ++#endif + +-#ifdef CONFIG_X86_64 + #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load) +-#else +-#define BOOT_PERCPU_OFFSET 0 +-#endif + + DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET; + EXPORT_PER_CPU_SYMBOL(this_cpu_off); + +-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = { ++unsigned long __per_cpu_offset[NR_CPUS] __read_only = { + [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET, + }; + EXPORT_SYMBOL(__per_cpu_offset); +@@ -66,7 +64,7 @@ static bool __init pcpu_need_numa(void) + { + #ifdef CONFIG_NEED_MULTIPLE_NODES + pg_data_t *last = NULL; +- unsigned int cpu; ++ int cpu; + + for_each_possible_cpu(cpu) { + int node = early_cpu_to_node(cpu); +@@ -155,10 +153,10 @@ static inline void setup_percpu_segment(int cpu) + { + #ifdef CONFIG_X86_32 + struct desc_struct gdt; ++ unsigned long base = per_cpu_offset(cpu); + +- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF, +- 0x2 | DESCTYPE_S, 0x8); +- gdt.s = 1; ++ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT, ++ 0x83 | DESCTYPE_S, 0xC); + write_gdt_entry(get_cpu_gdt_table(cpu), + GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S); + #endif +@@ -219,6 +217,11 @@ void __init setup_per_cpu_areas(void) + /* alrighty, percpu areas up and running */ + delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start; + for_each_possible_cpu(cpu) { ++#ifdef CONFIG_CC_STACKPROTECTOR ++#ifdef CONFIG_X86_32 ++ unsigned long canary = per_cpu(stack_canary.canary, cpu); ++#endif ++#endif + per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu]; + per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu); + per_cpu(cpu_number, cpu) = cpu; +@@ -259,6 +262,12 @@ void __init setup_per_cpu_areas(void) + */ + set_cpu_numa_node(cpu, early_cpu_to_node(cpu)); + #endif ++#ifdef CONFIG_CC_STACKPROTECTOR ++#ifdef CONFIG_X86_32 ++ if (!cpu) ++ per_cpu(stack_canary.canary, cpu) = canary; ++#endif ++#endif + /* + * Up to this point, the boot CPU has been using .init.data + * area. Reload any changed state for the boot CPU. +diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c +index 9e5de68..16c53cb 100644 +--- a/arch/x86/kernel/signal.c ++++ b/arch/x86/kernel/signal.c +@@ -190,7 +190,7 @@ static unsigned long align_sigframe(unsigned long sp) + * Align the stack pointer according to the i386 ABI, + * i.e. so that on function entry ((sp + 4) & 15) == 0. + */ +- sp = ((sp + 4) & -16ul) - 4; ++ sp = ((sp - 12) & -16ul) - 4; + #else /* !CONFIG_X86_32 */ + sp = round_down(sp, 16) - 8; + #endif +@@ -298,9 +298,9 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set, + } + + if (current->mm->context.vdso) +- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn); ++ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn); + else +- restorer = &frame->retcode; ++ restorer = (void __user *)&frame->retcode; + if (ksig->ka.sa.sa_flags & SA_RESTORER) + restorer = ksig->ka.sa.sa_restorer; + +@@ -314,7 +314,7 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set, + * reasons and because gdb uses it as a signature to notice + * signal handler stack frames. + */ +- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode); ++ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode); + + if (err) + return -EFAULT; +@@ -361,7 +361,10 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, + save_altstack_ex(&frame->uc.uc_stack, regs->sp); + + /* Set up to return from userspace. */ +- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); ++ if (current->mm->context.vdso) ++ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); ++ else ++ restorer = (void __user *)&frame->retcode; + if (ksig->ka.sa.sa_flags & SA_RESTORER) + restorer = ksig->ka.sa.sa_restorer; + put_user_ex(restorer, &frame->pretcode); +@@ -373,7 +376,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, + * reasons and because gdb uses it as a signature to notice + * signal handler stack frames. + */ +- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode); ++ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode); + } put_user_catch(err); + + err |= copy_siginfo_to_user(&frame->info, &ksig->info); +@@ -609,7 +612,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) + { + int usig = signr_convert(ksig->sig); + sigset_t *set = sigmask_to_save(); +- compat_sigset_t *cset = (compat_sigset_t *) set; ++ sigset_t sigcopy; ++ compat_sigset_t *cset; ++ ++ sigcopy = *set; ++ ++ cset = (compat_sigset_t *) &sigcopy; + + /* Set up the stack frame */ + if (is_ia32_frame()) { +@@ -620,7 +628,7 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) + } else if (is_x32_frame()) { + return x32_setup_rt_frame(ksig, cset, regs); + } else { +- return __setup_rt_frame(ksig->sig, ksig, set, regs); ++ return __setup_rt_frame(ksig->sig, ksig, &sigcopy, regs); + } + } + +diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c +index 7c3a5a6..f0a8961 100644 +--- a/arch/x86/kernel/smp.c ++++ b/arch/x86/kernel/smp.c +@@ -341,7 +341,7 @@ static int __init nonmi_ipi_setup(char *str) + + __setup("nonmi_ipi", nonmi_ipi_setup); + +-struct smp_ops smp_ops = { ++struct smp_ops smp_ops __read_only = { + .smp_prepare_boot_cpu = native_smp_prepare_boot_cpu, + .smp_prepare_cpus = native_smp_prepare_cpus, + .smp_cpus_done = native_smp_cpus_done, +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index a32da80..30c97f1 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -229,14 +229,18 @@ static void notrace start_secondary(void *unused) + + enable_start_cpu0 = 0; + +-#ifdef CONFIG_X86_32 +- /* switch away from the initial page table */ +- load_cr3(swapper_pg_dir); +- __flush_tlb_all(); +-#endif +- + /* otherwise gcc will move up smp_processor_id before the cpu_init */ + barrier(); ++ ++ /* switch away from the initial page table */ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); ++ __flush_tlb_all(); ++#elif defined(CONFIG_X86_32) ++ load_cr3(swapper_pg_dir); ++ __flush_tlb_all(); ++#endif ++ + /* + * Check TSC synchronization with the BP: + */ +@@ -749,8 +753,9 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle) + alternatives_enable_smp(); + + idle->thread.sp = (unsigned long) (((struct pt_regs *) +- (THREAD_SIZE + task_stack_page(idle))) - 1); ++ (THREAD_SIZE - 16 + task_stack_page(idle))) - 1); + per_cpu(current_task, cpu) = idle; ++ per_cpu(current_tinfo, cpu) = &idle->tinfo; + + #ifdef CONFIG_X86_32 + /* Stack for startup_32 can be just as for start_secondary onwards */ +@@ -758,11 +763,13 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle) + #else + clear_tsk_thread_flag(idle, TIF_FORK); + initial_gs = per_cpu_offset(cpu); +- per_cpu(kernel_stack, cpu) = +- (unsigned long)task_stack_page(idle) - +- KERNEL_STACK_OFFSET + THREAD_SIZE; ++ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE; + #endif ++ ++ pax_open_kernel(); + early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu); ++ pax_close_kernel(); ++ + initial_code = (unsigned long)start_secondary; + stack_start = idle->thread.sp; + +@@ -911,6 +918,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle) + /* the FPU context is blank, nobody can own it */ + __cpu_disable_lazy_restore(cpu); + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); ++ clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); ++#endif ++ + err = do_boot_cpu(apicid, cpu, tidle); + if (err) { + pr_debug("do_boot_cpu failed %d\n", err); +diff --git a/arch/x86/kernel/step.c b/arch/x86/kernel/step.c +index 9b4d51d..5d28b58 100644 +--- a/arch/x86/kernel/step.c ++++ b/arch/x86/kernel/step.c +@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re + struct desc_struct *desc; + unsigned long base; + +- seg &= ~7UL; ++ seg >>= 3; + + mutex_lock(&child->mm->context.lock); +- if (unlikely((seg >> 3) >= child->mm->context.size)) ++ if (unlikely(seg >= child->mm->context.size)) + addr = -1L; /* bogus selector, access would fault */ + else { + desc = child->mm->context.ldt + seg; +@@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re + addr += base; + } + mutex_unlock(&child->mm->context.lock); +- } ++ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS) ++ addr = ktla_ktva(addr); + + return addr; + } +@@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct task_struct *child, struct pt_regs *regs) + unsigned char opcode[15]; + unsigned long addr = convert_ip_to_linear(child, regs); + ++ if (addr == -EINVAL) ++ return 0; ++ + copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0); + for (i = 0; i < copied; i++) { + switch (opcode[i]) { +diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c +new file mode 100644 +index 0000000..5877189 +--- /dev/null ++++ b/arch/x86/kernel/sys_i386_32.c +@@ -0,0 +1,189 @@ ++/* ++ * This file contains various random system calls that ++ * have a non-standard calling sequence on the Linux/i386 ++ * platform. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#include ++ ++int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags) ++{ ++ unsigned long pax_task_size = TASK_SIZE; ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) ++ pax_task_size = SEGMEXEC_TASK_SIZE; ++#endif ++ ++ if (flags & MAP_FIXED) ++ if (len > pax_task_size || addr > pax_task_size - len) ++ return -EINVAL; ++ ++ return 0; ++} ++ ++/* ++ * Align a virtual address to avoid aliasing in the I$ on AMD F15h. ++ */ ++static unsigned long get_align_mask(void) ++{ ++ if (va_align.flags < 0 || !(va_align.flags & ALIGN_VA_32)) ++ return 0; ++ ++ if (!(current->flags & PF_RANDOMIZE)) ++ return 0; ++ ++ return va_align.mask; ++} ++ ++unsigned long ++arch_get_unmapped_area(struct file *filp, unsigned long addr, ++ unsigned long len, unsigned long pgoff, unsigned long flags) ++{ ++ struct mm_struct *mm = current->mm; ++ struct vm_area_struct *vma; ++ unsigned long pax_task_size = TASK_SIZE; ++ struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) ++ pax_task_size = SEGMEXEC_TASK_SIZE; ++#endif ++ ++ pax_task_size -= PAGE_SIZE; ++ ++ if (len > pax_task_size) ++ return -ENOMEM; ++ ++ if (flags & MAP_FIXED) ++ return addr; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ ++ if (addr) { ++ addr = PAGE_ALIGN(addr); ++ if (pax_task_size - len >= addr) { ++ vma = find_vma(mm, addr); ++ if (check_heap_stack_gap(vma, addr, len, offset)) ++ return addr; ++ } ++ } ++ ++ info.flags = 0; ++ info.length = len; ++ info.align_mask = filp ? get_align_mask() : 0; ++ info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) { ++ info.low_limit = 0x00110000UL; ++ info.high_limit = mm->start_code; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) ++ info.low_limit += mm->delta_mmap & 0x03FFF000UL; ++#endif ++ ++ if (info.low_limit < info.high_limit) { ++ addr = vm_unmapped_area(&info); ++ if (!IS_ERR_VALUE(addr)) ++ return addr; ++ } ++ } else ++#endif ++ ++ info.low_limit = mm->mmap_base; ++ info.high_limit = pax_task_size; ++ ++ return vm_unmapped_area(&info); ++} ++ ++unsigned long ++arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, ++ const unsigned long len, const unsigned long pgoff, ++ const unsigned long flags) ++{ ++ struct vm_area_struct *vma; ++ struct mm_struct *mm = current->mm; ++ unsigned long addr = addr0, pax_task_size = TASK_SIZE; ++ struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) ++ pax_task_size = SEGMEXEC_TASK_SIZE; ++#endif ++ ++ pax_task_size -= PAGE_SIZE; ++ ++ /* requested length too big for entire address space */ ++ if (len > pax_task_size) ++ return -ENOMEM; ++ ++ if (flags & MAP_FIXED) ++ return addr; ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) ++ goto bottomup; ++#endif ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ ++ /* requesting a specific address */ ++ if (addr) { ++ addr = PAGE_ALIGN(addr); ++ if (pax_task_size - len >= addr) { ++ vma = find_vma(mm, addr); ++ if (check_heap_stack_gap(vma, addr, len, offset)) ++ return addr; ++ } ++ } ++ ++ info.flags = VM_UNMAPPED_AREA_TOPDOWN; ++ info.length = len; ++ info.low_limit = PAGE_SIZE; ++ info.high_limit = mm->mmap_base; ++ info.align_mask = filp ? get_align_mask() : 0; ++ info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; ++ ++ addr = vm_unmapped_area(&info); ++ if (!(addr & ~PAGE_MASK)) ++ return addr; ++ VM_BUG_ON(addr != -ENOMEM); ++ ++bottomup: ++ /* ++ * A failed mmap() very likely causes application failure, ++ * so fall back to the bottom-up function here. This scenario ++ * can happen with large stack limits and large mmap() ++ * allocations. ++ */ ++ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags); ++} +diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c +index 30277e2..5664a29 100644 +--- a/arch/x86/kernel/sys_x86_64.c ++++ b/arch/x86/kernel/sys_x86_64.c +@@ -81,8 +81,8 @@ out: + return error; + } + +-static void find_start_end(unsigned long flags, unsigned long *begin, +- unsigned long *end) ++static void find_start_end(struct mm_struct *mm, unsigned long flags, ++ unsigned long *begin, unsigned long *end) + { + if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT)) { + unsigned long new_begin; +@@ -101,7 +101,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin, + *begin = new_begin; + } + } else { +- *begin = current->mm->mmap_legacy_base; ++ *begin = mm->mmap_legacy_base; + *end = TASK_SIZE; + } + } +@@ -114,20 +114,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct vm_area_struct *vma; + struct vm_unmapped_area_info info; + unsigned long begin, end; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) + return addr; + +- find_start_end(flags, &begin, &end); ++ find_start_end(mm, flags, &begin, &end); + + if (len > end) + return -ENOMEM; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + addr = PAGE_ALIGN(addr); + vma = find_vma(mm, addr); +- if (end - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (end - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + +@@ -137,6 +141,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + info.high_limit = end; + info.align_mask = filp ? get_align_mask() : 0; + info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + return vm_unmapped_area(&info); + } + +@@ -149,6 +154,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; + struct vm_unmapped_area_info info; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* requested length too big for entire address space */ + if (len > TASK_SIZE) +@@ -161,12 +167,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT)) + goto bottomup; + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + /* requesting a specific address */ + if (addr) { + addr = PAGE_ALIGN(addr); + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + +@@ -176,6 +185,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + info.high_limit = mm->mmap_base; + info.align_mask = filp ? get_align_mask() : 0; + info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + if (!(addr & ~PAGE_MASK)) + return addr; +diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c +index 91a4496..bb87552 100644 +--- a/arch/x86/kernel/tboot.c ++++ b/arch/x86/kernel/tboot.c +@@ -221,7 +221,7 @@ static int tboot_setup_sleep(void) + + void tboot_shutdown(u32 shutdown_type) + { +- void (*shutdown)(void); ++ void (* __noreturn shutdown)(void); + + if (!tboot_enabled()) + return; +@@ -243,7 +243,7 @@ void tboot_shutdown(u32 shutdown_type) + + switch_to_tboot_pt(); + +- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry; ++ shutdown = (void *)(unsigned long)tboot->shutdown_entry; + shutdown(); + + /* should not reach here */ +@@ -310,7 +310,7 @@ static int tboot_extended_sleep(u8 sleep_state, u32 val_a, u32 val_b) + return -ENODEV; + } + +-static atomic_t ap_wfs_count; ++static atomic_unchecked_t ap_wfs_count; + + static int tboot_wait_for_aps(int num_aps) + { +@@ -334,9 +334,9 @@ static int tboot_cpu_callback(struct notifier_block *nfb, unsigned long action, + { + switch (action) { + case CPU_DYING: +- atomic_inc(&ap_wfs_count); ++ atomic_inc_unchecked(&ap_wfs_count); + if (num_online_cpus() == 1) +- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count))) ++ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count))) + return NOTIFY_BAD; + break; + } +@@ -422,7 +422,7 @@ static __init int tboot_late_init(void) + + tboot_create_trampoline(); + +- atomic_set(&ap_wfs_count, 0); ++ atomic_set_unchecked(&ap_wfs_count, 0); + register_hotcpu_notifier(&tboot_cpu_notifier); + + #ifdef CONFIG_DEBUG_FS +diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c +index 24d3c91..d06b473 100644 +--- a/arch/x86/kernel/time.c ++++ b/arch/x86/kernel/time.c +@@ -30,9 +30,9 @@ unsigned long profile_pc(struct pt_regs *regs) + { + unsigned long pc = instruction_pointer(regs); + +- if (!user_mode_vm(regs) && in_lock_functions(pc)) { ++ if (!user_mode(regs) && in_lock_functions(pc)) { + #ifdef CONFIG_FRAME_POINTER +- return *(unsigned long *)(regs->bp + sizeof(long)); ++ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long))); + #else + unsigned long *sp = + (unsigned long *)kernel_stack_pointer(regs); +@@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs *regs) + * or above a saved flags. Eflags has bits 22-31 zero, + * kernel addresses don't. + */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ return ktla_ktva(sp[0]); ++#else + if (sp[0] >> 22) + return sp[0]; + if (sp[1] >> 22) + return sp[1]; + #endif ++ ++#endif + } + return pc; + } +diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c +index f7fec09..9991981 100644 +--- a/arch/x86/kernel/tls.c ++++ b/arch/x86/kernel/tls.c +@@ -84,6 +84,11 @@ int do_set_thread_area(struct task_struct *p, int idx, + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) + return -EINVAL; + ++#ifdef CONFIG_PAX_SEGMEXEC ++ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE)) ++ return -EINVAL; ++#endif ++ + set_tls_desc(p, idx, &info, 1); + + return 0; +@@ -200,7 +205,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, + + if (kbuf) + info = kbuf; +- else if (__copy_from_user(infobuf, ubuf, count)) ++ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count)) + return -EFAULT; + else + info = infobuf; +diff --git a/arch/x86/kernel/tracepoint.c b/arch/x86/kernel/tracepoint.c +index 1c113db..287b42e 100644 +--- a/arch/x86/kernel/tracepoint.c ++++ b/arch/x86/kernel/tracepoint.c +@@ -9,11 +9,11 @@ + #include + + atomic_t trace_idt_ctr = ATOMIC_INIT(0); +-struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1, ++const struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1, + (unsigned long) trace_idt_table }; + + /* No need to be aligned, but done to keep all IDTs defined the same way. */ +-gate_desc trace_idt_table[NR_VECTORS] __page_aligned_bss; ++gate_desc trace_idt_table[NR_VECTORS] __page_aligned_rodata; + + static int trace_irq_vector_refcount; + static DEFINE_MUTEX(irq_vector_mutex); +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 57409f6..8a7aa05 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -66,7 +66,7 @@ + #include + + /* No need to be aligned, but done to keep all IDTs defined the same way. */ +-gate_desc debug_idt_table[NR_VECTORS] __page_aligned_bss; ++gate_desc debug_idt_table[NR_VECTORS] __page_aligned_rodata; + #else + #include + #include +@@ -75,7 +75,7 @@ asmlinkage int system_call(void); + #endif + + /* Must be page-aligned because the real IDT is used in a fixmap. */ +-gate_desc idt_table[NR_VECTORS] __page_aligned_bss; ++gate_desc idt_table[NR_VECTORS] __page_aligned_rodata; + + DECLARE_BITMAP(used_vectors, NR_VECTORS); + EXPORT_SYMBOL_GPL(used_vectors); +@@ -107,11 +107,11 @@ static inline void preempt_conditional_cli(struct pt_regs *regs) + } + + static int __kprobes +-do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, ++do_trap_no_signal(struct task_struct *tsk, int trapnr, const char *str, + struct pt_regs *regs, long error_code) + { + #ifdef CONFIG_X86_32 +- if (regs->flags & X86_VM_MASK) { ++ if (v8086_mode(regs)) { + /* + * Traps 0, 1, 3, 4, and 5 should be forwarded to vm86. + * On nmi (interrupt 2), do_trap should not be called. +@@ -124,12 +124,24 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, + return -1; + } + #endif +- if (!user_mode(regs)) { ++ if (!user_mode_novm(regs)) { + if (!fixup_exception(regs)) { + tsk->thread.error_code = error_code; + tsk->thread.trap_nr = trapnr; ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)) ++ str = "PAX: suspicious stack segment fault"; ++#endif ++ + die(str, regs, error_code); + } ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ if (trapnr == 4) ++ pax_report_refcount_overflow(regs); ++#endif ++ + return 0; + } + +@@ -137,7 +149,7 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, + } + + static void __kprobes +-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs, ++do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs, + long error_code, siginfo_t *info) + { + struct task_struct *tsk = current; +@@ -161,7 +173,7 @@ do_trap(int trapnr, int signr, char *str, struct pt_regs *regs, + if (show_unhandled_signals && unhandled_signal(tsk, signr) && + printk_ratelimit()) { + pr_info("%s[%d] trap %s ip:%lx sp:%lx error:%lx", +- tsk->comm, tsk->pid, str, ++ tsk->comm, task_pid_nr(tsk), str, + regs->ip, regs->sp, error_code); + print_vma_addr(" in ", regs->ip); + pr_cont("\n"); +@@ -273,7 +285,7 @@ do_general_protection(struct pt_regs *regs, long error_code) + conditional_sti(regs); + + #ifdef CONFIG_X86_32 +- if (regs->flags & X86_VM_MASK) { ++ if (v8086_mode(regs)) { + local_irq_enable(); + handle_vm86_fault((struct kernel_vm86_regs *) regs, error_code); + goto exit; +@@ -281,18 +293,42 @@ do_general_protection(struct pt_regs *regs, long error_code) + #endif + + tsk = current; +- if (!user_mode(regs)) { ++ if (!user_mode_novm(regs)) { + if (fixup_exception(regs)) + goto exit; + + tsk->thread.error_code = error_code; + tsk->thread.trap_nr = X86_TRAP_GP; + if (notify_die(DIE_GPF, "general protection fault", regs, error_code, +- X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP) ++ X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP) { ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS) ++ die("PAX: suspicious general protection fault", regs, error_code); ++ else ++#endif ++ + die("general protection fault", regs, error_code); ++ } + goto exit; + } + ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) ++ if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) { ++ struct mm_struct *mm = tsk->mm; ++ unsigned long limit; ++ ++ down_write(&mm->mmap_sem); ++ limit = mm->context.user_cs_limit; ++ if (limit < TASK_SIZE) { ++ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC); ++ up_write(&mm->mmap_sem); ++ return; ++ } ++ up_write(&mm->mmap_sem); ++ } ++#endif ++ + tsk->thread.error_code = error_code; + tsk->thread.trap_nr = X86_TRAP_GP; + +@@ -453,7 +489,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) + /* It's safe to allow irq's after DR6 has been saved */ + preempt_conditional_sti(regs); + +- if (regs->flags & X86_VM_MASK) { ++ if (v8086_mode(regs)) { + handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code, + X86_TRAP_DB); + preempt_conditional_cli(regs); +@@ -468,7 +504,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) + * We already checked v86 mode above, so we can check for kernel mode + * by just checking the CPL of CS. + */ +- if ((dr6 & DR_STEP) && !user_mode(regs)) { ++ if ((dr6 & DR_STEP) && !user_mode_novm(regs)) { + tsk->thread.debugreg6 &= ~DR_STEP; + set_tsk_thread_flag(tsk, TIF_SINGLESTEP); + regs->flags &= ~X86_EFLAGS_TF; +@@ -500,7 +536,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) + return; + conditional_sti(regs); + +- if (!user_mode_vm(regs)) ++ if (!user_mode(regs)) + { + if (!fixup_exception(regs)) { + task->thread.error_code = error_code; +diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c +index cfbe99f..a6e8fa7 100644 +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -150,7 +150,7 @@ static void cyc2ns_write_end(int cpu, struct cyc2ns_data *data) + */ + smp_wmb(); + +- ACCESS_ONCE(c2n->head) = data; ++ ACCESS_ONCE_RW(c2n->head) = data; + } + + /* +diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c +index 2ed8459..7cf329f 100644 +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -629,7 +629,7 @@ int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val, + int ret = NOTIFY_DONE; + + /* We are only interested in userspace traps */ +- if (regs && !user_mode_vm(regs)) ++ if (regs && !user_mode(regs)) + return NOTIFY_DONE; + + switch (val) { +@@ -719,7 +719,7 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs + + if (ncopied != rasize) { + pr_err("uprobe: return address clobbered: pid=%d, %%sp=%#lx, " +- "%%ip=%#lx\n", current->pid, regs->sp, regs->ip); ++ "%%ip=%#lx\n", task_pid_nr(current), regs->sp, regs->ip); + + force_sig_info(SIGSEGV, SEND_SIG_FORCED, current); + } +diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S +index b9242ba..50c5edd 100644 +--- a/arch/x86/kernel/verify_cpu.S ++++ b/arch/x86/kernel/verify_cpu.S +@@ -20,6 +20,7 @@ + * arch/x86/boot/compressed/head_64.S: Boot cpu verification + * arch/x86/kernel/trampoline_64.S: secondary processor verification + * arch/x86/kernel/head_32.S: processor startup ++ * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume + * + * verify_cpu, returns the status of longmode and SSE in register %eax. + * 0: Success 1: Failure +diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c +index e8edcf5..27f9344 100644 +--- a/arch/x86/kernel/vm86_32.c ++++ b/arch/x86/kernel/vm86_32.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -150,7 +151,7 @@ struct pt_regs *save_v86_state(struct kernel_vm86_regs *regs) + do_exit(SIGSEGV); + } + +- tss = &per_cpu(init_tss, get_cpu()); ++ tss = init_tss + get_cpu(); + current->thread.sp0 = current->thread.saved_sp0; + current->thread.sysenter_cs = __KERNEL_CS; + load_sp0(tss, ¤t->thread); +@@ -214,6 +215,14 @@ SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86) + + if (tsk->thread.saved_sp0) + return -EPERM; ++ ++#ifdef CONFIG_GRKERNSEC_VM86 ++ if (!capable(CAP_SYS_RAWIO)) { ++ gr_handle_vm86(); ++ return -EPERM; ++ } ++#endif ++ + tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs, + offsetof(struct kernel_vm86_struct, vm86plus) - + sizeof(info.regs)); +@@ -238,6 +247,13 @@ SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg) + int tmp; + struct vm86plus_struct __user *v86; + ++#ifdef CONFIG_GRKERNSEC_VM86 ++ if (!capable(CAP_SYS_RAWIO)) { ++ gr_handle_vm86(); ++ return -EPERM; ++ } ++#endif ++ + tsk = current; + switch (cmd) { + case VM86_REQUEST_IRQ: +@@ -318,7 +334,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk + tsk->thread.saved_fs = info->regs32->fs; + tsk->thread.saved_gs = get_user_gs(info->regs32); + +- tss = &per_cpu(init_tss, get_cpu()); ++ tss = init_tss + get_cpu(); + tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0; + if (cpu_has_sep) + tsk->thread.sysenter_cs = 0; +@@ -525,7 +541,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i, + goto cannot_handle; + if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored)) + goto cannot_handle; +- intr_ptr = (unsigned long __user *) (i << 2); ++ intr_ptr = (__force unsigned long __user *) (i << 2); + if (get_user(segoffs, intr_ptr)) + goto cannot_handle; + if ((segoffs >> 16) == BIOSSEG) +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index da6b35a..977e9cf 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -26,6 +26,13 @@ + #include + #include + #include ++#include ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR) ++#else ++#define __KERNEL_TEXT_OFFSET 0 ++#endif + + #undef i386 /* in case the preprocessor is a 32bit one */ + +@@ -69,30 +76,43 @@ jiffies_64 = jiffies; + + PHDRS { + text PT_LOAD FLAGS(5); /* R_E */ ++#ifdef CONFIG_X86_32 ++ module PT_LOAD FLAGS(5); /* R_E */ ++#endif ++#ifdef CONFIG_XEN ++ rodata PT_LOAD FLAGS(5); /* R_E */ ++#else ++ rodata PT_LOAD FLAGS(4); /* R__ */ ++#endif + data PT_LOAD FLAGS(6); /* RW_ */ +-#ifdef CONFIG_X86_64 ++ init.begin PT_LOAD FLAGS(6); /* RW_ */ + #ifdef CONFIG_SMP + percpu PT_LOAD FLAGS(6); /* RW_ */ + #endif ++ text.init PT_LOAD FLAGS(5); /* R_E */ ++ text.exit PT_LOAD FLAGS(5); /* R_E */ + init PT_LOAD FLAGS(7); /* RWE */ +-#endif + note PT_NOTE FLAGS(0); /* ___ */ + } + + SECTIONS + { + #ifdef CONFIG_X86_32 +- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR; +- phys_startup_32 = startup_32 - LOAD_OFFSET; ++ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR; + #else +- . = __START_KERNEL; +- phys_startup_64 = startup_64 - LOAD_OFFSET; ++ . = __START_KERNEL; + #endif + + /* Text and read-only data */ +- .text : AT(ADDR(.text) - LOAD_OFFSET) { +- _text = .; ++ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { + /* bootstrapping code */ ++#ifdef CONFIG_X86_32 ++ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET; ++#else ++ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET; ++#endif ++ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET; ++ _text = .; + HEAD_TEXT + . = ALIGN(8); + _stext = .; +@@ -104,13 +124,47 @@ SECTIONS + IRQENTRY_TEXT + *(.fixup) + *(.gnu.warning) +- /* End of text section */ +- _etext = .; + } :text = 0x9090 + +- NOTES :text :note ++ . += __KERNEL_TEXT_OFFSET; + +- EXCEPTION_TABLE(16) :text = 0x9090 ++#ifdef CONFIG_X86_32 ++ . = ALIGN(PAGE_SIZE); ++ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) { ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ MODULES_EXEC_VADDR = .; ++ BYTE(0) ++ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024); ++ . = ALIGN(HPAGE_SIZE) - 1; ++ MODULES_EXEC_END = .; ++#endif ++ ++ } :module ++#endif ++ ++ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) { ++ /* End of text section */ ++ BYTE(0) ++ _etext = . - __KERNEL_TEXT_OFFSET; ++ } ++ ++#ifdef CONFIG_X86_32 ++ . = ALIGN(PAGE_SIZE); ++ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) { ++ . = ALIGN(PAGE_SIZE); ++ *(.empty_zero_page) ++ *(.initial_pg_fixmap) ++ *(.initial_pg_pmd) ++ *(.initial_page_table) ++ *(.swapper_pg_dir) ++ } :rodata ++#endif ++ ++ . = ALIGN(PAGE_SIZE); ++ NOTES :rodata :note ++ ++ EXCEPTION_TABLE(16) :rodata + + #if defined(CONFIG_DEBUG_RODATA) + /* .text should occupy whole number of pages */ +@@ -122,16 +176,20 @@ SECTIONS + + /* Data */ + .data : AT(ADDR(.data) - LOAD_OFFSET) { ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ . = ALIGN(HPAGE_SIZE); ++#else ++ . = ALIGN(PAGE_SIZE); ++#endif ++ + /* Start of data section */ + _sdata = .; + + /* init_task */ + INIT_TASK_DATA(THREAD_SIZE) + +-#ifdef CONFIG_X86_32 +- /* 32 bit has nosave before _edata */ + NOSAVE_DATA +-#endif + + PAGE_ALIGNED_DATA(PAGE_SIZE) + +@@ -172,12 +230,19 @@ SECTIONS + #endif /* CONFIG_X86_64 */ + + /* Init code and data - will be freed after init */ +- . = ALIGN(PAGE_SIZE); + .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) { ++ BYTE(0) ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ . = ALIGN(HPAGE_SIZE); ++#else ++ . = ALIGN(PAGE_SIZE); ++#endif ++ + __init_begin = .; /* paired with __init_end */ +- } ++ } :init.begin + +-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP) ++#ifdef CONFIG_SMP + /* + * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the + * output PHDR, so the next output section - .init.text - should +@@ -186,12 +251,27 @@ SECTIONS + PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu) + #endif + +- INIT_TEXT_SECTION(PAGE_SIZE) +-#ifdef CONFIG_X86_64 +- :init +-#endif ++ . = ALIGN(PAGE_SIZE); ++ init_begin = .; ++ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) { ++ VMLINUX_SYMBOL(_sinittext) = .; ++ INIT_TEXT ++ VMLINUX_SYMBOL(_einittext) = .; ++ . = ALIGN(PAGE_SIZE); ++ } :text.init + +- INIT_DATA_SECTION(16) ++ /* ++ * .exit.text is discard at runtime, not link time, to deal with ++ * references from .altinstructions and .eh_frame ++ */ ++ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { ++ EXIT_TEXT ++ . = ALIGN(16); ++ } :text.exit ++ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text); ++ ++ . = ALIGN(PAGE_SIZE); ++ INIT_DATA_SECTION(16) :init + + .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) { + __x86_cpu_dev_start = .; +@@ -262,19 +342,12 @@ SECTIONS + } + + . = ALIGN(8); +- /* +- * .exit.text is discard at runtime, not link time, to deal with +- * references from .altinstructions and .eh_frame +- */ +- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { +- EXIT_TEXT +- } + + .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { + EXIT_DATA + } + +-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP) ++#ifndef CONFIG_SMP + PERCPU_SECTION(INTERNODE_CACHE_BYTES) + #endif + +@@ -293,16 +366,10 @@ SECTIONS + .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) { + __smp_locks = .; + *(.smp_locks) +- . = ALIGN(PAGE_SIZE); + __smp_locks_end = .; ++ . = ALIGN(PAGE_SIZE); + } + +-#ifdef CONFIG_X86_64 +- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { +- NOSAVE_DATA +- } +-#endif +- + /* BSS */ + . = ALIGN(PAGE_SIZE); + .bss : AT(ADDR(.bss) - LOAD_OFFSET) { +@@ -318,6 +385,7 @@ SECTIONS + __brk_base = .; + . += 64 * 1024; /* 64k alignment slop space */ + *(.brk_reservation) /* areas brk users have reserved */ ++ . = ALIGN(HPAGE_SIZE); + __brk_limit = .; + } + +@@ -344,13 +412,12 @@ SECTIONS + * for the boot processor. + */ + #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load +-INIT_PER_CPU(gdt_page); + INIT_PER_CPU(irq_stack_union); + + /* + * Build-time check on the image size: + */ +-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE), ++. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE), + "kernel image bigger than KERNEL_IMAGE_SIZE"); + + #ifdef CONFIG_SMP +diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c +index 1f96f93..d5c8f7a 100644 +--- a/arch/x86/kernel/vsyscall_64.c ++++ b/arch/x86/kernel/vsyscall_64.c +@@ -56,15 +56,13 @@ + DEFINE_VVAR(int, vgetcpu_mode); + DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data); + +-static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE; ++static enum { EMULATE, NONE } vsyscall_mode = EMULATE; + + static int __init vsyscall_setup(char *str) + { + if (str) { + if (!strcmp("emulate", str)) + vsyscall_mode = EMULATE; +- else if (!strcmp("native", str)) +- vsyscall_mode = NATIVE; + else if (!strcmp("none", str)) + vsyscall_mode = NONE; + else +@@ -323,8 +321,7 @@ do_ret: + return true; + + sigsegv: +- force_sig(SIGSEGV, current); +- return true; ++ do_group_exit(SIGKILL); + } + + /* +@@ -377,10 +374,7 @@ void __init map_vsyscall(void) + extern char __vvar_page; + unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page); + +- __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall, +- vsyscall_mode == NATIVE +- ? PAGE_KERNEL_VSYSCALL +- : PAGE_KERNEL_VVAR); ++ __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall, PAGE_KERNEL_VVAR); + BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_FIRST_PAGE) != + (unsigned long)VSYSCALL_START); + +diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c +index 04068192..4d75aa6 100644 +--- a/arch/x86/kernel/x8664_ksyms_64.c ++++ b/arch/x86/kernel/x8664_ksyms_64.c +@@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string); + EXPORT_SYMBOL(copy_user_generic_unrolled); + EXPORT_SYMBOL(copy_user_enhanced_fast_string); + EXPORT_SYMBOL(__copy_user_nocache); +-EXPORT_SYMBOL(_copy_from_user); +-EXPORT_SYMBOL(_copy_to_user); + + EXPORT_SYMBOL(copy_page); + EXPORT_SYMBOL(clear_page); +@@ -73,3 +71,7 @@ EXPORT_SYMBOL(___preempt_schedule); + EXPORT_SYMBOL(___preempt_schedule_context); + #endif + #endif ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++EXPORT_SYMBOL(cpu_pgd); ++#endif +diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c +index e48b674..a451dd9 100644 +--- a/arch/x86/kernel/x86_init.c ++++ b/arch/x86/kernel/x86_init.c +@@ -93,7 +93,7 @@ struct x86_cpuinit_ops x86_cpuinit = { + static void default_nmi_init(void) { }; + static int default_i8042_detect(void) { return 1; }; + +-struct x86_platform_ops x86_platform = { ++struct x86_platform_ops x86_platform __read_only = { + .calibrate_tsc = native_calibrate_tsc, + .get_wallclock = mach_get_cmos_time, + .set_wallclock = mach_set_rtc_mmss, +@@ -109,7 +109,7 @@ struct x86_platform_ops x86_platform = { + EXPORT_SYMBOL_GPL(x86_platform); + + #if defined(CONFIG_PCI_MSI) +-struct x86_msi_ops x86_msi = { ++struct x86_msi_ops x86_msi __read_only = { + .setup_msi_irqs = native_setup_msi_irqs, + .compose_msi_msg = native_compose_msi_msg, + .teardown_msi_irq = native_teardown_msi_irq, +@@ -150,7 +150,7 @@ u32 arch_msix_mask_irq(struct msi_desc *desc, u32 flag) + } + #endif + +-struct x86_io_apic_ops x86_io_apic_ops = { ++struct x86_io_apic_ops x86_io_apic_ops __read_only = { + .init = native_io_apic_init_mappings, + .read = native_io_apic_read, + .write = native_io_apic_write, +diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c +index a4b451c..8dfe1ad 100644 +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -164,18 +164,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame) + + /* Setup the bytes not touched by the [f]xsave and reserved for SW. */ + sw_bytes = ia32_frame ? &fx_sw_reserved_ia32 : &fx_sw_reserved; +- err = __copy_to_user(&x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes)); ++ err = __copy_to_user(x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes)); + + if (!use_xsave()) + return err; + +- err |= __put_user(FP_XSTATE_MAGIC2, (__u32 *)(buf + xstate_size)); ++ err |= __put_user(FP_XSTATE_MAGIC2, (__u32 __user *)(buf + xstate_size)); + + /* + * Read the xstate_bv which we copied (directly from the cpu or + * from the state in task struct) to the user buffers. + */ +- err |= __get_user(xstate_bv, (__u32 *)&x->xsave_hdr.xstate_bv); ++ err |= __get_user(xstate_bv, (__u32 __user *)&x->xsave_hdr.xstate_bv); + + /* + * For legacy compatible, we always set FP/SSE bits in the bit +@@ -190,7 +190,7 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame) + */ + xstate_bv |= XSTATE_FPSSE; + +- err |= __put_user(xstate_bv, (__u32 *)&x->xsave_hdr.xstate_bv); ++ err |= __put_user(xstate_bv, (__u32 __user *)&x->xsave_hdr.xstate_bv); + + return err; + } +@@ -199,6 +199,7 @@ static inline int save_user_xstate(struct xsave_struct __user *buf) + { + int err; + ++ buf = (struct xsave_struct __user *)____m(buf); + if (use_xsave()) + err = xsave_user(buf); + else if (use_fxsr()) +@@ -311,6 +312,7 @@ sanitize_restored_xstate(struct task_struct *tsk, + */ + static inline int restore_user_xstate(void __user *buf, u64 xbv, int fx_only) + { ++ buf = (void __user *)____m(buf); + if (use_xsave()) { + if ((unsigned long)buf % 64 || fx_only) { + u64 init_bv = pcntxt_mask & ~XSTATE_FPSSE; +diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c +index c697625..a032162 100644 +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -156,15 +156,20 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, + struct kvm_cpuid2 *cpuid, + struct kvm_cpuid_entry2 __user *entries) + { +- int r; ++ int r, i; + + r = -E2BIG; + if (cpuid->nent > KVM_MAX_CPUID_ENTRIES) + goto out; + r = -EFAULT; +- if (copy_from_user(&vcpu->arch.cpuid_entries, entries, +- cpuid->nent * sizeof(struct kvm_cpuid_entry2))) ++ if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2))) + goto out; ++ for (i = 0; i < cpuid->nent; ++i) { ++ struct kvm_cpuid_entry2 cpuid_entry; ++ if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry))) ++ goto out; ++ vcpu->arch.cpuid_entries[i] = cpuid_entry; ++ } + vcpu->arch.cpuid_nent = cpuid->nent; + kvm_apic_set_version(vcpu); + kvm_x86_ops->cpuid_update(vcpu); +@@ -179,15 +184,19 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, + struct kvm_cpuid2 *cpuid, + struct kvm_cpuid_entry2 __user *entries) + { +- int r; ++ int r, i; + + r = -E2BIG; + if (cpuid->nent < vcpu->arch.cpuid_nent) + goto out; + r = -EFAULT; +- if (copy_to_user(entries, &vcpu->arch.cpuid_entries, +- vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2))) ++ if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2))) + goto out; ++ for (i = 0; i < vcpu->arch.cpuid_nent; ++i) { ++ struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i]; ++ if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry))) ++ goto out; ++ } + return 0; + + out: +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 9736529..ab4f54c 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -55,7 +55,7 @@ + #define APIC_BUS_CYCLE_NS 1 + + /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */ +-#define apic_debug(fmt, arg...) ++#define apic_debug(fmt, arg...) do {} while (0) + + #define APIC_LVT_NUM 6 + /* 14 is the version for Xeon and Pentium 8.4.8*/ +diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h +index cba218a..1cc1bed 100644 +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -331,7 +331,7 @@ retry_walk: + if (unlikely(kvm_is_error_hva(host_addr))) + goto error; + +- ptep_user = (pt_element_t __user *)((void *)host_addr + offset); ++ ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset); + if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte)))) + goto error; + walker->ptep_user[walker->level - 1] = ptep_user; +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 2de1bc0..22251ee 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3508,7 +3508,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) + int cpu = raw_smp_processor_id(); + + struct svm_cpu_data *sd = per_cpu(svm_data, cpu); ++ ++ pax_open_kernel(); + sd->tss_desc->type = 9; /* available 32/64-bit TSS */ ++ pax_close_kernel(); ++ + load_TR_desc(); + } + +@@ -3911,6 +3915,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) + #endif + #endif + ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ __set_fs(current_thread_info()->addr_limit); ++#endif ++ + reload_tss(vcpu); + + local_irq_disable(); +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 3927528..fc19971 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1320,12 +1320,12 @@ static void vmcs_write64(unsigned long field, u64 value) + #endif + } + +-static void vmcs_clear_bits(unsigned long field, u32 mask) ++static void vmcs_clear_bits(unsigned long field, unsigned long mask) + { + vmcs_writel(field, vmcs_readl(field) & ~mask); + } + +-static void vmcs_set_bits(unsigned long field, u32 mask) ++static void vmcs_set_bits(unsigned long field, unsigned long mask) + { + vmcs_writel(field, vmcs_readl(field) | mask); + } +@@ -1585,7 +1585,11 @@ static void reload_tss(void) + struct desc_struct *descs; + + descs = (void *)gdt->address; ++ ++ pax_open_kernel(); + descs[GDT_ENTRY_TSS].type = 9; /* available TSS */ ++ pax_close_kernel(); ++ + load_TR_desc(); + } + +@@ -1809,6 +1813,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu) + vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */ + vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */ + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */ ++#endif ++ + rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp); + vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */ + vmx->loaded_vmcs->cpu = cpu; +@@ -2098,7 +2106,7 @@ static void setup_msrs(struct vcpu_vmx *vmx) + * reads and returns guest's timestamp counter "register" + * guest_tsc = host_tsc + tsc_offset -- 21.3 + */ +-static u64 guest_read_tsc(void) ++static u64 __intentional_overflow(-1) guest_read_tsc(void) + { + u64 host_tsc, tsc_offset; + +@@ -3024,8 +3032,11 @@ static __init int hardware_setup(void) + if (!cpu_has_vmx_flexpriority()) + flexpriority_enabled = 0; + +- if (!cpu_has_vmx_tpr_shadow()) +- kvm_x86_ops->update_cr8_intercept = NULL; ++ if (!cpu_has_vmx_tpr_shadow()) { ++ pax_open_kernel(); ++ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL; ++ pax_close_kernel(); ++ } + + if (enable_ept && !cpu_has_vmx_ept_2m_page()) + kvm_disable_largepages(); +@@ -3036,13 +3047,15 @@ static __init int hardware_setup(void) + if (!cpu_has_vmx_apicv()) + enable_apicv = 0; + ++ pax_open_kernel(); + if (enable_apicv) +- kvm_x86_ops->update_cr8_intercept = NULL; ++ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL; + else { +- kvm_x86_ops->hwapic_irr_update = NULL; +- kvm_x86_ops->deliver_posted_interrupt = NULL; +- kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy; ++ *(void **)&kvm_x86_ops->hwapic_irr_update = NULL; ++ *(void **)&kvm_x86_ops->deliver_posted_interrupt = NULL; ++ *(void **)&kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy; + } ++ pax_close_kernel(); + + if (nested) + nested_vmx_setup_ctls_msrs(); +@@ -4165,7 +4178,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) + + vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */ + vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */ ++ ++#ifndef CONFIG_PAX_PER_CPU_PGD + vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */ ++#endif + + vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ + #ifdef CONFIG_X86_64 +@@ -4187,7 +4203,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) + vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ + vmx->host_idt_base = dt.address; + +- vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */ ++ vmcs_writel(HOST_RIP, ktla_ktva(vmx_return)); /* 22.2.5 */ + + rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); + vmcs_write32(HOST_IA32_SYSENTER_CS, low32); +@@ -7265,6 +7281,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + "jmp 2f \n\t" + "1: " __ex(ASM_VMX_VMRESUME) "\n\t" + "2: " ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ "ljmp %[cs],$3f\n\t" ++ "3: " ++#endif ++ + /* Save guest registers, load host registers, keep flags */ + "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" + "pop %0 \n\t" +@@ -7317,6 +7339,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + #endif + [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), + [wordsize]"i"(sizeof(ulong)) ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ ,[cs]"i"(__KERNEL_CS) ++#endif ++ + : "cc", "memory" + #ifdef CONFIG_X86_64 + , "rax", "rbx", "rdi", "rsi" +@@ -7330,7 +7357,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + if (debugctlmsr) + update_debugctlmsr(debugctlmsr); + +-#ifndef CONFIG_X86_64 ++#ifdef CONFIG_X86_32 + /* + * The sysexit path does not restore ds/es, so we must set them to + * a reasonable value ourselves. +@@ -7339,8 +7366,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) + * may be executed in interrupt context, which saves and restore segments + * around it, nullifying its effect. + */ +- loadsegment(ds, __USER_DS); +- loadsegment(es, __USER_DS); ++ loadsegment(ds, __KERNEL_DS); ++ loadsegment(es, __KERNEL_DS); ++ loadsegment(ss, __KERNEL_DS); ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ loadsegment(fs, __KERNEL_PERCPU); ++#endif ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ __set_fs(current_thread_info()->addr_limit); ++#endif ++ + #endif + + vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 2b85784..ad70e19 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1777,8 +1777,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) + { + struct kvm *kvm = vcpu->kvm; + int lm = is_long_mode(vcpu); +- u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64 +- : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32; ++ u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64 ++ : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32; + u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 + : kvm->arch.xen_hvm_config.blob_size_32; + u32 page_num = data & ~PAGE_MASK; +@@ -2689,6 +2689,8 @@ long kvm_arch_dev_ioctl(struct file *filp, + if (n < msr_list.nmsrs) + goto out; + r = -EFAULT; ++ if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save)) ++ goto out; + if (copy_to_user(user_msr_list->indices, &msrs_to_save, + num_msrs_to_save * sizeof(u32))) + goto out; +@@ -5503,7 +5505,7 @@ static struct notifier_block pvclock_gtod_notifier = { + }; + #endif + +-int kvm_arch_init(void *opaque) ++int kvm_arch_init(const void *opaque) + { + int r; + struct kvm_x86_ops *ops = opaque; +diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c +index ad1fb5f..fe30b66 100644 +--- a/arch/x86/lguest/boot.c ++++ b/arch/x86/lguest/boot.c +@@ -1206,9 +1206,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count) + * Rebooting also tells the Host we're finished, but the RESTART flag tells the + * Launcher to reboot us. + */ +-static void lguest_restart(char *reason) ++static __noreturn void lguest_restart(char *reason) + { + hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0); ++ BUG(); + } + + /*G:050 +diff --git a/arch/x86/lib/atomic64_386_32.S b/arch/x86/lib/atomic64_386_32.S +index 00933d5..3a64af9 100644 +--- a/arch/x86/lib/atomic64_386_32.S ++++ b/arch/x86/lib/atomic64_386_32.S +@@ -48,6 +48,10 @@ BEGIN(read) + movl (v), %eax + movl 4(v), %edx + RET_ENDP ++BEGIN(read_unchecked) ++ movl (v), %eax ++ movl 4(v), %edx ++RET_ENDP + #undef v + + #define v %esi +@@ -55,6 +59,10 @@ BEGIN(set) + movl %ebx, (v) + movl %ecx, 4(v) + RET_ENDP ++BEGIN(set_unchecked) ++ movl %ebx, (v) ++ movl %ecx, 4(v) ++RET_ENDP + #undef v + + #define v %esi +@@ -70,6 +78,20 @@ RET_ENDP + BEGIN(add) + addl %eax, (v) + adcl %edx, 4(v) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ jno 0f ++ subl %eax, (v) ++ sbbl %edx, 4(v) ++ int $4 ++0: ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++RET_ENDP ++BEGIN(add_unchecked) ++ addl %eax, (v) ++ adcl %edx, 4(v) + RET_ENDP + #undef v + +@@ -77,6 +99,24 @@ RET_ENDP + BEGIN(add_return) + addl (v), %eax + adcl 4(v), %edx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 2f) ++#endif ++ ++ movl %eax, (v) ++ movl %edx, 4(v) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++2: ++#endif ++ ++RET_ENDP ++BEGIN(add_return_unchecked) ++ addl (v), %eax ++ adcl 4(v), %edx + movl %eax, (v) + movl %edx, 4(v) + RET_ENDP +@@ -86,6 +126,20 @@ RET_ENDP + BEGIN(sub) + subl %eax, (v) + sbbl %edx, 4(v) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ jno 0f ++ addl %eax, (v) ++ adcl %edx, 4(v) ++ int $4 ++0: ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++RET_ENDP ++BEGIN(sub_unchecked) ++ subl %eax, (v) ++ sbbl %edx, 4(v) + RET_ENDP + #undef v + +@@ -96,6 +150,27 @@ BEGIN(sub_return) + sbbl $0, %edx + addl (v), %eax + adcl 4(v), %edx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 2f) ++#endif ++ ++ movl %eax, (v) ++ movl %edx, 4(v) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++2: ++#endif ++ ++RET_ENDP ++BEGIN(sub_return_unchecked) ++ negl %edx ++ negl %eax ++ sbbl $0, %edx ++ addl (v), %eax ++ adcl 4(v), %edx + movl %eax, (v) + movl %edx, 4(v) + RET_ENDP +@@ -105,6 +180,20 @@ RET_ENDP + BEGIN(inc) + addl $1, (v) + adcl $0, 4(v) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ jno 0f ++ subl $1, (v) ++ sbbl $0, 4(v) ++ int $4 ++0: ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++RET_ENDP ++BEGIN(inc_unchecked) ++ addl $1, (v) ++ adcl $0, 4(v) + RET_ENDP + #undef v + +@@ -114,6 +203,26 @@ BEGIN(inc_return) + movl 4(v), %edx + addl $1, %eax + adcl $0, %edx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 2f) ++#endif ++ ++ movl %eax, (v) ++ movl %edx, 4(v) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++2: ++#endif ++ ++RET_ENDP ++BEGIN(inc_return_unchecked) ++ movl (v), %eax ++ movl 4(v), %edx ++ addl $1, %eax ++ adcl $0, %edx + movl %eax, (v) + movl %edx, 4(v) + RET_ENDP +@@ -123,6 +232,20 @@ RET_ENDP + BEGIN(dec) + subl $1, (v) + sbbl $0, 4(v) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ jno 0f ++ addl $1, (v) ++ adcl $0, 4(v) ++ int $4 ++0: ++ _ASM_EXTABLE(0b, 0b) ++#endif ++ ++RET_ENDP ++BEGIN(dec_unchecked) ++ subl $1, (v) ++ sbbl $0, 4(v) + RET_ENDP + #undef v + +@@ -132,6 +255,26 @@ BEGIN(dec_return) + movl 4(v), %edx + subl $1, %eax + sbbl $0, %edx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 2f) ++#endif ++ ++ movl %eax, (v) ++ movl %edx, 4(v) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++2: ++#endif ++ ++RET_ENDP ++BEGIN(dec_return_unchecked) ++ movl (v), %eax ++ movl 4(v), %edx ++ subl $1, %eax ++ sbbl $0, %edx + movl %eax, (v) + movl %edx, 4(v) + RET_ENDP +@@ -143,6 +286,13 @@ BEGIN(add_unless) + adcl %edx, %edi + addl (v), %eax + adcl 4(v), %edx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 2f) ++#endif ++ + cmpl %eax, %ecx + je 3f + 1: +@@ -168,6 +318,13 @@ BEGIN(inc_not_zero) + 1: + addl $1, %eax + adcl $0, %edx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 2f) ++#endif ++ + movl %eax, (v) + movl %edx, 4(v) + movl $1, %eax +@@ -186,6 +343,13 @@ BEGIN(dec_if_positive) + movl 4(v), %edx + subl $1, %eax + sbbl $0, %edx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 1f) ++#endif ++ + js 1f + movl %eax, (v) + movl %edx, 4(v) +diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S +index f5cc9eb..51fa319 100644 +--- a/arch/x86/lib/atomic64_cx8_32.S ++++ b/arch/x86/lib/atomic64_cx8_32.S +@@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8) + CFI_STARTPROC + + read64 %ecx ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(atomic64_read_cx8) + ++ENTRY(atomic64_read_unchecked_cx8) ++ CFI_STARTPROC ++ ++ read64 %ecx ++ pax_force_retaddr ++ ret ++ CFI_ENDPROC ++ENDPROC(atomic64_read_unchecked_cx8) ++ + ENTRY(atomic64_set_cx8) + CFI_STARTPROC + +@@ -48,10 +58,25 @@ ENTRY(atomic64_set_cx8) + cmpxchg8b (%esi) + jne 1b + ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(atomic64_set_cx8) + ++ENTRY(atomic64_set_unchecked_cx8) ++ CFI_STARTPROC ++ ++1: ++/* we don't need LOCK_PREFIX since aligned 64-bit writes ++ * are atomic on 586 and newer */ ++ cmpxchg8b (%esi) ++ jne 1b ++ ++ pax_force_retaddr ++ ret ++ CFI_ENDPROC ++ENDPROC(atomic64_set_unchecked_cx8) ++ + ENTRY(atomic64_xchg_cx8) + CFI_STARTPROC + +@@ -60,12 +85,13 @@ ENTRY(atomic64_xchg_cx8) + cmpxchg8b (%esi) + jne 1b + ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(atomic64_xchg_cx8) + +-.macro addsub_return func ins insc +-ENTRY(atomic64_\func\()_return_cx8) ++.macro addsub_return func ins insc unchecked="" ++ENTRY(atomic64_\func\()_return\unchecked\()_cx8) + CFI_STARTPROC + SAVE ebp + SAVE ebx +@@ -82,27 +108,44 @@ ENTRY(atomic64_\func\()_return_cx8) + movl %edx, %ecx + \ins\()l %esi, %ebx + \insc\()l %edi, %ecx ++ ++.ifb \unchecked ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++2: ++ _ASM_EXTABLE(2b, 3f) ++#endif ++.endif ++ + LOCK_PREFIX + cmpxchg8b (%ebp) + jne 1b +- +-10: + movl %ebx, %eax + movl %ecx, %edx ++ ++.ifb \unchecked ++#ifdef CONFIG_PAX_REFCOUNT ++3: ++#endif ++.endif ++ + RESTORE edi + RESTORE esi + RESTORE ebx + RESTORE ebp ++ pax_force_retaddr + ret + CFI_ENDPROC +-ENDPROC(atomic64_\func\()_return_cx8) ++ENDPROC(atomic64_\func\()_return\unchecked\()_cx8) + .endm + + addsub_return add add adc + addsub_return sub sub sbb ++addsub_return add add adc _unchecked ++addsub_return sub sub sbb _unchecked + +-.macro incdec_return func ins insc +-ENTRY(atomic64_\func\()_return_cx8) ++.macro incdec_return func ins insc unchecked="" ++ENTRY(atomic64_\func\()_return\unchecked\()_cx8) + CFI_STARTPROC + SAVE ebx + +@@ -112,21 +155,39 @@ ENTRY(atomic64_\func\()_return_cx8) + movl %edx, %ecx + \ins\()l $1, %ebx + \insc\()l $0, %ecx ++ ++.ifb \unchecked ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++2: ++ _ASM_EXTABLE(2b, 3f) ++#endif ++.endif ++ + LOCK_PREFIX + cmpxchg8b (%esi) + jne 1b + +-10: + movl %ebx, %eax + movl %ecx, %edx ++ ++.ifb \unchecked ++#ifdef CONFIG_PAX_REFCOUNT ++3: ++#endif ++.endif ++ + RESTORE ebx ++ pax_force_retaddr + ret + CFI_ENDPROC +-ENDPROC(atomic64_\func\()_return_cx8) ++ENDPROC(atomic64_\func\()_return\unchecked\()_cx8) + .endm + + incdec_return inc add adc + incdec_return dec sub sbb ++incdec_return inc add adc _unchecked ++incdec_return dec sub sbb _unchecked + + ENTRY(atomic64_dec_if_positive_cx8) + CFI_STARTPROC +@@ -138,6 +199,13 @@ ENTRY(atomic64_dec_if_positive_cx8) + movl %edx, %ecx + subl $1, %ebx + sbb $0, %ecx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 2f) ++#endif ++ + js 2f + LOCK_PREFIX + cmpxchg8b (%esi) +@@ -147,6 +215,7 @@ ENTRY(atomic64_dec_if_positive_cx8) + movl %ebx, %eax + movl %ecx, %edx + RESTORE ebx ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(atomic64_dec_if_positive_cx8) +@@ -171,6 +240,13 @@ ENTRY(atomic64_add_unless_cx8) + movl %edx, %ecx + addl %ebp, %ebx + adcl %edi, %ecx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 3f) ++#endif ++ + LOCK_PREFIX + cmpxchg8b (%esi) + jne 1b +@@ -181,6 +257,7 @@ ENTRY(atomic64_add_unless_cx8) + CFI_ADJUST_CFA_OFFSET -8 + RESTORE ebx + RESTORE ebp ++ pax_force_retaddr + ret + 4: + cmpl %edx, 4(%esp) +@@ -203,6 +280,13 @@ ENTRY(atomic64_inc_not_zero_cx8) + xorl %ecx, %ecx + addl $1, %ebx + adcl %edx, %ecx ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ into ++1234: ++ _ASM_EXTABLE(1234b, 3f) ++#endif ++ + LOCK_PREFIX + cmpxchg8b (%esi) + jne 1b +@@ -210,6 +294,7 @@ ENTRY(atomic64_inc_not_zero_cx8) + movl $1, %eax + 3: + RESTORE ebx ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(atomic64_inc_not_zero_cx8) +diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S +index e78b8ee..7e173a8 100644 +--- a/arch/x86/lib/checksum_32.S ++++ b/arch/x86/lib/checksum_32.S +@@ -29,7 +29,8 @@ + #include + #include + #include +- ++#include ++ + /* + * computes a partial checksum, e.g. for TCP/UDP fragments + */ +@@ -293,9 +294,24 @@ unsigned int csum_partial_copy_generic (const char *src, char *dst, + + #define ARGBASE 16 + #define FP 12 +- +-ENTRY(csum_partial_copy_generic) ++ ++ENTRY(csum_partial_copy_generic_to_user) + CFI_STARTPROC ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pushl_cfi %gs ++ popl_cfi %es ++ jmp csum_partial_copy_generic ++#endif ++ ++ENTRY(csum_partial_copy_generic_from_user) ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pushl_cfi %gs ++ popl_cfi %ds ++#endif ++ ++ENTRY(csum_partial_copy_generic) + subl $4,%esp + CFI_ADJUST_CFA_OFFSET 4 + pushl_cfi %edi +@@ -317,7 +333,7 @@ ENTRY(csum_partial_copy_generic) + jmp 4f + SRC(1: movw (%esi), %bx ) + addl $2, %esi +-DST( movw %bx, (%edi) ) ++DST( movw %bx, %es:(%edi) ) + addl $2, %edi + addw %bx, %ax + adcl $0, %eax +@@ -329,30 +345,30 @@ DST( movw %bx, (%edi) ) + SRC(1: movl (%esi), %ebx ) + SRC( movl 4(%esi), %edx ) + adcl %ebx, %eax +-DST( movl %ebx, (%edi) ) ++DST( movl %ebx, %es:(%edi) ) + adcl %edx, %eax +-DST( movl %edx, 4(%edi) ) ++DST( movl %edx, %es:4(%edi) ) + + SRC( movl 8(%esi), %ebx ) + SRC( movl 12(%esi), %edx ) + adcl %ebx, %eax +-DST( movl %ebx, 8(%edi) ) ++DST( movl %ebx, %es:8(%edi) ) + adcl %edx, %eax +-DST( movl %edx, 12(%edi) ) ++DST( movl %edx, %es:12(%edi) ) + + SRC( movl 16(%esi), %ebx ) + SRC( movl 20(%esi), %edx ) + adcl %ebx, %eax +-DST( movl %ebx, 16(%edi) ) ++DST( movl %ebx, %es:16(%edi) ) + adcl %edx, %eax +-DST( movl %edx, 20(%edi) ) ++DST( movl %edx, %es:20(%edi) ) + + SRC( movl 24(%esi), %ebx ) + SRC( movl 28(%esi), %edx ) + adcl %ebx, %eax +-DST( movl %ebx, 24(%edi) ) ++DST( movl %ebx, %es:24(%edi) ) + adcl %edx, %eax +-DST( movl %edx, 28(%edi) ) ++DST( movl %edx, %es:28(%edi) ) + + lea 32(%esi), %esi + lea 32(%edi), %edi +@@ -366,7 +382,7 @@ DST( movl %edx, 28(%edi) ) + shrl $2, %edx # This clears CF + SRC(3: movl (%esi), %ebx ) + adcl %ebx, %eax +-DST( movl %ebx, (%edi) ) ++DST( movl %ebx, %es:(%edi) ) + lea 4(%esi), %esi + lea 4(%edi), %edi + dec %edx +@@ -378,12 +394,12 @@ DST( movl %ebx, (%edi) ) + jb 5f + SRC( movw (%esi), %cx ) + leal 2(%esi), %esi +-DST( movw %cx, (%edi) ) ++DST( movw %cx, %es:(%edi) ) + leal 2(%edi), %edi + je 6f + shll $16,%ecx + SRC(5: movb (%esi), %cl ) +-DST( movb %cl, (%edi) ) ++DST( movb %cl, %es:(%edi) ) + 6: addl %ecx, %eax + adcl $0, %eax + 7: +@@ -394,7 +410,7 @@ DST( movb %cl, (%edi) ) + + 6001: + movl ARGBASE+20(%esp), %ebx # src_err_ptr +- movl $-EFAULT, (%ebx) ++ movl $-EFAULT, %ss:(%ebx) + + # zero the complete destination - computing the rest + # is too much work +@@ -407,11 +423,15 @@ DST( movb %cl, (%edi) ) + + 6002: + movl ARGBASE+24(%esp), %ebx # dst_err_ptr +- movl $-EFAULT,(%ebx) ++ movl $-EFAULT,%ss:(%ebx) + jmp 5000b + + .previous + ++ pushl_cfi %ss ++ popl_cfi %ds ++ pushl_cfi %ss ++ popl_cfi %es + popl_cfi %ebx + CFI_RESTORE ebx + popl_cfi %esi +@@ -421,26 +441,43 @@ DST( movb %cl, (%edi) ) + popl_cfi %ecx # equivalent to addl $4,%esp + ret + CFI_ENDPROC +-ENDPROC(csum_partial_copy_generic) ++ENDPROC(csum_partial_copy_generic_to_user) + + #else + + /* Version for PentiumII/PPro */ + + #define ROUND1(x) \ ++ nop; nop; nop; \ + SRC(movl x(%esi), %ebx ) ; \ + addl %ebx, %eax ; \ +- DST(movl %ebx, x(%edi) ) ; ++ DST(movl %ebx, %es:x(%edi)) ; + + #define ROUND(x) \ ++ nop; nop; nop; \ + SRC(movl x(%esi), %ebx ) ; \ + adcl %ebx, %eax ; \ +- DST(movl %ebx, x(%edi) ) ; ++ DST(movl %ebx, %es:x(%edi)) ; + + #define ARGBASE 12 +- +-ENTRY(csum_partial_copy_generic) ++ ++ENTRY(csum_partial_copy_generic_to_user) + CFI_STARTPROC ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pushl_cfi %gs ++ popl_cfi %es ++ jmp csum_partial_copy_generic ++#endif ++ ++ENTRY(csum_partial_copy_generic_from_user) ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pushl_cfi %gs ++ popl_cfi %ds ++#endif ++ ++ENTRY(csum_partial_copy_generic) + pushl_cfi %ebx + CFI_REL_OFFSET ebx, 0 + pushl_cfi %edi +@@ -461,7 +498,7 @@ ENTRY(csum_partial_copy_generic) + subl %ebx, %edi + lea -1(%esi),%edx + andl $-32,%edx +- lea 3f(%ebx,%ebx), %ebx ++ lea 3f(%ebx,%ebx,2), %ebx + testl %esi, %esi + jmp *%ebx + 1: addl $64,%esi +@@ -482,19 +519,19 @@ ENTRY(csum_partial_copy_generic) + jb 5f + SRC( movw (%esi), %dx ) + leal 2(%esi), %esi +-DST( movw %dx, (%edi) ) ++DST( movw %dx, %es:(%edi) ) + leal 2(%edi), %edi + je 6f + shll $16,%edx + 5: + SRC( movb (%esi), %dl ) +-DST( movb %dl, (%edi) ) ++DST( movb %dl, %es:(%edi) ) + 6: addl %edx, %eax + adcl $0, %eax + 7: + .section .fixup, "ax" + 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr +- movl $-EFAULT, (%ebx) ++ movl $-EFAULT, %ss:(%ebx) + # zero the complete destination (computing the rest is too much work) + movl ARGBASE+8(%esp),%edi # dst + movl ARGBASE+12(%esp),%ecx # len +@@ -502,10 +539,17 @@ DST( movb %dl, (%edi) ) + rep; stosb + jmp 7b + 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr +- movl $-EFAULT, (%ebx) ++ movl $-EFAULT, %ss:(%ebx) + jmp 7b + .previous + ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pushl_cfi %ss ++ popl_cfi %ds ++ pushl_cfi %ss ++ popl_cfi %es ++#endif ++ + popl_cfi %esi + CFI_RESTORE esi + popl_cfi %edi +@@ -514,7 +558,7 @@ DST( movb %dl, (%edi) ) + CFI_RESTORE ebx + ret + CFI_ENDPROC +-ENDPROC(csum_partial_copy_generic) ++ENDPROC(csum_partial_copy_generic_to_user) + + #undef ROUND + #undef ROUND1 +diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S +index f2145cf..cea889d 100644 +--- a/arch/x86/lib/clear_page_64.S ++++ b/arch/x86/lib/clear_page_64.S +@@ -11,6 +11,7 @@ ENTRY(clear_page_c) + movl $4096/8,%ecx + xorl %eax,%eax + rep stosq ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(clear_page_c) +@@ -20,6 +21,7 @@ ENTRY(clear_page_c_e) + movl $4096,%ecx + xorl %eax,%eax + rep stosb ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(clear_page_c_e) +@@ -43,6 +45,7 @@ ENTRY(clear_page) + leaq 64(%rdi),%rdi + jnz .Lloop + nop ++ pax_force_retaddr + ret + CFI_ENDPROC + .Lclear_page_end: +@@ -58,7 +61,7 @@ ENDPROC(clear_page) + + #include + +- .section .altinstr_replacement,"ax" ++ .section .altinstr_replacement,"a" + 1: .byte 0xeb /* jmp */ + .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */ + 2: .byte 0xeb /* jmp */ +diff --git a/arch/x86/lib/cmpxchg16b_emu.S b/arch/x86/lib/cmpxchg16b_emu.S +index 1e572c5..2a162cd 100644 +--- a/arch/x86/lib/cmpxchg16b_emu.S ++++ b/arch/x86/lib/cmpxchg16b_emu.S +@@ -53,11 +53,13 @@ this_cpu_cmpxchg16b_emu: + + popf + mov $1, %al ++ pax_force_retaddr + ret + + not_same: + popf + xor %al,%al ++ pax_force_retaddr + ret + + CFI_ENDPROC +diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S +index 176cca6..e0d658e 100644 +--- a/arch/x86/lib/copy_page_64.S ++++ b/arch/x86/lib/copy_page_64.S +@@ -9,6 +9,7 @@ copy_page_rep: + CFI_STARTPROC + movl $4096/8, %ecx + rep movsq ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(copy_page_rep) +@@ -24,8 +25,8 @@ ENTRY(copy_page) + CFI_ADJUST_CFA_OFFSET 2*8 + movq %rbx, (%rsp) + CFI_REL_OFFSET rbx, 0 +- movq %r12, 1*8(%rsp) +- CFI_REL_OFFSET r12, 1*8 ++ movq %r13, 1*8(%rsp) ++ CFI_REL_OFFSET r13, 1*8 + + movl $(4096/64)-5, %ecx + .p2align 4 +@@ -38,7 +39,7 @@ ENTRY(copy_page) + movq 0x8*4(%rsi), %r9 + movq 0x8*5(%rsi), %r10 + movq 0x8*6(%rsi), %r11 +- movq 0x8*7(%rsi), %r12 ++ movq 0x8*7(%rsi), %r13 + + prefetcht0 5*64(%rsi) + +@@ -49,7 +50,7 @@ ENTRY(copy_page) + movq %r9, 0x8*4(%rdi) + movq %r10, 0x8*5(%rdi) + movq %r11, 0x8*6(%rdi) +- movq %r12, 0x8*7(%rdi) ++ movq %r13, 0x8*7(%rdi) + + leaq 64 (%rsi), %rsi + leaq 64 (%rdi), %rdi +@@ -68,7 +69,7 @@ ENTRY(copy_page) + movq 0x8*4(%rsi), %r9 + movq 0x8*5(%rsi), %r10 + movq 0x8*6(%rsi), %r11 +- movq 0x8*7(%rsi), %r12 ++ movq 0x8*7(%rsi), %r13 + + movq %rax, 0x8*0(%rdi) + movq %rbx, 0x8*1(%rdi) +@@ -77,7 +78,7 @@ ENTRY(copy_page) + movq %r9, 0x8*4(%rdi) + movq %r10, 0x8*5(%rdi) + movq %r11, 0x8*6(%rdi) +- movq %r12, 0x8*7(%rdi) ++ movq %r13, 0x8*7(%rdi) + + leaq 64(%rdi), %rdi + leaq 64(%rsi), %rsi +@@ -85,10 +86,11 @@ ENTRY(copy_page) + + movq (%rsp), %rbx + CFI_RESTORE rbx +- movq 1*8(%rsp), %r12 +- CFI_RESTORE r12 ++ movq 1*8(%rsp), %r13 ++ CFI_RESTORE r13 + addq $2*8, %rsp + CFI_ADJUST_CFA_OFFSET -2*8 ++ pax_force_retaddr + ret + .Lcopy_page_end: + CFI_ENDPROC +@@ -99,7 +101,7 @@ ENDPROC(copy_page) + + #include + +- .section .altinstr_replacement,"ax" ++ .section .altinstr_replacement,"a" + 1: .byte 0xeb /* jmp */ + .byte (copy_page_rep - copy_page) - (2f - 1b) /* offset */ + 2: +diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S +index dee945d..a84067b 100644 +--- a/arch/x86/lib/copy_user_64.S ++++ b/arch/x86/lib/copy_user_64.S +@@ -18,31 +18,7 @@ + #include + #include + #include +- +-/* +- * By placing feature2 after feature1 in altinstructions section, we logically +- * implement: +- * If CPU has feature2, jmp to alt2 is used +- * else if CPU has feature1, jmp to alt1 is used +- * else jmp to orig is used. +- */ +- .macro ALTERNATIVE_JUMP feature1,feature2,orig,alt1,alt2 +-0: +- .byte 0xe9 /* 32bit jump */ +- .long \orig-1f /* by default jump to orig */ +-1: +- .section .altinstr_replacement,"ax" +-2: .byte 0xe9 /* near jump with 32bit immediate */ +- .long \alt1-1b /* offset */ /* or alternatively to alt1 */ +-3: .byte 0xe9 /* near jump with 32bit immediate */ +- .long \alt2-1b /* offset */ /* or alternatively to alt2 */ +- .previous +- +- .section .altinstructions,"a" +- altinstruction_entry 0b,2b,\feature1,5,5 +- altinstruction_entry 0b,3b,\feature2,5,5 +- .previous +- .endm ++#include + + .macro ALIGN_DESTINATION + #ifdef FIX_ALIGNMENT +@@ -70,52 +46,6 @@ + #endif + .endm + +-/* Standard copy_to_user with segment limit checking */ +-ENTRY(_copy_to_user) +- CFI_STARTPROC +- GET_THREAD_INFO(%rax) +- movq %rdi,%rcx +- addq %rdx,%rcx +- jc bad_to_user +- cmpq TI_addr_limit(%rax),%rcx +- ja bad_to_user +- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \ +- copy_user_generic_unrolled,copy_user_generic_string, \ +- copy_user_enhanced_fast_string +- CFI_ENDPROC +-ENDPROC(_copy_to_user) +- +-/* Standard copy_from_user with segment limit checking */ +-ENTRY(_copy_from_user) +- CFI_STARTPROC +- GET_THREAD_INFO(%rax) +- movq %rsi,%rcx +- addq %rdx,%rcx +- jc bad_from_user +- cmpq TI_addr_limit(%rax),%rcx +- ja bad_from_user +- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \ +- copy_user_generic_unrolled,copy_user_generic_string, \ +- copy_user_enhanced_fast_string +- CFI_ENDPROC +-ENDPROC(_copy_from_user) +- +- .section .fixup,"ax" +- /* must zero dest */ +-ENTRY(bad_from_user) +-bad_from_user: +- CFI_STARTPROC +- movl %edx,%ecx +- xorl %eax,%eax +- rep +- stosb +-bad_to_user: +- movl %edx,%eax +- ret +- CFI_ENDPROC +-ENDPROC(bad_from_user) +- .previous +- + /* + * copy_user_generic_unrolled - memory copy with exception handling. + * This version is for CPUs like P4 that don't have efficient micro +@@ -131,6 +61,7 @@ ENDPROC(bad_from_user) + */ + ENTRY(copy_user_generic_unrolled) + CFI_STARTPROC ++ ASM_PAX_OPEN_USERLAND + ASM_STAC + cmpl $8,%edx + jb 20f /* less then 8 bytes, go to byte copy loop */ +@@ -180,6 +111,8 @@ ENTRY(copy_user_generic_unrolled) + jnz 21b + 23: xor %eax,%eax + ASM_CLAC ++ ASM_PAX_CLOSE_USERLAND ++ pax_force_retaddr + ret + + .section .fixup,"ax" +@@ -235,6 +168,7 @@ ENDPROC(copy_user_generic_unrolled) + */ + ENTRY(copy_user_generic_string) + CFI_STARTPROC ++ ASM_PAX_OPEN_USERLAND + ASM_STAC + cmpl $8,%edx + jb 2f /* less than 8 bytes, go to byte copy loop */ +@@ -249,6 +183,8 @@ ENTRY(copy_user_generic_string) + movsb + xorl %eax,%eax + ASM_CLAC ++ ASM_PAX_CLOSE_USERLAND ++ pax_force_retaddr + ret + + .section .fixup,"ax" +@@ -276,12 +212,15 @@ ENDPROC(copy_user_generic_string) + */ + ENTRY(copy_user_enhanced_fast_string) + CFI_STARTPROC ++ ASM_PAX_OPEN_USERLAND + ASM_STAC + movl %edx,%ecx + 1: rep + movsb + xorl %eax,%eax + ASM_CLAC ++ ASM_PAX_CLOSE_USERLAND ++ pax_force_retaddr + ret + + .section .fixup,"ax" +diff --git a/arch/x86/lib/copy_user_nocache_64.S b/arch/x86/lib/copy_user_nocache_64.S +index 6a4f43c..c70fb52 100644 +--- a/arch/x86/lib/copy_user_nocache_64.S ++++ b/arch/x86/lib/copy_user_nocache_64.S +@@ -8,6 +8,7 @@ + + #include + #include ++#include + + #define FIX_ALIGNMENT 1 + +@@ -16,6 +17,7 @@ + #include + #include + #include ++#include + + .macro ALIGN_DESTINATION + #ifdef FIX_ALIGNMENT +@@ -49,6 +51,16 @@ + */ + ENTRY(__copy_user_nocache) + CFI_STARTPROC ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ mov pax_user_shadow_base,%rcx ++ cmp %rcx,%rsi ++ jae 1f ++ add %rcx,%rsi ++1: ++#endif ++ ++ ASM_PAX_OPEN_USERLAND + ASM_STAC + cmpl $8,%edx + jb 20f /* less then 8 bytes, go to byte copy loop */ +@@ -98,7 +110,9 @@ ENTRY(__copy_user_nocache) + jnz 21b + 23: xorl %eax,%eax + ASM_CLAC ++ ASM_PAX_CLOSE_USERLAND + sfence ++ pax_force_retaddr + ret + + .section .fixup,"ax" +diff --git a/arch/x86/lib/csum-copy_64.S b/arch/x86/lib/csum-copy_64.S +index 2419d5f..fe52d0e 100644 +--- a/arch/x86/lib/csum-copy_64.S ++++ b/arch/x86/lib/csum-copy_64.S +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + /* + * Checksum copy with exception handling. +@@ -56,8 +57,8 @@ ENTRY(csum_partial_copy_generic) + CFI_ADJUST_CFA_OFFSET 7*8 + movq %rbx, 2*8(%rsp) + CFI_REL_OFFSET rbx, 2*8 +- movq %r12, 3*8(%rsp) +- CFI_REL_OFFSET r12, 3*8 ++ movq %r15, 3*8(%rsp) ++ CFI_REL_OFFSET r15, 3*8 + movq %r14, 4*8(%rsp) + CFI_REL_OFFSET r14, 4*8 + movq %r13, 5*8(%rsp) +@@ -72,16 +73,16 @@ ENTRY(csum_partial_copy_generic) + movl %edx, %ecx + + xorl %r9d, %r9d +- movq %rcx, %r12 ++ movq %rcx, %r15 + +- shrq $6, %r12 ++ shrq $6, %r15 + jz .Lhandle_tail /* < 64 */ + + clc + + /* main loop. clear in 64 byte blocks */ + /* r9: zero, r8: temp2, rbx: temp1, rax: sum, rcx: saved length */ +- /* r11: temp3, rdx: temp4, r12 loopcnt */ ++ /* r11: temp3, rdx: temp4, r15 loopcnt */ + /* r10: temp5, rbp: temp6, r14 temp7, r13 temp8 */ + .p2align 4 + .Lloop: +@@ -115,7 +116,7 @@ ENTRY(csum_partial_copy_generic) + adcq %r14, %rax + adcq %r13, %rax + +- decl %r12d ++ decl %r15d + + dest + movq %rbx, (%rsi) +@@ -210,8 +211,8 @@ ENTRY(csum_partial_copy_generic) + .Lende: + movq 2*8(%rsp), %rbx + CFI_RESTORE rbx +- movq 3*8(%rsp), %r12 +- CFI_RESTORE r12 ++ movq 3*8(%rsp), %r15 ++ CFI_RESTORE r15 + movq 4*8(%rsp), %r14 + CFI_RESTORE r14 + movq 5*8(%rsp), %r13 +@@ -220,6 +221,7 @@ ENTRY(csum_partial_copy_generic) + CFI_RESTORE rbp + addq $7*8, %rsp + CFI_ADJUST_CFA_OFFSET -7*8 ++ pax_force_retaddr + ret + CFI_RESTORE_STATE + +diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c +index 7609e0e..b449b98 100644 +--- a/arch/x86/lib/csum-wrappers_64.c ++++ b/arch/x86/lib/csum-wrappers_64.c +@@ -53,10 +53,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst, + len -= 2; + } + } ++ pax_open_userland(); + stac(); +- isum = csum_partial_copy_generic((__force const void *)src, ++ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src), + dst, len, isum, errp, NULL); + clac(); ++ pax_close_userland(); + if (unlikely(*errp)) + goto out_err; + +@@ -110,10 +112,12 @@ csum_partial_copy_to_user(const void *src, void __user *dst, + } + + *errp = 0; ++ pax_open_userland(); + stac(); +- ret = csum_partial_copy_generic(src, (void __force *)dst, ++ ret = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst), + len, isum, NULL, errp); + clac(); ++ pax_close_userland(); + return ret; + } + EXPORT_SYMBOL(csum_partial_copy_to_user); +diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S +index a451235..1daa956 100644 +--- a/arch/x86/lib/getuser.S ++++ b/arch/x86/lib/getuser.S +@@ -33,17 +33,40 @@ + #include + #include + #include ++#include ++#include ++#include ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define __copyuser_seg gs; ++#else ++#define __copyuser_seg ++#endif + + .text + ENTRY(__get_user_1) + CFI_STARTPROC ++ ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user + ASM_STAC +-1: movzbl (%_ASM_AX),%edx ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ mov pax_user_shadow_base,%_ASM_DX ++ cmp %_ASM_DX,%_ASM_AX ++ jae 1234f ++ add %_ASM_DX,%_ASM_AX ++1234: ++#endif ++ ++#endif ++ ++1: __copyuser_seg movzbl (%_ASM_AX),%edx + xor %eax,%eax + ASM_CLAC ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(__get_user_1) +@@ -51,14 +74,28 @@ ENDPROC(__get_user_1) + ENTRY(__get_user_2) + CFI_STARTPROC + add $1,%_ASM_AX ++ ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) + jc bad_get_user + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user + ASM_STAC +-2: movzwl -1(%_ASM_AX),%edx ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ mov pax_user_shadow_base,%_ASM_DX ++ cmp %_ASM_DX,%_ASM_AX ++ jae 1234f ++ add %_ASM_DX,%_ASM_AX ++1234: ++#endif ++ ++#endif ++ ++2: __copyuser_seg movzwl -1(%_ASM_AX),%edx + xor %eax,%eax + ASM_CLAC ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(__get_user_2) +@@ -66,14 +103,28 @@ ENDPROC(__get_user_2) + ENTRY(__get_user_4) + CFI_STARTPROC + add $3,%_ASM_AX ++ ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) + jc bad_get_user + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user + ASM_STAC +-3: movl -3(%_ASM_AX),%edx ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ mov pax_user_shadow_base,%_ASM_DX ++ cmp %_ASM_DX,%_ASM_AX ++ jae 1234f ++ add %_ASM_DX,%_ASM_AX ++1234: ++#endif ++ ++#endif ++ ++3: __copyuser_seg movl -3(%_ASM_AX),%edx + xor %eax,%eax + ASM_CLAC ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(__get_user_4) +@@ -86,10 +137,20 @@ ENTRY(__get_user_8) + GET_THREAD_INFO(%_ASM_DX) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ mov pax_user_shadow_base,%_ASM_DX ++ cmp %_ASM_DX,%_ASM_AX ++ jae 1234f ++ add %_ASM_DX,%_ASM_AX ++1234: ++#endif ++ + ASM_STAC + 4: movq -7(%_ASM_AX),%rdx + xor %eax,%eax + ASM_CLAC ++ pax_force_retaddr + ret + #else + add $7,%_ASM_AX +@@ -98,10 +159,11 @@ ENTRY(__get_user_8) + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX + jae bad_get_user_8 + ASM_STAC +-4: movl -7(%_ASM_AX),%edx +-5: movl -3(%_ASM_AX),%ecx ++4: __copyuser_seg movl -7(%_ASM_AX),%edx ++5: __copyuser_seg movl -3(%_ASM_AX),%ecx + xor %eax,%eax + ASM_CLAC ++ pax_force_retaddr + ret + #endif + CFI_ENDPROC +@@ -113,6 +175,7 @@ bad_get_user: + xor %edx,%edx + mov $(-EFAULT),%_ASM_AX + ASM_CLAC ++ pax_force_retaddr + ret + CFI_ENDPROC + END(bad_get_user) +@@ -124,6 +187,7 @@ bad_get_user_8: + xor %ecx,%ecx + mov $(-EFAULT),%_ASM_AX + ASM_CLAC ++ pax_force_retaddr + ret + CFI_ENDPROC + END(bad_get_user_8) +diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c +index 54fcffe..7be149e 100644 +--- a/arch/x86/lib/insn.c ++++ b/arch/x86/lib/insn.c +@@ -20,8 +20,10 @@ + + #ifdef __KERNEL__ + #include ++#include + #else + #include ++#define ktla_ktva(addr) addr + #endif + #include + #include +@@ -53,8 +55,8 @@ + void insn_init(struct insn *insn, const void *kaddr, int x86_64) + { + memset(insn, 0, sizeof(*insn)); +- insn->kaddr = kaddr; +- insn->next_byte = kaddr; ++ insn->kaddr = ktla_ktva(kaddr); ++ insn->next_byte = ktla_ktva(kaddr); + insn->x86_64 = x86_64 ? 1 : 0; + insn->opnd_bytes = 4; + if (x86_64) +diff --git a/arch/x86/lib/iomap_copy_64.S b/arch/x86/lib/iomap_copy_64.S +index 05a95e7..326f2fa 100644 +--- a/arch/x86/lib/iomap_copy_64.S ++++ b/arch/x86/lib/iomap_copy_64.S +@@ -17,6 +17,7 @@ + + #include + #include ++#include + + /* + * override generic version in lib/iomap_copy.c +@@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy) + CFI_STARTPROC + movl %edx,%ecx + rep movsd ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(__iowrite32_copy) +diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S +index 56313a3..0db417e 100644 +--- a/arch/x86/lib/memcpy_64.S ++++ b/arch/x86/lib/memcpy_64.S +@@ -24,7 +24,7 @@ + * This gets patched over the unrolled variant (below) via the + * alternative instructions framework: + */ +- .section .altinstr_replacement, "ax", @progbits ++ .section .altinstr_replacement, "a", @progbits + .Lmemcpy_c: + movq %rdi, %rax + movq %rdx, %rcx +@@ -33,6 +33,7 @@ + rep movsq + movl %edx, %ecx + rep movsb ++ pax_force_retaddr + ret + .Lmemcpy_e: + .previous +@@ -44,11 +45,12 @@ + * This gets patched over the unrolled variant (below) via the + * alternative instructions framework: + */ +- .section .altinstr_replacement, "ax", @progbits ++ .section .altinstr_replacement, "a", @progbits + .Lmemcpy_c_e: + movq %rdi, %rax + movq %rdx, %rcx + rep movsb ++ pax_force_retaddr + ret + .Lmemcpy_e_e: + .previous +@@ -136,6 +138,7 @@ ENTRY(memcpy) + movq %r9, 1*8(%rdi) + movq %r10, -2*8(%rdi, %rdx) + movq %r11, -1*8(%rdi, %rdx) ++ pax_force_retaddr + retq + .p2align 4 + .Lless_16bytes: +@@ -148,6 +151,7 @@ ENTRY(memcpy) + movq -1*8(%rsi, %rdx), %r9 + movq %r8, 0*8(%rdi) + movq %r9, -1*8(%rdi, %rdx) ++ pax_force_retaddr + retq + .p2align 4 + .Lless_8bytes: +@@ -161,6 +165,7 @@ ENTRY(memcpy) + movl -4(%rsi, %rdx), %r8d + movl %ecx, (%rdi) + movl %r8d, -4(%rdi, %rdx) ++ pax_force_retaddr + retq + .p2align 4 + .Lless_3bytes: +@@ -179,6 +184,7 @@ ENTRY(memcpy) + movb %cl, (%rdi) + + .Lend: ++ pax_force_retaddr + retq + CFI_ENDPROC + ENDPROC(memcpy) +diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S +index 65268a6..dd1de11 100644 +--- a/arch/x86/lib/memmove_64.S ++++ b/arch/x86/lib/memmove_64.S +@@ -202,14 +202,16 @@ ENTRY(memmove) + movb (%rsi), %r11b + movb %r11b, (%rdi) + 13: ++ pax_force_retaddr + retq + CFI_ENDPROC + +- .section .altinstr_replacement,"ax" ++ .section .altinstr_replacement,"a" + .Lmemmove_begin_forward_efs: + /* Forward moving data. */ + movq %rdx, %rcx + rep movsb ++ pax_force_retaddr + retq + .Lmemmove_end_forward_efs: + .previous +diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S +index 2dcb380..2eb79fe 100644 +--- a/arch/x86/lib/memset_64.S ++++ b/arch/x86/lib/memset_64.S +@@ -16,7 +16,7 @@ + * + * rax original destination + */ +- .section .altinstr_replacement, "ax", @progbits ++ .section .altinstr_replacement, "a", @progbits + .Lmemset_c: + movq %rdi,%r9 + movq %rdx,%rcx +@@ -30,6 +30,7 @@ + movl %edx,%ecx + rep stosb + movq %r9,%rax ++ pax_force_retaddr + ret + .Lmemset_e: + .previous +@@ -45,13 +46,14 @@ + * + * rax original destination + */ +- .section .altinstr_replacement, "ax", @progbits ++ .section .altinstr_replacement, "a", @progbits + .Lmemset_c_e: + movq %rdi,%r9 + movb %sil,%al + movq %rdx,%rcx + rep stosb + movq %r9,%rax ++ pax_force_retaddr + ret + .Lmemset_e_e: + .previous +@@ -118,6 +120,7 @@ ENTRY(__memset) + + .Lende: + movq %r10,%rax ++ pax_force_retaddr + ret + + CFI_RESTORE_STATE +diff --git a/arch/x86/lib/mmx_32.c b/arch/x86/lib/mmx_32.c +index c9f2d9b..e7fd2c0 100644 +--- a/arch/x86/lib/mmx_32.c ++++ b/arch/x86/lib/mmx_32.c +@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *from, size_t len) + { + void *p; + int i; ++ unsigned long cr0; + + if (unlikely(in_interrupt())) + return __memcpy(to, from, len); +@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *from, size_t len) + kernel_fpu_begin(); + + __asm__ __volatile__ ( +- "1: prefetch (%0)\n" /* This set is 28 bytes */ +- " prefetch 64(%0)\n" +- " prefetch 128(%0)\n" +- " prefetch 192(%0)\n" +- " prefetch 256(%0)\n" ++ "1: prefetch (%1)\n" /* This set is 28 bytes */ ++ " prefetch 64(%1)\n" ++ " prefetch 128(%1)\n" ++ " prefetch 192(%1)\n" ++ " prefetch 256(%1)\n" + "2: \n" + ".section .fixup, \"ax\"\n" +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */ ++ "3: \n" ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %%cr0, %0\n" ++ " movl %0, %%eax\n" ++ " andl $0xFFFEFFFF, %%eax\n" ++ " movl %%eax, %%cr0\n" ++#endif ++ ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %0, %%cr0\n" ++#endif ++ + " jmp 2b\n" + ".previous\n" + _ASM_EXTABLE(1b, 3b) +- : : "r" (from)); ++ : "=&r" (cr0) : "r" (from) : "ax"); + + for ( ; i > 5; i--) { + __asm__ __volatile__ ( +- "1: prefetch 320(%0)\n" +- "2: movq (%0), %%mm0\n" +- " movq 8(%0), %%mm1\n" +- " movq 16(%0), %%mm2\n" +- " movq 24(%0), %%mm3\n" +- " movq %%mm0, (%1)\n" +- " movq %%mm1, 8(%1)\n" +- " movq %%mm2, 16(%1)\n" +- " movq %%mm3, 24(%1)\n" +- " movq 32(%0), %%mm0\n" +- " movq 40(%0), %%mm1\n" +- " movq 48(%0), %%mm2\n" +- " movq 56(%0), %%mm3\n" +- " movq %%mm0, 32(%1)\n" +- " movq %%mm1, 40(%1)\n" +- " movq %%mm2, 48(%1)\n" +- " movq %%mm3, 56(%1)\n" ++ "1: prefetch 320(%1)\n" ++ "2: movq (%1), %%mm0\n" ++ " movq 8(%1), %%mm1\n" ++ " movq 16(%1), %%mm2\n" ++ " movq 24(%1), %%mm3\n" ++ " movq %%mm0, (%2)\n" ++ " movq %%mm1, 8(%2)\n" ++ " movq %%mm2, 16(%2)\n" ++ " movq %%mm3, 24(%2)\n" ++ " movq 32(%1), %%mm0\n" ++ " movq 40(%1), %%mm1\n" ++ " movq 48(%1), %%mm2\n" ++ " movq 56(%1), %%mm3\n" ++ " movq %%mm0, 32(%2)\n" ++ " movq %%mm1, 40(%2)\n" ++ " movq %%mm2, 48(%2)\n" ++ " movq %%mm3, 56(%2)\n" + ".section .fixup, \"ax\"\n" +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */ ++ "3:\n" ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %%cr0, %0\n" ++ " movl %0, %%eax\n" ++ " andl $0xFFFEFFFF, %%eax\n" ++ " movl %%eax, %%cr0\n" ++#endif ++ ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %0, %%cr0\n" ++#endif ++ + " jmp 2b\n" + ".previous\n" + _ASM_EXTABLE(1b, 3b) +- : : "r" (from), "r" (to) : "memory"); ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax"); + + from += 64; + to += 64; +@@ -158,6 +187,7 @@ static void fast_clear_page(void *page) + static void fast_copy_page(void *to, void *from) + { + int i; ++ unsigned long cr0; + + kernel_fpu_begin(); + +@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, void *from) + * but that is for later. -AV + */ + __asm__ __volatile__( +- "1: prefetch (%0)\n" +- " prefetch 64(%0)\n" +- " prefetch 128(%0)\n" +- " prefetch 192(%0)\n" +- " prefetch 256(%0)\n" ++ "1: prefetch (%1)\n" ++ " prefetch 64(%1)\n" ++ " prefetch 128(%1)\n" ++ " prefetch 192(%1)\n" ++ " prefetch 256(%1)\n" + "2: \n" + ".section .fixup, \"ax\"\n" +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */ ++ "3: \n" ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %%cr0, %0\n" ++ " movl %0, %%eax\n" ++ " andl $0xFFFEFFFF, %%eax\n" ++ " movl %%eax, %%cr0\n" ++#endif ++ ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %0, %%cr0\n" ++#endif ++ + " jmp 2b\n" + ".previous\n" +- _ASM_EXTABLE(1b, 3b) : : "r" (from)); ++ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax"); + + for (i = 0; i < (4096-320)/64; i++) { + __asm__ __volatile__ ( +- "1: prefetch 320(%0)\n" +- "2: movq (%0), %%mm0\n" +- " movntq %%mm0, (%1)\n" +- " movq 8(%0), %%mm1\n" +- " movntq %%mm1, 8(%1)\n" +- " movq 16(%0), %%mm2\n" +- " movntq %%mm2, 16(%1)\n" +- " movq 24(%0), %%mm3\n" +- " movntq %%mm3, 24(%1)\n" +- " movq 32(%0), %%mm4\n" +- " movntq %%mm4, 32(%1)\n" +- " movq 40(%0), %%mm5\n" +- " movntq %%mm5, 40(%1)\n" +- " movq 48(%0), %%mm6\n" +- " movntq %%mm6, 48(%1)\n" +- " movq 56(%0), %%mm7\n" +- " movntq %%mm7, 56(%1)\n" ++ "1: prefetch 320(%1)\n" ++ "2: movq (%1), %%mm0\n" ++ " movntq %%mm0, (%2)\n" ++ " movq 8(%1), %%mm1\n" ++ " movntq %%mm1, 8(%2)\n" ++ " movq 16(%1), %%mm2\n" ++ " movntq %%mm2, 16(%2)\n" ++ " movq 24(%1), %%mm3\n" ++ " movntq %%mm3, 24(%2)\n" ++ " movq 32(%1), %%mm4\n" ++ " movntq %%mm4, 32(%2)\n" ++ " movq 40(%1), %%mm5\n" ++ " movntq %%mm5, 40(%2)\n" ++ " movq 48(%1), %%mm6\n" ++ " movntq %%mm6, 48(%2)\n" ++ " movq 56(%1), %%mm7\n" ++ " movntq %%mm7, 56(%2)\n" + ".section .fixup, \"ax\"\n" +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */ ++ "3:\n" ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %%cr0, %0\n" ++ " movl %0, %%eax\n" ++ " andl $0xFFFEFFFF, %%eax\n" ++ " movl %%eax, %%cr0\n" ++#endif ++ ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %0, %%cr0\n" ++#endif ++ + " jmp 2b\n" + ".previous\n" +- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory"); ++ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax"); + + from += 64; + to += 64; +@@ -280,47 +338,76 @@ static void fast_clear_page(void *page) + static void fast_copy_page(void *to, void *from) + { + int i; ++ unsigned long cr0; + + kernel_fpu_begin(); + + __asm__ __volatile__ ( +- "1: prefetch (%0)\n" +- " prefetch 64(%0)\n" +- " prefetch 128(%0)\n" +- " prefetch 192(%0)\n" +- " prefetch 256(%0)\n" ++ "1: prefetch (%1)\n" ++ " prefetch 64(%1)\n" ++ " prefetch 128(%1)\n" ++ " prefetch 192(%1)\n" ++ " prefetch 256(%1)\n" + "2: \n" + ".section .fixup, \"ax\"\n" +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */ ++ "3: \n" ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %%cr0, %0\n" ++ " movl %0, %%eax\n" ++ " andl $0xFFFEFFFF, %%eax\n" ++ " movl %%eax, %%cr0\n" ++#endif ++ ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %0, %%cr0\n" ++#endif ++ + " jmp 2b\n" + ".previous\n" +- _ASM_EXTABLE(1b, 3b) : : "r" (from)); ++ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax"); + + for (i = 0; i < 4096/64; i++) { + __asm__ __volatile__ ( +- "1: prefetch 320(%0)\n" +- "2: movq (%0), %%mm0\n" +- " movq 8(%0), %%mm1\n" +- " movq 16(%0), %%mm2\n" +- " movq 24(%0), %%mm3\n" +- " movq %%mm0, (%1)\n" +- " movq %%mm1, 8(%1)\n" +- " movq %%mm2, 16(%1)\n" +- " movq %%mm3, 24(%1)\n" +- " movq 32(%0), %%mm0\n" +- " movq 40(%0), %%mm1\n" +- " movq 48(%0), %%mm2\n" +- " movq 56(%0), %%mm3\n" +- " movq %%mm0, 32(%1)\n" +- " movq %%mm1, 40(%1)\n" +- " movq %%mm2, 48(%1)\n" +- " movq %%mm3, 56(%1)\n" ++ "1: prefetch 320(%1)\n" ++ "2: movq (%1), %%mm0\n" ++ " movq 8(%1), %%mm1\n" ++ " movq 16(%1), %%mm2\n" ++ " movq 24(%1), %%mm3\n" ++ " movq %%mm0, (%2)\n" ++ " movq %%mm1, 8(%2)\n" ++ " movq %%mm2, 16(%2)\n" ++ " movq %%mm3, 24(%2)\n" ++ " movq 32(%1), %%mm0\n" ++ " movq 40(%1), %%mm1\n" ++ " movq 48(%1), %%mm2\n" ++ " movq 56(%1), %%mm3\n" ++ " movq %%mm0, 32(%2)\n" ++ " movq %%mm1, 40(%2)\n" ++ " movq %%mm2, 48(%2)\n" ++ " movq %%mm3, 56(%2)\n" + ".section .fixup, \"ax\"\n" +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */ ++ "3:\n" ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %%cr0, %0\n" ++ " movl %0, %%eax\n" ++ " andl $0xFFFEFFFF, %%eax\n" ++ " movl %%eax, %%cr0\n" ++#endif ++ ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */ ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ " movl %0, %%cr0\n" ++#endif ++ + " jmp 2b\n" + ".previous\n" + _ASM_EXTABLE(1b, 3b) +- : : "r" (from), "r" (to) : "memory"); ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax"); + + from += 64; + to += 64; +diff --git a/arch/x86/lib/msr-reg.S b/arch/x86/lib/msr-reg.S +index f6d13ee..d789440 100644 +--- a/arch/x86/lib/msr-reg.S ++++ b/arch/x86/lib/msr-reg.S +@@ -3,6 +3,7 @@ + #include + #include + #include ++#include + + #ifdef CONFIG_X86_64 + /* +@@ -37,6 +38,7 @@ ENTRY(\op\()_safe_regs) + movl %edi, 28(%r10) + popq_cfi %rbp + popq_cfi %rbx ++ pax_force_retaddr + ret + 3: + CFI_RESTORE_STATE +diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S +index fc6ba17..d4d989d 100644 +--- a/arch/x86/lib/putuser.S ++++ b/arch/x86/lib/putuser.S +@@ -16,7 +16,9 @@ + #include + #include + #include +- ++#include ++#include ++#include + + /* + * __put_user_X +@@ -30,57 +32,125 @@ + * as they get called from within inline assembly. + */ + +-#define ENTER CFI_STARTPROC ; \ +- GET_THREAD_INFO(%_ASM_BX) +-#define EXIT ASM_CLAC ; \ +- ret ; \ ++#define ENTER CFI_STARTPROC ++#define EXIT ASM_CLAC ; \ ++ pax_force_retaddr ; \ ++ ret ; \ + CFI_ENDPROC + ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define _DEST %_ASM_CX,%_ASM_BX ++#else ++#define _DEST %_ASM_CX ++#endif ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#define __copyuser_seg gs; ++#else ++#define __copyuser_seg ++#endif ++ + .text + ENTRY(__put_user_1) + ENTER ++ ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) ++ GET_THREAD_INFO(%_ASM_BX) + cmp TI_addr_limit(%_ASM_BX),%_ASM_CX + jae bad_put_user + ASM_STAC +-1: movb %al,(%_ASM_CX) ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ mov pax_user_shadow_base,%_ASM_BX ++ cmp %_ASM_BX,%_ASM_CX ++ jb 1234f ++ xor %ebx,%ebx ++1234: ++#endif ++ ++#endif ++ ++1: __copyuser_seg movb %al,(_DEST) + xor %eax,%eax + EXIT + ENDPROC(__put_user_1) + + ENTRY(__put_user_2) + ENTER ++ ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) ++ GET_THREAD_INFO(%_ASM_BX) + mov TI_addr_limit(%_ASM_BX),%_ASM_BX + sub $1,%_ASM_BX + cmp %_ASM_BX,%_ASM_CX + jae bad_put_user + ASM_STAC +-2: movw %ax,(%_ASM_CX) ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ mov pax_user_shadow_base,%_ASM_BX ++ cmp %_ASM_BX,%_ASM_CX ++ jb 1234f ++ xor %ebx,%ebx ++1234: ++#endif ++ ++#endif ++ ++2: __copyuser_seg movw %ax,(_DEST) + xor %eax,%eax + EXIT + ENDPROC(__put_user_2) + + ENTRY(__put_user_4) + ENTER ++ ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) ++ GET_THREAD_INFO(%_ASM_BX) + mov TI_addr_limit(%_ASM_BX),%_ASM_BX + sub $3,%_ASM_BX + cmp %_ASM_BX,%_ASM_CX + jae bad_put_user + ASM_STAC +-3: movl %eax,(%_ASM_CX) ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ mov pax_user_shadow_base,%_ASM_BX ++ cmp %_ASM_BX,%_ASM_CX ++ jb 1234f ++ xor %ebx,%ebx ++1234: ++#endif ++ ++#endif ++ ++3: __copyuser_seg movl %eax,(_DEST) + xor %eax,%eax + EXIT + ENDPROC(__put_user_4) + + ENTRY(__put_user_8) + ENTER ++ ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF) ++ GET_THREAD_INFO(%_ASM_BX) + mov TI_addr_limit(%_ASM_BX),%_ASM_BX + sub $7,%_ASM_BX + cmp %_ASM_BX,%_ASM_CX + jae bad_put_user + ASM_STAC +-4: mov %_ASM_AX,(%_ASM_CX) ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ mov pax_user_shadow_base,%_ASM_BX ++ cmp %_ASM_BX,%_ASM_CX ++ jb 1234f ++ xor %ebx,%ebx ++1234: ++#endif ++ ++#endif ++ ++4: __copyuser_seg mov %_ASM_AX,(_DEST) + #ifdef CONFIG_X86_32 +-5: movl %edx,4(%_ASM_CX) ++5: __copyuser_seg movl %edx,4(_DEST) + #endif + xor %eax,%eax + EXIT +diff --git a/arch/x86/lib/rwlock.S b/arch/x86/lib/rwlock.S +index 1cad221..de671ee 100644 +--- a/arch/x86/lib/rwlock.S ++++ b/arch/x86/lib/rwlock.S +@@ -16,13 +16,34 @@ ENTRY(__write_lock_failed) + FRAME + 0: LOCK_PREFIX + WRITE_LOCK_ADD($RW_LOCK_BIAS) (%__lock_ptr) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ jno 1234f ++ LOCK_PREFIX ++ WRITE_LOCK_SUB($RW_LOCK_BIAS) (%__lock_ptr) ++ int $4 ++1234: ++ _ASM_EXTABLE(1234b, 1234b) ++#endif ++ + 1: rep; nop + cmpl $WRITE_LOCK_CMP, (%__lock_ptr) + jne 1b + LOCK_PREFIX + WRITE_LOCK_SUB($RW_LOCK_BIAS) (%__lock_ptr) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ jno 1234f ++ LOCK_PREFIX ++ WRITE_LOCK_ADD($RW_LOCK_BIAS) (%__lock_ptr) ++ int $4 ++1234: ++ _ASM_EXTABLE(1234b, 1234b) ++#endif ++ + jnz 0b + ENDFRAME ++ pax_force_retaddr + ret + CFI_ENDPROC + END(__write_lock_failed) +@@ -32,13 +53,34 @@ ENTRY(__read_lock_failed) + FRAME + 0: LOCK_PREFIX + READ_LOCK_SIZE(inc) (%__lock_ptr) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ jno 1234f ++ LOCK_PREFIX ++ READ_LOCK_SIZE(dec) (%__lock_ptr) ++ int $4 ++1234: ++ _ASM_EXTABLE(1234b, 1234b) ++#endif ++ + 1: rep; nop + READ_LOCK_SIZE(cmp) $1, (%__lock_ptr) + js 1b + LOCK_PREFIX + READ_LOCK_SIZE(dec) (%__lock_ptr) ++ ++#ifdef CONFIG_PAX_REFCOUNT ++ jno 1234f ++ LOCK_PREFIX ++ READ_LOCK_SIZE(inc) (%__lock_ptr) ++ int $4 ++1234: ++ _ASM_EXTABLE(1234b, 1234b) ++#endif ++ + js 0b + ENDFRAME ++ pax_force_retaddr + ret + CFI_ENDPROC + END(__read_lock_failed) +diff --git a/arch/x86/lib/rwsem.S b/arch/x86/lib/rwsem.S +index 5dff5f0..cadebf4 100644 +--- a/arch/x86/lib/rwsem.S ++++ b/arch/x86/lib/rwsem.S +@@ -94,6 +94,7 @@ ENTRY(call_rwsem_down_read_failed) + __ASM_SIZE(pop,_cfi) %__ASM_REG(dx) + CFI_RESTORE __ASM_REG(dx) + restore_common_regs ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(call_rwsem_down_read_failed) +@@ -104,6 +105,7 @@ ENTRY(call_rwsem_down_write_failed) + movq %rax,%rdi + call rwsem_down_write_failed + restore_common_regs ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(call_rwsem_down_write_failed) +@@ -117,7 +119,8 @@ ENTRY(call_rwsem_wake) + movq %rax,%rdi + call rwsem_wake + restore_common_regs +-1: ret ++1: pax_force_retaddr ++ ret + CFI_ENDPROC + ENDPROC(call_rwsem_wake) + +@@ -131,6 +134,7 @@ ENTRY(call_rwsem_downgrade_wake) + __ASM_SIZE(pop,_cfi) %__ASM_REG(dx) + CFI_RESTORE __ASM_REG(dx) + restore_common_regs ++ pax_force_retaddr + ret + CFI_ENDPROC + ENDPROC(call_rwsem_downgrade_wake) +diff --git a/arch/x86/lib/thunk_64.S b/arch/x86/lib/thunk_64.S +index a63efd6..8149fbe 100644 +--- a/arch/x86/lib/thunk_64.S ++++ b/arch/x86/lib/thunk_64.S +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + /* rdi: arg1 ... normal C conventions. rax is saved/restored. */ + .macro THUNK name, func, put_ret_addr_in_rdi=0 +@@ -15,11 +16,11 @@ + \name: + CFI_STARTPROC + +- /* this one pushes 9 elems, the next one would be %rIP */ +- SAVE_ARGS ++ /* this one pushes 15+1 elems, the next one would be %rIP */ ++ SAVE_ARGS 8 + + .if \put_ret_addr_in_rdi +- movq_cfi_restore 9*8, rdi ++ movq_cfi_restore RIP, rdi + .endif + + call \func +@@ -38,8 +39,9 @@ + + /* SAVE_ARGS below is used only for the .cfi directives it contains. */ + CFI_STARTPROC +- SAVE_ARGS ++ SAVE_ARGS 8 + restore: +- RESTORE_ARGS ++ RESTORE_ARGS 1,8 ++ pax_force_retaddr + ret + CFI_ENDPROC +diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c +index e2f5e21..4b22130 100644 +--- a/arch/x86/lib/usercopy_32.c ++++ b/arch/x86/lib/usercopy_32.c +@@ -42,11 +42,13 @@ do { \ + int __d0; \ + might_fault(); \ + __asm__ __volatile__( \ ++ __COPYUSER_SET_ES \ + ASM_STAC "\n" \ + "0: rep; stosl\n" \ + " movl %2,%0\n" \ + "1: rep; stosb\n" \ + "2: " ASM_CLAC "\n" \ ++ __COPYUSER_RESTORE_ES \ + ".section .fixup,\"ax\"\n" \ + "3: lea 0(%2,%0,4),%0\n" \ + " jmp 2b\n" \ +@@ -98,7 +100,7 @@ EXPORT_SYMBOL(__clear_user); + + #ifdef CONFIG_X86_INTEL_USERCOPY + static unsigned long +-__copy_user_intel(void __user *to, const void *from, unsigned long size) ++__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size) + { + int d0, d1; + __asm__ __volatile__( +@@ -110,36 +112,36 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size) + " .align 2,0x90\n" + "3: movl 0(%4), %%eax\n" + "4: movl 4(%4), %%edx\n" +- "5: movl %%eax, 0(%3)\n" +- "6: movl %%edx, 4(%3)\n" ++ "5: "__copyuser_seg" movl %%eax, 0(%3)\n" ++ "6: "__copyuser_seg" movl %%edx, 4(%3)\n" + "7: movl 8(%4), %%eax\n" + "8: movl 12(%4),%%edx\n" +- "9: movl %%eax, 8(%3)\n" +- "10: movl %%edx, 12(%3)\n" ++ "9: "__copyuser_seg" movl %%eax, 8(%3)\n" ++ "10: "__copyuser_seg" movl %%edx, 12(%3)\n" + "11: movl 16(%4), %%eax\n" + "12: movl 20(%4), %%edx\n" +- "13: movl %%eax, 16(%3)\n" +- "14: movl %%edx, 20(%3)\n" ++ "13: "__copyuser_seg" movl %%eax, 16(%3)\n" ++ "14: "__copyuser_seg" movl %%edx, 20(%3)\n" + "15: movl 24(%4), %%eax\n" + "16: movl 28(%4), %%edx\n" +- "17: movl %%eax, 24(%3)\n" +- "18: movl %%edx, 28(%3)\n" ++ "17: "__copyuser_seg" movl %%eax, 24(%3)\n" ++ "18: "__copyuser_seg" movl %%edx, 28(%3)\n" + "19: movl 32(%4), %%eax\n" + "20: movl 36(%4), %%edx\n" +- "21: movl %%eax, 32(%3)\n" +- "22: movl %%edx, 36(%3)\n" ++ "21: "__copyuser_seg" movl %%eax, 32(%3)\n" ++ "22: "__copyuser_seg" movl %%edx, 36(%3)\n" + "23: movl 40(%4), %%eax\n" + "24: movl 44(%4), %%edx\n" +- "25: movl %%eax, 40(%3)\n" +- "26: movl %%edx, 44(%3)\n" ++ "25: "__copyuser_seg" movl %%eax, 40(%3)\n" ++ "26: "__copyuser_seg" movl %%edx, 44(%3)\n" + "27: movl 48(%4), %%eax\n" + "28: movl 52(%4), %%edx\n" +- "29: movl %%eax, 48(%3)\n" +- "30: movl %%edx, 52(%3)\n" ++ "29: "__copyuser_seg" movl %%eax, 48(%3)\n" ++ "30: "__copyuser_seg" movl %%edx, 52(%3)\n" + "31: movl 56(%4), %%eax\n" + "32: movl 60(%4), %%edx\n" +- "33: movl %%eax, 56(%3)\n" +- "34: movl %%edx, 60(%3)\n" ++ "33: "__copyuser_seg" movl %%eax, 56(%3)\n" ++ "34: "__copyuser_seg" movl %%edx, 60(%3)\n" + " addl $-64, %0\n" + " addl $64, %4\n" + " addl $64, %3\n" +@@ -149,10 +151,116 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size) + " shrl $2, %0\n" + " andl $3, %%eax\n" + " cld\n" ++ __COPYUSER_SET_ES + "99: rep; movsl\n" + "36: movl %%eax, %0\n" + "37: rep; movsb\n" + "100:\n" ++ __COPYUSER_RESTORE_ES ++ ".section .fixup,\"ax\"\n" ++ "101: lea 0(%%eax,%0,4),%0\n" ++ " jmp 100b\n" ++ ".previous\n" ++ _ASM_EXTABLE(1b,100b) ++ _ASM_EXTABLE(2b,100b) ++ _ASM_EXTABLE(3b,100b) ++ _ASM_EXTABLE(4b,100b) ++ _ASM_EXTABLE(5b,100b) ++ _ASM_EXTABLE(6b,100b) ++ _ASM_EXTABLE(7b,100b) ++ _ASM_EXTABLE(8b,100b) ++ _ASM_EXTABLE(9b,100b) ++ _ASM_EXTABLE(10b,100b) ++ _ASM_EXTABLE(11b,100b) ++ _ASM_EXTABLE(12b,100b) ++ _ASM_EXTABLE(13b,100b) ++ _ASM_EXTABLE(14b,100b) ++ _ASM_EXTABLE(15b,100b) ++ _ASM_EXTABLE(16b,100b) ++ _ASM_EXTABLE(17b,100b) ++ _ASM_EXTABLE(18b,100b) ++ _ASM_EXTABLE(19b,100b) ++ _ASM_EXTABLE(20b,100b) ++ _ASM_EXTABLE(21b,100b) ++ _ASM_EXTABLE(22b,100b) ++ _ASM_EXTABLE(23b,100b) ++ _ASM_EXTABLE(24b,100b) ++ _ASM_EXTABLE(25b,100b) ++ _ASM_EXTABLE(26b,100b) ++ _ASM_EXTABLE(27b,100b) ++ _ASM_EXTABLE(28b,100b) ++ _ASM_EXTABLE(29b,100b) ++ _ASM_EXTABLE(30b,100b) ++ _ASM_EXTABLE(31b,100b) ++ _ASM_EXTABLE(32b,100b) ++ _ASM_EXTABLE(33b,100b) ++ _ASM_EXTABLE(34b,100b) ++ _ASM_EXTABLE(35b,100b) ++ _ASM_EXTABLE(36b,100b) ++ _ASM_EXTABLE(37b,100b) ++ _ASM_EXTABLE(99b,101b) ++ : "=&c"(size), "=&D" (d0), "=&S" (d1) ++ : "1"(to), "2"(from), "0"(size) ++ : "eax", "edx", "memory"); ++ return size; ++} ++ ++static unsigned long ++__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size) ++{ ++ int d0, d1; ++ __asm__ __volatile__( ++ " .align 2,0x90\n" ++ "1: "__copyuser_seg" movl 32(%4), %%eax\n" ++ " cmpl $67, %0\n" ++ " jbe 3f\n" ++ "2: "__copyuser_seg" movl 64(%4), %%eax\n" ++ " .align 2,0x90\n" ++ "3: "__copyuser_seg" movl 0(%4), %%eax\n" ++ "4: "__copyuser_seg" movl 4(%4), %%edx\n" ++ "5: movl %%eax, 0(%3)\n" ++ "6: movl %%edx, 4(%3)\n" ++ "7: "__copyuser_seg" movl 8(%4), %%eax\n" ++ "8: "__copyuser_seg" movl 12(%4),%%edx\n" ++ "9: movl %%eax, 8(%3)\n" ++ "10: movl %%edx, 12(%3)\n" ++ "11: "__copyuser_seg" movl 16(%4), %%eax\n" ++ "12: "__copyuser_seg" movl 20(%4), %%edx\n" ++ "13: movl %%eax, 16(%3)\n" ++ "14: movl %%edx, 20(%3)\n" ++ "15: "__copyuser_seg" movl 24(%4), %%eax\n" ++ "16: "__copyuser_seg" movl 28(%4), %%edx\n" ++ "17: movl %%eax, 24(%3)\n" ++ "18: movl %%edx, 28(%3)\n" ++ "19: "__copyuser_seg" movl 32(%4), %%eax\n" ++ "20: "__copyuser_seg" movl 36(%4), %%edx\n" ++ "21: movl %%eax, 32(%3)\n" ++ "22: movl %%edx, 36(%3)\n" ++ "23: "__copyuser_seg" movl 40(%4), %%eax\n" ++ "24: "__copyuser_seg" movl 44(%4), %%edx\n" ++ "25: movl %%eax, 40(%3)\n" ++ "26: movl %%edx, 44(%3)\n" ++ "27: "__copyuser_seg" movl 48(%4), %%eax\n" ++ "28: "__copyuser_seg" movl 52(%4), %%edx\n" ++ "29: movl %%eax, 48(%3)\n" ++ "30: movl %%edx, 52(%3)\n" ++ "31: "__copyuser_seg" movl 56(%4), %%eax\n" ++ "32: "__copyuser_seg" movl 60(%4), %%edx\n" ++ "33: movl %%eax, 56(%3)\n" ++ "34: movl %%edx, 60(%3)\n" ++ " addl $-64, %0\n" ++ " addl $64, %4\n" ++ " addl $64, %3\n" ++ " cmpl $63, %0\n" ++ " ja 1b\n" ++ "35: movl %0, %%eax\n" ++ " shrl $2, %0\n" ++ " andl $3, %%eax\n" ++ " cld\n" ++ "99: rep; "__copyuser_seg" movsl\n" ++ "36: movl %%eax, %0\n" ++ "37: rep; "__copyuser_seg" movsb\n" ++ "100:\n" + ".section .fixup,\"ax\"\n" + "101: lea 0(%%eax,%0,4),%0\n" + " jmp 100b\n" +@@ -207,41 +315,41 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size) + int d0, d1; + __asm__ __volatile__( + " .align 2,0x90\n" +- "0: movl 32(%4), %%eax\n" ++ "0: "__copyuser_seg" movl 32(%4), %%eax\n" + " cmpl $67, %0\n" + " jbe 2f\n" +- "1: movl 64(%4), %%eax\n" ++ "1: "__copyuser_seg" movl 64(%4), %%eax\n" + " .align 2,0x90\n" +- "2: movl 0(%4), %%eax\n" +- "21: movl 4(%4), %%edx\n" ++ "2: "__copyuser_seg" movl 0(%4), %%eax\n" ++ "21: "__copyuser_seg" movl 4(%4), %%edx\n" + " movl %%eax, 0(%3)\n" + " movl %%edx, 4(%3)\n" +- "3: movl 8(%4), %%eax\n" +- "31: movl 12(%4),%%edx\n" ++ "3: "__copyuser_seg" movl 8(%4), %%eax\n" ++ "31: "__copyuser_seg" movl 12(%4),%%edx\n" + " movl %%eax, 8(%3)\n" + " movl %%edx, 12(%3)\n" +- "4: movl 16(%4), %%eax\n" +- "41: movl 20(%4), %%edx\n" ++ "4: "__copyuser_seg" movl 16(%4), %%eax\n" ++ "41: "__copyuser_seg" movl 20(%4), %%edx\n" + " movl %%eax, 16(%3)\n" + " movl %%edx, 20(%3)\n" +- "10: movl 24(%4), %%eax\n" +- "51: movl 28(%4), %%edx\n" ++ "10: "__copyuser_seg" movl 24(%4), %%eax\n" ++ "51: "__copyuser_seg" movl 28(%4), %%edx\n" + " movl %%eax, 24(%3)\n" + " movl %%edx, 28(%3)\n" +- "11: movl 32(%4), %%eax\n" +- "61: movl 36(%4), %%edx\n" ++ "11: "__copyuser_seg" movl 32(%4), %%eax\n" ++ "61: "__copyuser_seg" movl 36(%4), %%edx\n" + " movl %%eax, 32(%3)\n" + " movl %%edx, 36(%3)\n" +- "12: movl 40(%4), %%eax\n" +- "71: movl 44(%4), %%edx\n" ++ "12: "__copyuser_seg" movl 40(%4), %%eax\n" ++ "71: "__copyuser_seg" movl 44(%4), %%edx\n" + " movl %%eax, 40(%3)\n" + " movl %%edx, 44(%3)\n" +- "13: movl 48(%4), %%eax\n" +- "81: movl 52(%4), %%edx\n" ++ "13: "__copyuser_seg" movl 48(%4), %%eax\n" ++ "81: "__copyuser_seg" movl 52(%4), %%edx\n" + " movl %%eax, 48(%3)\n" + " movl %%edx, 52(%3)\n" +- "14: movl 56(%4), %%eax\n" +- "91: movl 60(%4), %%edx\n" ++ "14: "__copyuser_seg" movl 56(%4), %%eax\n" ++ "91: "__copyuser_seg" movl 60(%4), %%edx\n" + " movl %%eax, 56(%3)\n" + " movl %%edx, 60(%3)\n" + " addl $-64, %0\n" +@@ -253,9 +361,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size) + " shrl $2, %0\n" + " andl $3, %%eax\n" + " cld\n" +- "6: rep; movsl\n" ++ "6: rep; "__copyuser_seg" movsl\n" + " movl %%eax,%0\n" +- "7: rep; movsb\n" ++ "7: rep; "__copyuser_seg" movsb\n" + "8:\n" + ".section .fixup,\"ax\"\n" + "9: lea 0(%%eax,%0,4),%0\n" +@@ -305,41 +413,41 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to, + + __asm__ __volatile__( + " .align 2,0x90\n" +- "0: movl 32(%4), %%eax\n" ++ "0: "__copyuser_seg" movl 32(%4), %%eax\n" + " cmpl $67, %0\n" + " jbe 2f\n" +- "1: movl 64(%4), %%eax\n" ++ "1: "__copyuser_seg" movl 64(%4), %%eax\n" + " .align 2,0x90\n" +- "2: movl 0(%4), %%eax\n" +- "21: movl 4(%4), %%edx\n" ++ "2: "__copyuser_seg" movl 0(%4), %%eax\n" ++ "21: "__copyuser_seg" movl 4(%4), %%edx\n" + " movnti %%eax, 0(%3)\n" + " movnti %%edx, 4(%3)\n" +- "3: movl 8(%4), %%eax\n" +- "31: movl 12(%4),%%edx\n" ++ "3: "__copyuser_seg" movl 8(%4), %%eax\n" ++ "31: "__copyuser_seg" movl 12(%4),%%edx\n" + " movnti %%eax, 8(%3)\n" + " movnti %%edx, 12(%3)\n" +- "4: movl 16(%4), %%eax\n" +- "41: movl 20(%4), %%edx\n" ++ "4: "__copyuser_seg" movl 16(%4), %%eax\n" ++ "41: "__copyuser_seg" movl 20(%4), %%edx\n" + " movnti %%eax, 16(%3)\n" + " movnti %%edx, 20(%3)\n" +- "10: movl 24(%4), %%eax\n" +- "51: movl 28(%4), %%edx\n" ++ "10: "__copyuser_seg" movl 24(%4), %%eax\n" ++ "51: "__copyuser_seg" movl 28(%4), %%edx\n" + " movnti %%eax, 24(%3)\n" + " movnti %%edx, 28(%3)\n" +- "11: movl 32(%4), %%eax\n" +- "61: movl 36(%4), %%edx\n" ++ "11: "__copyuser_seg" movl 32(%4), %%eax\n" ++ "61: "__copyuser_seg" movl 36(%4), %%edx\n" + " movnti %%eax, 32(%3)\n" + " movnti %%edx, 36(%3)\n" +- "12: movl 40(%4), %%eax\n" +- "71: movl 44(%4), %%edx\n" ++ "12: "__copyuser_seg" movl 40(%4), %%eax\n" ++ "71: "__copyuser_seg" movl 44(%4), %%edx\n" + " movnti %%eax, 40(%3)\n" + " movnti %%edx, 44(%3)\n" +- "13: movl 48(%4), %%eax\n" +- "81: movl 52(%4), %%edx\n" ++ "13: "__copyuser_seg" movl 48(%4), %%eax\n" ++ "81: "__copyuser_seg" movl 52(%4), %%edx\n" + " movnti %%eax, 48(%3)\n" + " movnti %%edx, 52(%3)\n" +- "14: movl 56(%4), %%eax\n" +- "91: movl 60(%4), %%edx\n" ++ "14: "__copyuser_seg" movl 56(%4), %%eax\n" ++ "91: "__copyuser_seg" movl 60(%4), %%edx\n" + " movnti %%eax, 56(%3)\n" + " movnti %%edx, 60(%3)\n" + " addl $-64, %0\n" +@@ -352,9 +460,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to, + " shrl $2, %0\n" + " andl $3, %%eax\n" + " cld\n" +- "6: rep; movsl\n" ++ "6: rep; "__copyuser_seg" movsl\n" + " movl %%eax,%0\n" +- "7: rep; movsb\n" ++ "7: rep; "__copyuser_seg" movsb\n" + "8:\n" + ".section .fixup,\"ax\"\n" + "9: lea 0(%%eax,%0,4),%0\n" +@@ -399,41 +507,41 @@ static unsigned long __copy_user_intel_nocache(void *to, + + __asm__ __volatile__( + " .align 2,0x90\n" +- "0: movl 32(%4), %%eax\n" ++ "0: "__copyuser_seg" movl 32(%4), %%eax\n" + " cmpl $67, %0\n" + " jbe 2f\n" +- "1: movl 64(%4), %%eax\n" ++ "1: "__copyuser_seg" movl 64(%4), %%eax\n" + " .align 2,0x90\n" +- "2: movl 0(%4), %%eax\n" +- "21: movl 4(%4), %%edx\n" ++ "2: "__copyuser_seg" movl 0(%4), %%eax\n" ++ "21: "__copyuser_seg" movl 4(%4), %%edx\n" + " movnti %%eax, 0(%3)\n" + " movnti %%edx, 4(%3)\n" +- "3: movl 8(%4), %%eax\n" +- "31: movl 12(%4),%%edx\n" ++ "3: "__copyuser_seg" movl 8(%4), %%eax\n" ++ "31: "__copyuser_seg" movl 12(%4),%%edx\n" + " movnti %%eax, 8(%3)\n" + " movnti %%edx, 12(%3)\n" +- "4: movl 16(%4), %%eax\n" +- "41: movl 20(%4), %%edx\n" ++ "4: "__copyuser_seg" movl 16(%4), %%eax\n" ++ "41: "__copyuser_seg" movl 20(%4), %%edx\n" + " movnti %%eax, 16(%3)\n" + " movnti %%edx, 20(%3)\n" +- "10: movl 24(%4), %%eax\n" +- "51: movl 28(%4), %%edx\n" ++ "10: "__copyuser_seg" movl 24(%4), %%eax\n" ++ "51: "__copyuser_seg" movl 28(%4), %%edx\n" + " movnti %%eax, 24(%3)\n" + " movnti %%edx, 28(%3)\n" +- "11: movl 32(%4), %%eax\n" +- "61: movl 36(%4), %%edx\n" ++ "11: "__copyuser_seg" movl 32(%4), %%eax\n" ++ "61: "__copyuser_seg" movl 36(%4), %%edx\n" + " movnti %%eax, 32(%3)\n" + " movnti %%edx, 36(%3)\n" +- "12: movl 40(%4), %%eax\n" +- "71: movl 44(%4), %%edx\n" ++ "12: "__copyuser_seg" movl 40(%4), %%eax\n" ++ "71: "__copyuser_seg" movl 44(%4), %%edx\n" + " movnti %%eax, 40(%3)\n" + " movnti %%edx, 44(%3)\n" +- "13: movl 48(%4), %%eax\n" +- "81: movl 52(%4), %%edx\n" ++ "13: "__copyuser_seg" movl 48(%4), %%eax\n" ++ "81: "__copyuser_seg" movl 52(%4), %%edx\n" + " movnti %%eax, 48(%3)\n" + " movnti %%edx, 52(%3)\n" +- "14: movl 56(%4), %%eax\n" +- "91: movl 60(%4), %%edx\n" ++ "14: "__copyuser_seg" movl 56(%4), %%eax\n" ++ "91: "__copyuser_seg" movl 60(%4), %%edx\n" + " movnti %%eax, 56(%3)\n" + " movnti %%edx, 60(%3)\n" + " addl $-64, %0\n" +@@ -446,9 +554,9 @@ static unsigned long __copy_user_intel_nocache(void *to, + " shrl $2, %0\n" + " andl $3, %%eax\n" + " cld\n" +- "6: rep; movsl\n" ++ "6: rep; "__copyuser_seg" movsl\n" + " movl %%eax,%0\n" +- "7: rep; movsb\n" ++ "7: rep; "__copyuser_seg" movsb\n" + "8:\n" + ".section .fixup,\"ax\"\n" + "9: lea 0(%%eax,%0,4),%0\n" +@@ -488,32 +596,36 @@ static unsigned long __copy_user_intel_nocache(void *to, + */ + unsigned long __copy_user_zeroing_intel(void *to, const void __user *from, + unsigned long size); +-unsigned long __copy_user_intel(void __user *to, const void *from, ++unsigned long __generic_copy_to_user_intel(void __user *to, const void *from, ++ unsigned long size); ++unsigned long __generic_copy_from_user_intel(void *to, const void __user *from, + unsigned long size); + unsigned long __copy_user_zeroing_intel_nocache(void *to, + const void __user *from, unsigned long size); + #endif /* CONFIG_X86_INTEL_USERCOPY */ + + /* Generic arbitrary sized copy. */ +-#define __copy_user(to, from, size) \ ++#define __copy_user(to, from, size, prefix, set, restore) \ + do { \ + int __d0, __d1, __d2; \ + __asm__ __volatile__( \ ++ set \ + " cmp $7,%0\n" \ + " jbe 1f\n" \ + " movl %1,%0\n" \ + " negl %0\n" \ + " andl $7,%0\n" \ + " subl %0,%3\n" \ +- "4: rep; movsb\n" \ ++ "4: rep; "prefix"movsb\n" \ + " movl %3,%0\n" \ + " shrl $2,%0\n" \ + " andl $3,%3\n" \ + " .align 2,0x90\n" \ +- "0: rep; movsl\n" \ ++ "0: rep; "prefix"movsl\n" \ + " movl %3,%0\n" \ +- "1: rep; movsb\n" \ ++ "1: rep; "prefix"movsb\n" \ + "2:\n" \ ++ restore \ + ".section .fixup,\"ax\"\n" \ + "5: addl %3,%0\n" \ + " jmp 2b\n" \ +@@ -538,14 +650,14 @@ do { \ + " negl %0\n" \ + " andl $7,%0\n" \ + " subl %0,%3\n" \ +- "4: rep; movsb\n" \ ++ "4: rep; "__copyuser_seg"movsb\n" \ + " movl %3,%0\n" \ + " shrl $2,%0\n" \ + " andl $3,%3\n" \ + " .align 2,0x90\n" \ +- "0: rep; movsl\n" \ ++ "0: rep; "__copyuser_seg"movsl\n" \ + " movl %3,%0\n" \ +- "1: rep; movsb\n" \ ++ "1: rep; "__copyuser_seg"movsb\n" \ + "2:\n" \ + ".section .fixup,\"ax\"\n" \ + "5: addl %3,%0\n" \ +@@ -572,9 +684,9 @@ unsigned long __copy_to_user_ll(void __user *to, const void *from, + { + stac(); + if (movsl_is_ok(to, from, n)) +- __copy_user(to, from, n); ++ __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES); + else +- n = __copy_user_intel(to, from, n); ++ n = __generic_copy_to_user_intel(to, from, n); + clac(); + return n; + } +@@ -598,10 +710,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from, + { + stac(); + if (movsl_is_ok(to, from, n)) +- __copy_user(to, from, n); ++ __copy_user(to, from, n, __copyuser_seg, "", ""); + else +- n = __copy_user_intel((void __user *)to, +- (const void *)from, n); ++ n = __generic_copy_from_user_intel(to, from, n); + clac(); + return n; + } +@@ -632,58 +743,38 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr + if (n > 64 && cpu_has_xmm2) + n = __copy_user_intel_nocache(to, from, n); + else +- __copy_user(to, from, n); ++ __copy_user(to, from, n, __copyuser_seg, "", ""); + #else +- __copy_user(to, from, n); ++ __copy_user(to, from, n, __copyuser_seg, "", ""); + #endif + clac(); + return n; + } + EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero); + +-/** +- * copy_to_user: - Copy a block of data into user space. +- * @to: Destination address, in user space. +- * @from: Source address, in kernel space. +- * @n: Number of bytes to copy. +- * +- * Context: User context only. This function may sleep. +- * +- * Copy data from kernel space to user space. +- * +- * Returns number of bytes that could not be copied. +- * On success, this will be zero. +- */ +-unsigned long _copy_to_user(void __user *to, const void *from, unsigned n) ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++void __set_fs(mm_segment_t x) + { +- if (access_ok(VERIFY_WRITE, to, n)) +- n = __copy_to_user(to, from, n); +- return n; ++ switch (x.seg) { ++ case 0: ++ loadsegment(gs, 0); ++ break; ++ case TASK_SIZE_MAX: ++ loadsegment(gs, __USER_DS); ++ break; ++ case -1UL: ++ loadsegment(gs, __KERNEL_DS); ++ break; ++ default: ++ BUG(); ++ } + } +-EXPORT_SYMBOL(_copy_to_user); ++EXPORT_SYMBOL(__set_fs); + +-/** +- * copy_from_user: - Copy a block of data from user space. +- * @to: Destination address, in kernel space. +- * @from: Source address, in user space. +- * @n: Number of bytes to copy. +- * +- * Context: User context only. This function may sleep. +- * +- * Copy data from user space to kernel space. +- * +- * Returns number of bytes that could not be copied. +- * On success, this will be zero. +- * +- * If some data could not be copied, this function will pad the copied +- * data to the requested size using zero bytes. +- */ +-unsigned long _copy_from_user(void *to, const void __user *from, unsigned n) ++void set_fs(mm_segment_t x) + { +- if (access_ok(VERIFY_READ, from, n)) +- n = __copy_from_user(to, from, n); +- else +- memset(to, 0, n); +- return n; ++ current_thread_info()->addr_limit = x; ++ __set_fs(x); + } +-EXPORT_SYMBOL(_copy_from_user); ++EXPORT_SYMBOL(set_fs); ++#endif +diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c +index c905e89..01ab928 100644 +--- a/arch/x86/lib/usercopy_64.c ++++ b/arch/x86/lib/usercopy_64.c +@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size) + might_fault(); + /* no memory constraint because it doesn't change any memory gcc knows + about */ ++ pax_open_userland(); + stac(); + asm volatile( + " testq %[size8],%[size8]\n" +@@ -39,9 +40,10 @@ unsigned long __clear_user(void __user *addr, unsigned long size) + _ASM_EXTABLE(0b,3b) + _ASM_EXTABLE(1b,2b) + : [size8] "=&c"(size), [dst] "=&D" (__d0) +- : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr), ++ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)), + [zero] "r" (0UL), [eight] "r" (8UL)); + clac(); ++ pax_close_userland(); + return size; + } + EXPORT_SYMBOL(__clear_user); +@@ -54,12 +56,11 @@ unsigned long clear_user(void __user *to, unsigned long n) + } + EXPORT_SYMBOL(clear_user); + +-unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len) ++unsigned long copy_in_user(void __user *to, const void __user *from, unsigned long len) + { +- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) { +- return copy_user_generic((__force void *)to, (__force void *)from, len); +- } +- return len; ++ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) ++ return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len); ++ return len; + } + EXPORT_SYMBOL(copy_in_user); + +@@ -69,11 +70,13 @@ EXPORT_SYMBOL(copy_in_user); + * it is not necessary to optimize tail handling. + */ + __visible unsigned long +-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest) ++copy_user_handle_tail(char __user *to, char __user *from, unsigned long len, unsigned zerorest) + { + char c; + unsigned zero_len; + ++ clac(); ++ pax_close_userland(); + for (; len; --len, to++) { + if (__get_user_nocheck(c, from++, sizeof(char))) + break; +@@ -84,6 +87,5 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest) + for (c = 0, zero_len = len; zerorest && zero_len; --zero_len) + if (__put_user_nocheck(c, to++, sizeof(char))) + break; +- clac(); + return len; + } +diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile +index 6a19ad9..1c48f9a 100644 +--- a/arch/x86/mm/Makefile ++++ b/arch/x86/mm/Makefile +@@ -30,3 +30,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o + obj-$(CONFIG_NUMA_EMU) += numa_emulation.o + + obj-$(CONFIG_MEMTEST) += memtest.o ++ ++quote:=" ++obj-$(CONFIG_X86_64) += uderef_64.o ++CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS)) +diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c +index 903ec1e..c4166b2 100644 +--- a/arch/x86/mm/extable.c ++++ b/arch/x86/mm/extable.c +@@ -6,12 +6,24 @@ + static inline unsigned long + ex_insn_addr(const struct exception_table_entry *x) + { +- return (unsigned long)&x->insn + x->insn; ++ unsigned long reloc = 0; ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++#endif ++ ++ return (unsigned long)&x->insn + x->insn + reloc; + } + static inline unsigned long + ex_fixup_addr(const struct exception_table_entry *x) + { +- return (unsigned long)&x->fixup + x->fixup; ++ unsigned long reloc = 0; ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++#endif ++ ++ return (unsigned long)&x->fixup + x->fixup + reloc; + } + + int fixup_exception(struct pt_regs *regs) +@@ -20,7 +32,7 @@ int fixup_exception(struct pt_regs *regs) + unsigned long new_ip; + + #ifdef CONFIG_PNPBIOS +- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) { ++ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) { + extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp; + extern u32 pnp_bios_is_utter_crap; + pnp_bios_is_utter_crap = 1; +@@ -145,6 +157,13 @@ void sort_extable(struct exception_table_entry *start, + i += 4; + p->fixup -= i; + i += 4; ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ BUILD_BUG_ON(!IS_ENABLED(CONFIG_BUILDTIME_EXTABLE_SORT)); ++ p->insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++ p->fixup -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++#endif ++ + } + } + +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index a10c8c7..35a5abb 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -14,11 +14,18 @@ + #include /* hstate_index_to_shift */ + #include /* prefetchw */ + #include /* exception_enter(), ... */ ++#include ++#include + + #include /* dotraplinkage, ... */ + #include /* pgd_*(), ... */ + #include /* kmemcheck_*(), ... */ + #include /* VSYSCALL_START */ ++#include ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++#include ++#endif + + #define CREATE_TRACE_POINTS + #include +@@ -59,7 +66,7 @@ static inline int __kprobes kprobes_fault(struct pt_regs *regs) + int ret = 0; + + /* kprobe_running() needs smp_processor_id() */ +- if (kprobes_built_in() && !user_mode_vm(regs)) { ++ if (kprobes_built_in() && !user_mode(regs)) { + preempt_disable(); + if (kprobe_running() && kprobe_fault_handler(regs, 14)) + ret = 1; +@@ -120,7 +127,10 @@ check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr, + return !instr_lo || (instr_lo>>1) == 1; + case 0x00: + /* Prefetch instruction is 0x0F0D or 0x0F18 */ +- if (probe_kernel_address(instr, opcode)) ++ if (user_mode(regs)) { ++ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1)) ++ return 0; ++ } else if (probe_kernel_address(instr, opcode)) + return 0; + + *prefetch = (instr_lo == 0xF) && +@@ -154,7 +164,10 @@ is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr) + while (instr < max_instr) { + unsigned char opcode; + +- if (probe_kernel_address(instr, opcode)) ++ if (user_mode(regs)) { ++ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1)) ++ break; ++ } else if (probe_kernel_address(instr, opcode)) + break; + + instr++; +@@ -185,6 +198,34 @@ force_sig_info_fault(int si_signo, int si_code, unsigned long address, + force_sig_info(si_signo, &info, tsk); + } + ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) ++static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address); ++#endif ++ ++#ifdef CONFIG_PAX_EMUTRAMP ++static int pax_handle_fetch_fault(struct pt_regs *regs); ++#endif ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address) ++{ ++ pgd_t *pgd; ++ pud_t *pud; ++ pmd_t *pmd; ++ ++ pgd = pgd_offset(mm, address); ++ if (!pgd_present(*pgd)) ++ return NULL; ++ pud = pud_offset(pgd, address); ++ if (!pud_present(*pud)) ++ return NULL; ++ pmd = pmd_offset(pud, address); ++ if (!pmd_present(*pmd)) ++ return NULL; ++ return pmd; ++} ++#endif ++ + DEFINE_SPINLOCK(pgd_lock); + LIST_HEAD(pgd_list); + +@@ -235,10 +276,27 @@ void vmalloc_sync_all(void) + for (address = VMALLOC_START & PMD_MASK; + address >= TASK_SIZE && address < FIXADDR_TOP; + address += PMD_SIZE) { ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ unsigned long cpu; ++#else + struct page *page; ++#endif + + spin_lock(&pgd_lock); ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { ++ pgd_t *pgd = get_cpu_pgd(cpu, user); ++ pmd_t *ret; ++ ++ ret = vmalloc_sync_one(pgd, address); ++ if (!ret) ++ break; ++ pgd = get_cpu_pgd(cpu, kernel); ++#else + list_for_each_entry(page, &pgd_list, lru) { ++ pgd_t *pgd; + spinlock_t *pgt_lock; + pmd_t *ret; + +@@ -246,8 +304,14 @@ void vmalloc_sync_all(void) + pgt_lock = &pgd_page_get_mm(page)->page_table_lock; + + spin_lock(pgt_lock); +- ret = vmalloc_sync_one(page_address(page), address); ++ pgd = page_address(page); ++#endif ++ ++ ret = vmalloc_sync_one(pgd, address); ++ ++#ifndef CONFIG_PAX_PER_CPU_PGD + spin_unlock(pgt_lock); ++#endif + + if (!ret) + break; +@@ -281,6 +345,12 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) + * an interrupt in the middle of a task switch.. + */ + pgd_paddr = read_cr3(); ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK)); ++ vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address); ++#endif ++ + pmd_k = vmalloc_sync_one(__va(pgd_paddr), address); + if (!pmd_k) + return -1; +@@ -376,11 +446,25 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) + * happen within a race in page table update. In the later + * case just flush: + */ +- pgd = pgd_offset(current->active_mm, address); ++ + pgd_ref = pgd_offset_k(address); + if (pgd_none(*pgd_ref)) + return -1; + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK)); ++ pgd = pgd_offset_cpu(smp_processor_id(), user, address); ++ if (pgd_none(*pgd)) { ++ set_pgd(pgd, *pgd_ref); ++ arch_flush_lazy_mmu_mode(); ++ } else { ++ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); ++ } ++ pgd = pgd_offset_cpu(smp_processor_id(), kernel, address); ++#else ++ pgd = pgd_offset(current->active_mm, address); ++#endif ++ + if (pgd_none(*pgd)) { + set_pgd(pgd, *pgd_ref); + arch_flush_lazy_mmu_mode(); +@@ -546,7 +630,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address) + static int is_errata100(struct pt_regs *regs, unsigned long address) + { + #ifdef CONFIG_X86_64 +- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32)) ++ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32)) + return 1; + #endif + return 0; +@@ -573,7 +657,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address) + } + + static const char nx_warning[] = KERN_CRIT +-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n"; ++"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n"; + + static void + show_fault_oops(struct pt_regs *regs, unsigned long error_code, +@@ -582,15 +666,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, + if (!oops_may_print()) + return; + +- if (error_code & PF_INSTR) { ++ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) { + unsigned int level; + + pte_t *pte = lookup_address(address, &level); + + if (pte && pte_present(*pte) && !pte_exec(*pte)) +- printk(nx_warning, from_kuid(&init_user_ns, current_uid())); ++ printk(nx_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current)); + } + ++#ifdef CONFIG_PAX_KERNEXEC ++ if (init_mm.start_code <= address && address < init_mm.end_code) { ++ if (current->signal->curr_ip) ++ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", ++ ¤t->signal->curr_ip, current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); ++ else ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current), ++ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); ++ } ++#endif ++ + printk(KERN_ALERT "BUG: unable to handle kernel "); + if (address < PAGE_SIZE) + printk(KERN_CONT "NULL pointer dereference"); +@@ -771,6 +867,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, + return; + } + #endif ++ ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) ++ if (pax_is_fetch_fault(regs, error_code, address)) { ++ ++#ifdef CONFIG_PAX_EMUTRAMP ++ switch (pax_handle_fetch_fault(regs)) { ++ case 2: ++ return; ++ } ++#endif ++ ++ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp); ++ do_group_exit(SIGKILL); ++ } ++#endif ++ + /* Kernel addresses are always protection faults: */ + if (address >= TASK_SIZE) + error_code |= PF_PROT; +@@ -856,7 +968,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, + if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) { + printk(KERN_ERR + "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n", +- tsk->comm, tsk->pid, address); ++ tsk->comm, task_pid_nr(tsk), address); + code = BUS_MCEERR_AR; + } + #endif +@@ -910,6 +1022,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) + return 1; + } + ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) ++static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code) ++{ ++ pte_t *pte; ++ pmd_t *pmd; ++ spinlock_t *ptl; ++ unsigned char pte_mask; ++ ++ if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) || ++ !(mm->pax_flags & MF_PAX_PAGEEXEC)) ++ return 0; ++ ++ /* PaX: it's our fault, let's handle it if we can */ ++ ++ /* PaX: take a look at read faults before acquiring any locks */ ++ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) { ++ /* instruction fetch attempt from a protected page in user mode */ ++ up_read(&mm->mmap_sem); ++ ++#ifdef CONFIG_PAX_EMUTRAMP ++ switch (pax_handle_fetch_fault(regs)) { ++ case 2: ++ return 1; ++ } ++#endif ++ ++ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp); ++ do_group_exit(SIGKILL); ++ } ++ ++ pmd = pax_get_pmd(mm, address); ++ if (unlikely(!pmd)) ++ return 0; ++ ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl); ++ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) { ++ pte_unmap_unlock(pte, ptl); ++ return 0; ++ } ++ ++ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) { ++ /* write attempt to a protected page in user mode */ ++ pte_unmap_unlock(pte, ptl); ++ return 0; ++ } ++ ++#ifdef CONFIG_SMP ++ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask))) ++#else ++ if (likely(address > get_limit(regs->cs))) ++#endif ++ { ++ set_pte(pte, pte_mkread(*pte)); ++ __flush_tlb_one(address); ++ pte_unmap_unlock(pte, ptl); ++ up_read(&mm->mmap_sem); ++ return 1; ++ } ++ ++ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)); ++ ++ /* ++ * PaX: fill DTLB with user rights and retry ++ */ ++ __asm__ __volatile__ ( ++ "orb %2,(%1)\n" ++#if defined(CONFIG_M586) || defined(CONFIG_M586TSC) ++/* ++ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's ++ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any* ++ * page fault when examined during a TLB load attempt. this is true not only ++ * for PTEs holding a non-present entry but also present entries that will ++ * raise a page fault (such as those set up by PaX, or the copy-on-write ++ * mechanism). in effect it means that we do *not* need to flush the TLBs ++ * for our target pages since their PTEs are simply not in the TLBs at all. ++ ++ * the best thing in omitting it is that we gain around 15-20% speed in the ++ * fast path of the page fault handler and can get rid of tracing since we ++ * can no longer flush unintended entries. ++ */ ++ "invlpg (%0)\n" ++#endif ++ __copyuser_seg"testb $0,(%0)\n" ++ "xorb %3,(%1)\n" ++ : ++ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER) ++ : "memory", "cc"); ++ pte_unmap_unlock(pte, ptl); ++ up_read(&mm->mmap_sem); ++ return 1; ++} ++#endif ++ + /* + * Handle a spurious fault caused by a stale TLB entry. + * +@@ -976,6 +1181,9 @@ int show_unhandled_signals = 1; + static inline int + access_error(unsigned long error_code, struct vm_area_struct *vma) + { ++ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC)) ++ return 1; ++ + if (error_code & PF_WRITE) { + /* write, present and write, not present: */ + if (unlikely(!(vma->vm_flags & VM_WRITE))) +@@ -1010,7 +1218,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs) + if (error_code & PF_USER) + return false; + +- if (!user_mode_vm(regs) && (regs->flags & X86_EFLAGS_AC)) ++ if (!user_mode(regs) && (regs->flags & X86_EFLAGS_AC)) + return false; + + return true; +@@ -1038,6 +1246,22 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code, + tsk = current; + mm = tsk->mm; + ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ if (!user_mode(regs) && address < 2 * pax_user_shadow_base) { ++ if (!search_exception_tables(regs->ip)) { ++ printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n"); ++ bad_area_nosemaphore(regs, error_code, address); ++ return; ++ } ++ if (address < pax_user_shadow_base) { ++ printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n"); ++ printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip); ++ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR); ++ } else ++ address -= pax_user_shadow_base; ++ } ++#endif ++ + /* + * Detect and handle instructions that would cause a page fault for + * both a tracked kernel page and a userspace page. +@@ -1115,7 +1339,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code, + * User-mode registers count as a user access even for any + * potential system fault or CPU buglet: + */ +- if (user_mode_vm(regs)) { ++ if (user_mode(regs)) { + local_irq_enable(); + error_code |= PF_USER; + flags |= FAULT_FLAG_USER; +@@ -1162,6 +1386,11 @@ retry: + might_sleep(); + } + ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) ++ if (pax_handle_pageexec_fault(regs, mm, address, error_code)) ++ return; ++#endif ++ + vma = find_vma(mm, address); + if (unlikely(!vma)) { + bad_area(regs, error_code, address); +@@ -1173,18 +1402,24 @@ retry: + bad_area(regs, error_code, address); + return; + } +- if (error_code & PF_USER) { +- /* +- * Accessing the stack below %sp is always a bug. +- * The large cushion allows instructions like enter +- * and pusha to work. ("enter $65535, $31" pushes +- * 32 pointers and then decrements %sp by 65535.) +- */ +- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) { +- bad_area(regs, error_code, address); +- return; +- } ++ /* ++ * Accessing the stack below %sp is always a bug. ++ * The large cushion allows instructions like enter ++ * and pusha to work. ("enter $65535, $31" pushes ++ * 32 pointers and then decrements %sp by 65535.) ++ */ ++ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) { ++ bad_area(regs, error_code, address); ++ return; + } ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) { ++ bad_area(regs, error_code, address); ++ return; ++ } ++#endif ++ + if (unlikely(expand_stack(vma, address))) { + bad_area(regs, error_code, address); + return; +@@ -1296,3 +1531,292 @@ trace_do_page_fault(struct pt_regs *regs, unsigned long error_code) + exception_exit(prev_state); + } + #endif /* CONFIG_TRACING */ ++ ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) ++static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address) ++{ ++ struct mm_struct *mm = current->mm; ++ unsigned long ip = regs->ip; ++ ++ if (v8086_mode(regs)) ++ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff); ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) { ++ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) ++ return true; ++ if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address) ++ return true; ++ return false; ++ } ++#endif ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) { ++ if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) ++ return true; ++ return false; ++ } ++#endif ++ ++ return false; ++} ++#endif ++ ++#ifdef CONFIG_PAX_EMUTRAMP ++static int pax_handle_fetch_fault_32(struct pt_regs *regs) ++{ ++ int err; ++ ++ do { /* PaX: libffi trampoline emulation */ ++ unsigned char mov, jmp; ++ unsigned int addr1, addr2; ++ ++#ifdef CONFIG_X86_64 ++ if ((regs->ip + 9) >> 32) ++ break; ++#endif ++ ++ err = get_user(mov, (unsigned char __user *)regs->ip); ++ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1)); ++ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5)); ++ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6)); ++ ++ if (err) ++ break; ++ ++ if (mov == 0xB8 && jmp == 0xE9) { ++ regs->ax = addr1; ++ regs->ip = (unsigned int)(regs->ip + addr2 + 10); ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: gcc trampoline emulation #1 */ ++ unsigned char mov1, mov2; ++ unsigned short jmp; ++ unsigned int addr1, addr2; ++ ++#ifdef CONFIG_X86_64 ++ if ((regs->ip + 11) >> 32) ++ break; ++#endif ++ ++ err = get_user(mov1, (unsigned char __user *)regs->ip); ++ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1)); ++ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5)); ++ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6)); ++ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10)); ++ ++ if (err) ++ break; ++ ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) { ++ regs->cx = addr1; ++ regs->ax = addr2; ++ regs->ip = addr2; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: gcc trampoline emulation #2 */ ++ unsigned char mov, jmp; ++ unsigned int addr1, addr2; ++ ++#ifdef CONFIG_X86_64 ++ if ((regs->ip + 9) >> 32) ++ break; ++#endif ++ ++ err = get_user(mov, (unsigned char __user *)regs->ip); ++ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1)); ++ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5)); ++ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6)); ++ ++ if (err) ++ break; ++ ++ if (mov == 0xB9 && jmp == 0xE9) { ++ regs->cx = addr1; ++ regs->ip = (unsigned int)(regs->ip + addr2 + 10); ++ return 2; ++ } ++ } while (0); ++ ++ return 1; /* PaX in action */ ++} ++ ++#ifdef CONFIG_X86_64 ++static int pax_handle_fetch_fault_64(struct pt_regs *regs) ++{ ++ int err; ++ ++ do { /* PaX: libffi trampoline emulation */ ++ unsigned short mov1, mov2, jmp1; ++ unsigned char stcclc, jmp2; ++ unsigned long addr1, addr2; ++ ++ err = get_user(mov1, (unsigned short __user *)regs->ip); ++ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2)); ++ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10)); ++ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12)); ++ err |= get_user(stcclc, (unsigned char __user *)(regs->ip + 20)); ++ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 21)); ++ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 23)); ++ ++ if (err) ++ break; ++ ++ if (mov1 == 0xBB49 && mov2 == 0xBA49 && (stcclc == 0xF8 || stcclc == 0xF9) && jmp1 == 0xFF49 && jmp2 == 0xE3) { ++ regs->r11 = addr1; ++ regs->r10 = addr2; ++ if (stcclc == 0xF8) ++ regs->flags &= ~X86_EFLAGS_CF; ++ else ++ regs->flags |= X86_EFLAGS_CF; ++ regs->ip = addr1; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: gcc trampoline emulation #1 */ ++ unsigned short mov1, mov2, jmp1; ++ unsigned char jmp2; ++ unsigned int addr1; ++ unsigned long addr2; ++ ++ err = get_user(mov1, (unsigned short __user *)regs->ip); ++ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2)); ++ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6)); ++ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8)); ++ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16)); ++ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18)); ++ ++ if (err) ++ break; ++ ++ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) { ++ regs->r11 = addr1; ++ regs->r10 = addr2; ++ regs->ip = addr1; ++ return 2; ++ } ++ } while (0); ++ ++ do { /* PaX: gcc trampoline emulation #2 */ ++ unsigned short mov1, mov2, jmp1; ++ unsigned char jmp2; ++ unsigned long addr1, addr2; ++ ++ err = get_user(mov1, (unsigned short __user *)regs->ip); ++ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2)); ++ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10)); ++ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12)); ++ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20)); ++ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22)); ++ ++ if (err) ++ break; ++ ++ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) { ++ regs->r11 = addr1; ++ regs->r10 = addr2; ++ regs->ip = addr1; ++ return 2; ++ } ++ } while (0); ++ ++ return 1; /* PaX in action */ ++} ++#endif ++ ++/* ++ * PaX: decide what to do with offenders (regs->ip = fault address) ++ * ++ * returns 1 when task should be killed ++ * 2 when gcc trampoline was detected ++ */ ++static int pax_handle_fetch_fault(struct pt_regs *regs) ++{ ++ if (v8086_mode(regs)) ++ return 1; ++ ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP)) ++ return 1; ++ ++#ifdef CONFIG_X86_32 ++ return pax_handle_fetch_fault_32(regs); ++#else ++ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) ++ return pax_handle_fetch_fault_32(regs); ++ else ++ return pax_handle_fetch_fault_64(regs); ++#endif ++} ++#endif ++ ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) ++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) ++{ ++ long i; ++ ++ printk(KERN_ERR "PAX: bytes at PC: "); ++ for (i = 0; i < 20; i++) { ++ unsigned char c; ++ if (get_user(c, (unsigned char __force_user *)pc+i)) ++ printk(KERN_CONT "?? "); ++ else ++ printk(KERN_CONT "%02x ", c); ++ } ++ printk("\n"); ++ ++ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long)); ++ for (i = -1; i < 80 / (long)sizeof(long); i++) { ++ unsigned long c; ++ if (get_user(c, (unsigned long __force_user *)sp+i)) { ++#ifdef CONFIG_X86_32 ++ printk(KERN_CONT "???????? "); ++#else ++ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) ++ printk(KERN_CONT "???????? ???????? "); ++ else ++ printk(KERN_CONT "???????????????? "); ++#endif ++ } else { ++#ifdef CONFIG_X86_64 ++ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) { ++ printk(KERN_CONT "%08x ", (unsigned int)c); ++ printk(KERN_CONT "%08x ", (unsigned int)(c >> 32)); ++ } else ++#endif ++ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c); ++ } ++ } ++ printk("\n"); ++} ++#endif ++ ++/** ++ * probe_kernel_write(): safely attempt to write to a location ++ * @dst: address to write to ++ * @src: pointer to the data that shall be written ++ * @size: size of the data chunk ++ * ++ * Safely write to address @dst from the buffer at @src. If a kernel fault ++ * happens, handle that and return -EFAULT. ++ */ ++long notrace probe_kernel_write(void *dst, const void *src, size_t size) ++{ ++ long ret; ++ mm_segment_t old_fs = get_fs(); ++ ++ set_fs(KERNEL_DS); ++ pagefault_disable(); ++ pax_open_kernel(); ++ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size); ++ pax_close_kernel(); ++ pagefault_enable(); ++ set_fs(old_fs); ++ ++ return ret ? -EFAULT : 0; ++} +diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c +index 207d9aef..69030980 100644 +--- a/arch/x86/mm/gup.c ++++ b/arch/x86/mm/gup.c +@@ -268,7 +268,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write, + addr = start; + len = (unsigned long) nr_pages << PAGE_SHIFT; + end = start + len; +- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ, ++ if (unlikely(!access_ok_noprefault(write ? VERIFY_WRITE : VERIFY_READ, + (void __user *)start, len))) + return 0; + +@@ -344,6 +344,10 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, + goto slow_irqon; + #endif + ++ if (unlikely(!access_ok_noprefault(write ? VERIFY_WRITE : VERIFY_READ, ++ (void __user *)start, len))) ++ return 0; ++ + /* + * XXX: batch / limit 'nr', to avoid large irq off latency + * needs some instrumenting to determine the common sizes used by +diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c +index 4500142..53a363c 100644 +--- a/arch/x86/mm/highmem_32.c ++++ b/arch/x86/mm/highmem_32.c +@@ -45,7 +45,11 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot) + idx = type + KM_TYPE_NR*smp_processor_id(); + vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx); + BUG_ON(!pte_none(*(kmap_pte-idx))); ++ ++ pax_open_kernel(); + set_pte(kmap_pte-idx, mk_pte(page, prot)); ++ pax_close_kernel(); ++ + arch_flush_lazy_mmu_mode(); + + return (void *)vaddr; +diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c +index 8c9f647..57cb402 100644 +--- a/arch/x86/mm/hugetlbpage.c ++++ b/arch/x86/mm/hugetlbpage.c +@@ -90,23 +90,24 @@ int pmd_huge_support(void) + #ifdef CONFIG_HUGETLB_PAGE + static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, + unsigned long addr, unsigned long len, +- unsigned long pgoff, unsigned long flags) ++ unsigned long pgoff, unsigned long flags, unsigned long offset) + { + struct hstate *h = hstate_file(file); + struct vm_unmapped_area_info info; +- ++ + info.flags = 0; + info.length = len; + info.low_limit = current->mm->mmap_legacy_base; + info.high_limit = TASK_SIZE; + info.align_mask = PAGE_MASK & ~huge_page_mask(h); + info.align_offset = 0; ++ info.threadstack_offset = offset; + return vm_unmapped_area(&info); + } + + static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, + unsigned long addr0, unsigned long len, +- unsigned long pgoff, unsigned long flags) ++ unsigned long pgoff, unsigned long flags, unsigned long offset) + { + struct hstate *h = hstate_file(file); + struct vm_unmapped_area_info info; +@@ -118,6 +119,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, + info.high_limit = current->mm->mmap_base; + info.align_mask = PAGE_MASK & ~huge_page_mask(h); + info.align_offset = 0; ++ info.threadstack_offset = offset; + addr = vm_unmapped_area(&info); + + /* +@@ -130,6 +132,12 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, + VM_BUG_ON(addr != -ENOMEM); + info.flags = 0; + info.low_limit = TASK_UNMAPPED_BASE; ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP) ++ info.low_limit += current->mm->delta_mmap; ++#endif ++ + info.high_limit = TASK_SIZE; + addr = vm_unmapped_area(&info); + } +@@ -144,10 +152,20 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + struct hstate *h = hstate_file(file); + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; ++ unsigned long pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); + + if (len & ~huge_page_mask(h)) + return -EINVAL; +- if (len > TASK_SIZE) ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) ++ pax_task_size = SEGMEXEC_TASK_SIZE; ++#endif ++ ++ pax_task_size -= PAGE_SIZE; ++ ++ if (len > pax_task_size) + return -ENOMEM; + + if (flags & MAP_FIXED) { +@@ -156,19 +174,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + return addr; + } + ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + if (addr) { + addr = ALIGN(addr, huge_page_size(h)); + vma = find_vma(mm, addr); +- if (TASK_SIZE - len >= addr && +- (!vma || addr + len <= vma->vm_start)) ++ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + if (mm->get_unmapped_area == arch_get_unmapped_area) + return hugetlb_get_unmapped_area_bottomup(file, addr, len, +- pgoff, flags); ++ pgoff, flags, offset); + else + return hugetlb_get_unmapped_area_topdown(file, addr, len, +- pgoff, flags); ++ pgoff, flags, offset); + } + #endif /* CONFIG_HUGETLB_PAGE */ + +diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c +index f971306..e83e0f6 100644 +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -4,6 +4,7 @@ + #include + #include + #include /* for max_low_pfn */ ++#include + + #include + #include +@@ -17,6 +18,8 @@ + #include + #include /* for MAX_DMA_PFN */ + #include ++#include ++#include + + #include "mm_internal.h" + +@@ -563,7 +566,18 @@ void __init init_mem_mapping(void) + early_ioremap_page_table_range_init(); + #endif + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); ++ clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); ++ load_cr3(get_cpu_pgd(0, kernel)); ++#else + load_cr3(swapper_pg_dir); ++#endif ++ + __flush_tlb_all(); + + early_memtest(0, max_pfn_mapped << PAGE_SHIFT); +@@ -579,10 +593,40 @@ void __init init_mem_mapping(void) + * Access has to be given to non-kernel-ram areas as well, these contain the PCI + * mmio resources as well as potential bios/acpi data regions. + */ ++ ++#ifdef CONFIG_GRKERNSEC_KMEM ++static unsigned int ebda_start __read_only; ++static unsigned int ebda_end __read_only; ++#endif ++ + int devmem_is_allowed(unsigned long pagenr) + { +- if (pagenr < 256) ++#ifdef CONFIG_GRKERNSEC_KMEM ++ /* allow BDA */ ++ if (!pagenr) + return 1; ++ /* allow EBDA */ ++ if (pagenr >= ebda_start && pagenr < ebda_end) ++ return 1; ++ /* if tboot is in use, allow access to its hardcoded serial log range */ ++ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT))) ++ return 1; ++#else ++ if (!pagenr) ++ return 1; ++#ifdef CONFIG_VM86 ++ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT)) ++ return 1; ++#endif ++#endif ++ ++ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT)) ++ return 1; ++#ifdef CONFIG_GRKERNSEC_KMEM ++ /* throw out everything else below 1MB */ ++ if (pagenr <= 256) ++ return 0; ++#endif + if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) + return 0; + if (!page_is_ram(pagenr)) +@@ -628,8 +672,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) + #endif + } + ++#ifdef CONFIG_GRKERNSEC_KMEM ++static inline void gr_init_ebda(void) ++{ ++ unsigned int ebda_addr; ++ unsigned int ebda_size = 0; ++ ++ ebda_addr = get_bios_ebda(); ++ if (ebda_addr) { ++ ebda_size = *(unsigned char *)phys_to_virt(ebda_addr); ++ ebda_size <<= 10; ++ } ++ if (ebda_addr && ebda_size) { ++ ebda_start = ebda_addr >> PAGE_SHIFT; ++ ebda_end = min((unsigned int)PAGE_ALIGN(ebda_addr + ebda_size), (unsigned int)0xa0000) >> PAGE_SHIFT; ++ } else { ++ ebda_start = 0x9f000 >> PAGE_SHIFT; ++ ebda_end = 0xa0000 >> PAGE_SHIFT; ++ } ++} ++#else ++static inline void gr_init_ebda(void) { } ++#endif ++ + void free_initmem(void) + { ++#ifdef CONFIG_PAX_KERNEXEC ++#ifdef CONFIG_X86_32 ++ /* PaX: limit KERNEL_CS to actual size */ ++ unsigned long addr, limit; ++ struct desc_struct d; ++ int cpu; ++#else ++ pgd_t *pgd; ++ pud_t *pud; ++ pmd_t *pmd; ++ unsigned long addr, end; ++#endif ++#endif ++ ++ gr_init_ebda(); ++ ++#ifdef CONFIG_PAX_KERNEXEC ++#ifdef CONFIG_X86_32 ++ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext; ++ limit = (limit - 1UL) >> PAGE_SHIFT; ++ ++ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE); ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { ++ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC); ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S); ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S); ++ } ++ ++ /* PaX: make KERNEL_CS read-only */ ++ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text)); ++ if (!paravirt_enabled()) ++ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT); ++/* ++ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) { ++ pgd = pgd_offset_k(addr); ++ pud = pud_offset(pgd, addr); ++ pmd = pmd_offset(pud, addr); ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW)); ++ } ++*/ ++#ifdef CONFIG_X86_PAE ++ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT); ++/* ++ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) { ++ pgd = pgd_offset_k(addr); ++ pud = pud_offset(pgd, addr); ++ pmd = pmd_offset(pud, addr); ++ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask))); ++ } ++*/ ++#endif ++ ++#ifdef CONFIG_MODULES ++ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT); ++#endif ++ ++#else ++ /* PaX: make kernel code/rodata read-only, rest non-executable */ ++ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) { ++ pgd = pgd_offset_k(addr); ++ pud = pud_offset(pgd, addr); ++ pmd = pmd_offset(pud, addr); ++ if (!pmd_present(*pmd)) ++ continue; ++ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata) ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW)); ++ else ++ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask))); ++ } ++ ++ addr = (unsigned long)__va(__pa(__START_KERNEL_map)); ++ end = addr + KERNEL_IMAGE_SIZE; ++ for (; addr < end; addr += PMD_SIZE) { ++ pgd = pgd_offset_k(addr); ++ pud = pud_offset(pgd, addr); ++ pmd = pmd_offset(pud, addr); ++ if (!pmd_present(*pmd)) ++ continue; ++ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata))) ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW)); ++ } ++#endif ++ ++ flush_tlb_all(); ++#endif ++ + free_init_pages("unused kernel", + (unsigned long)(&__init_begin), + (unsigned long)(&__init_end)); +diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c +index e395048..cd38278 100644 +--- a/arch/x86/mm/init_32.c ++++ b/arch/x86/mm/init_32.c +@@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void); + bool __read_mostly __vmalloc_start_set = false; + + /* +- * Creates a middle page table and puts a pointer to it in the +- * given global directory entry. This only returns the gd entry +- * in non-PAE compilation mode, since the middle layer is folded. +- */ +-static pmd_t * __init one_md_table_init(pgd_t *pgd) +-{ +- pud_t *pud; +- pmd_t *pmd_table; +- +-#ifdef CONFIG_X86_PAE +- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) { +- pmd_table = (pmd_t *)alloc_low_page(); +- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT); +- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT)); +- pud = pud_offset(pgd, 0); +- BUG_ON(pmd_table != pmd_offset(pud, 0)); +- +- return pmd_table; +- } +-#endif +- pud = pud_offset(pgd, 0); +- pmd_table = pmd_offset(pud, 0); +- +- return pmd_table; +-} +- +-/* + * Create a page table and place a pointer to it in a middle page + * directory entry: + */ +@@ -98,13 +71,28 @@ static pte_t * __init one_page_table_init(pmd_t *pmd) + pte_t *page_table = (pte_t *)alloc_low_page(); + + paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT); ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) ++ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE)); ++#else + set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE)); ++#endif + BUG_ON(page_table != pte_offset_kernel(pmd, 0)); + } + + return pte_offset_kernel(pmd, 0); + } + ++static pmd_t * __init one_md_table_init(pgd_t *pgd) ++{ ++ pud_t *pud; ++ pmd_t *pmd_table; ++ ++ pud = pud_offset(pgd, 0); ++ pmd_table = pmd_offset(pud, 0); ++ ++ return pmd_table; ++} ++ + pmd_t * __init populate_extra_pmd(unsigned long vaddr) + { + int pgd_idx = pgd_index(vaddr); +@@ -208,6 +196,7 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base) + int pgd_idx, pmd_idx; + unsigned long vaddr; + pgd_t *pgd; ++ pud_t *pud; + pmd_t *pmd; + pte_t *pte = NULL; + unsigned long count = page_table_range_init_count(start, end); +@@ -222,8 +211,13 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base) + pgd = pgd_base + pgd_idx; + + for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) { +- pmd = one_md_table_init(pgd); +- pmd = pmd + pmd_index(vaddr); ++ pud = pud_offset(pgd, vaddr); ++ pmd = pmd_offset(pud, vaddr); ++ ++#ifdef CONFIG_X86_PAE ++ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT); ++#endif ++ + for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); + pmd++, pmd_idx++) { + pte = page_table_kmap_check(one_page_table_init(pmd), +@@ -235,11 +229,20 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base) + } + } + +-static inline int is_kernel_text(unsigned long addr) ++static inline int is_kernel_text(unsigned long start, unsigned long end) + { +- if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end) +- return 1; +- return 0; ++ if ((start >= ktla_ktva((unsigned long)_etext) || ++ end <= ktla_ktva((unsigned long)_stext)) && ++ (start >= ktla_ktva((unsigned long)_einittext) || ++ end <= ktla_ktva((unsigned long)_sinittext)) && ++ ++#ifdef CONFIG_ACPI_SLEEP ++ (start >= (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) && ++#endif ++ ++ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000))) ++ return 0; ++ return 1; + } + + /* +@@ -256,9 +259,10 @@ kernel_physical_mapping_init(unsigned long start, + unsigned long last_map_addr = end; + unsigned long start_pfn, end_pfn; + pgd_t *pgd_base = swapper_pg_dir; +- int pgd_idx, pmd_idx, pte_ofs; ++ unsigned int pgd_idx, pmd_idx, pte_ofs; + unsigned long pfn; + pgd_t *pgd; ++ pud_t *pud; + pmd_t *pmd; + pte_t *pte; + unsigned pages_2m, pages_4k; +@@ -291,8 +295,13 @@ repeat: + pfn = start_pfn; + pgd_idx = pgd_index((pfn<> PAGE_SHIFT); ++#endif + + if (pfn >= end_pfn) + continue; +@@ -304,14 +313,13 @@ repeat: + #endif + for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn; + pmd++, pmd_idx++) { +- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET; ++ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET; + + /* + * Map with big pages if possible, otherwise + * create normal page tables: + */ + if (use_pse) { +- unsigned int addr2; + pgprot_t prot = PAGE_KERNEL_LARGE; + /* + * first pass will use the same initial +@@ -322,11 +330,7 @@ repeat: + _PAGE_PSE); + + pfn &= PMD_MASK >> PAGE_SHIFT; +- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE + +- PAGE_OFFSET + PAGE_SIZE-1; +- +- if (is_kernel_text(addr) || +- is_kernel_text(addr2)) ++ if (is_kernel_text(address, address + PMD_SIZE)) + prot = PAGE_KERNEL_LARGE_EXEC; + + pages_2m++; +@@ -343,7 +347,7 @@ repeat: + pte_ofs = pte_index((pfn<> 10, + +- (unsigned long)&_etext, (unsigned long)&_edata, +- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10, ++ (unsigned long)&_sdata, (unsigned long)&_edata, ++ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10, + +- (unsigned long)&_text, (unsigned long)&_etext, ++ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext), + ((unsigned long)&_etext - (unsigned long)&_text) >> 10); + + /* +@@ -883,6 +885,7 @@ void set_kernel_text_rw(void) + if (!kernel_set_to_readonly) + return; + ++ start = ktla_ktva(start); + pr_debug("Set kernel text: %lx - %lx for read write\n", + start, start+size); + +@@ -897,6 +900,7 @@ void set_kernel_text_ro(void) + if (!kernel_set_to_readonly) + return; + ++ start = ktla_ktva(start); + pr_debug("Set kernel text: %lx - %lx for read only\n", + start, start+size); + +@@ -925,6 +929,7 @@ void mark_rodata_ro(void) + unsigned long start = PFN_ALIGN(_text); + unsigned long size = PFN_ALIGN(_etext) - start; + ++ start = ktla_ktva(start); + set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT); + printk(KERN_INFO "Write protecting the kernel text: %luk\n", + size >> 10); +diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c +index f35c66c..84b95ef 100644 +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -151,7 +151,7 @@ early_param("gbpages", parse_direct_gbpages_on); + * around without checking the pgd every time. + */ + +-pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP; ++pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP); + EXPORT_SYMBOL_GPL(__supported_pte_mask); + + int force_personality32; +@@ -184,12 +184,29 @@ void sync_global_pgds(unsigned long start, unsigned long end) + + for (address = start; address <= end; address += PGDIR_SIZE) { + const pgd_t *pgd_ref = pgd_offset_k(address); ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ unsigned long cpu; ++#else + struct page *page; ++#endif + + if (pgd_none(*pgd_ref)) + continue; + + spin_lock(&pgd_lock); ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { ++ pgd_t *pgd = pgd_offset_cpu(cpu, user, address); ++ ++ if (pgd_none(*pgd)) ++ set_pgd(pgd, *pgd_ref); ++ else ++ BUG_ON(pgd_page_vaddr(*pgd) ++ != pgd_page_vaddr(*pgd_ref)); ++ pgd = pgd_offset_cpu(cpu, kernel, address); ++#else + list_for_each_entry(page, &pgd_list, lru) { + pgd_t *pgd; + spinlock_t *pgt_lock; +@@ -198,6 +215,7 @@ void sync_global_pgds(unsigned long start, unsigned long end) + /* the pgt_lock only for Xen */ + pgt_lock = &pgd_page_get_mm(page)->page_table_lock; + spin_lock(pgt_lock); ++#endif + + if (pgd_none(*pgd)) + set_pgd(pgd, *pgd_ref); +@@ -205,7 +223,10 @@ void sync_global_pgds(unsigned long start, unsigned long end) + BUG_ON(pgd_page_vaddr(*pgd) + != pgd_page_vaddr(*pgd_ref)); + ++#ifndef CONFIG_PAX_PER_CPU_PGD + spin_unlock(pgt_lock); ++#endif ++ + } + spin_unlock(&pgd_lock); + } +@@ -238,7 +259,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr) + { + if (pgd_none(*pgd)) { + pud_t *pud = (pud_t *)spp_getpage(); +- pgd_populate(&init_mm, pgd, pud); ++ pgd_populate_kernel(&init_mm, pgd, pud); + if (pud != pud_offset(pgd, 0)) + printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n", + pud, pud_offset(pgd, 0)); +@@ -250,7 +271,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr) + { + if (pud_none(*pud)) { + pmd_t *pmd = (pmd_t *) spp_getpage(); +- pud_populate(&init_mm, pud, pmd); ++ pud_populate_kernel(&init_mm, pud, pmd); + if (pmd != pmd_offset(pud, 0)) + printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n", + pmd, pmd_offset(pud, 0)); +@@ -279,7 +300,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte) + pmd = fill_pmd(pud, vaddr); + pte = fill_pte(pmd, vaddr); + ++ pax_open_kernel(); + set_pte(pte, new_pte); ++ pax_close_kernel(); + + /* + * It's enough to flush this one mapping. +@@ -338,14 +361,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size, + pgd = pgd_offset_k((unsigned long)__va(phys)); + if (pgd_none(*pgd)) { + pud = (pud_t *) spp_getpage(); +- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE | +- _PAGE_USER)); ++ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE)); + } + pud = pud_offset(pgd, (unsigned long)__va(phys)); + if (pud_none(*pud)) { + pmd = (pmd_t *) spp_getpage(); +- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE | +- _PAGE_USER)); ++ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE)); + } + pmd = pmd_offset(pud, phys); + BUG_ON(!pmd_none(*pmd)); +@@ -586,7 +607,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, + prot); + + spin_lock(&init_mm.page_table_lock); +- pud_populate(&init_mm, pud, pmd); ++ pud_populate_kernel(&init_mm, pud, pmd); + spin_unlock(&init_mm.page_table_lock); + } + __flush_tlb_all(); +@@ -627,7 +648,7 @@ kernel_physical_mapping_init(unsigned long start, + page_size_mask); + + spin_lock(&init_mm.page_table_lock); +- pgd_populate(&init_mm, pgd, pud); ++ pgd_populate_kernel(&init_mm, pgd, pud); + spin_unlock(&init_mm.page_table_lock); + pgd_changed = true; + } +@@ -1188,8 +1209,8 @@ int kern_addr_valid(unsigned long addr) + static struct vm_area_struct gate_vma = { + .vm_start = VSYSCALL_START, + .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE), +- .vm_page_prot = PAGE_READONLY_EXEC, +- .vm_flags = VM_READ | VM_EXEC ++ .vm_page_prot = PAGE_READONLY, ++ .vm_flags = VM_READ + }; + + struct vm_area_struct *get_gate_vma(struct mm_struct *mm) +@@ -1223,7 +1244,7 @@ int in_gate_area_no_mm(unsigned long addr) + + const char *arch_vma_name(struct vm_area_struct *vma) + { +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso) ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso) + return "[vdso]"; + if (vma == &gate_vma) + return "[vsyscall]"; +diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c +index 7b179b4..6bd17777 100644 +--- a/arch/x86/mm/iomap_32.c ++++ b/arch/x86/mm/iomap_32.c +@@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long pfn, pgprot_t prot) + type = kmap_atomic_idx_push(); + idx = type + KM_TYPE_NR * smp_processor_id(); + vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx); ++ ++ pax_open_kernel(); + set_pte(kmap_pte - idx, pfn_pte(pfn, prot)); ++ pax_close_kernel(); ++ + arch_flush_lazy_mmu_mode(); + + return (void *)vaddr; +diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c +index 799580c..72f9fe0 100644 +--- a/arch/x86/mm/ioremap.c ++++ b/arch/x86/mm/ioremap.c +@@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(resource_size_t phys_addr, + for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) { + int is_ram = page_is_ram(pfn); + +- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn))) ++ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn)))) + return NULL; + WARN_ON_ONCE(is_ram); + } +@@ -256,7 +256,7 @@ EXPORT_SYMBOL(ioremap_prot); + * + * Caller must ensure there is only one unmapping for the same pointer. + */ +-void iounmap(volatile void __iomem *addr) ++void iounmap(const volatile void __iomem *addr) + { + struct vm_struct *p, *o; + +@@ -310,6 +310,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) + + /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */ + if (page_is_ram(start >> PAGE_SHIFT)) ++#ifdef CONFIG_HIGHMEM ++ if ((start >> PAGE_SHIFT) < max_low_pfn) ++#endif + return __va(phys); + + addr = (void __force *)ioremap_cache(start, PAGE_SIZE); +@@ -322,6 +325,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) + void unxlate_dev_mem_ptr(unsigned long phys, void *addr) + { + if (page_is_ram(phys >> PAGE_SHIFT)) ++#ifdef CONFIG_HIGHMEM ++ if ((phys >> PAGE_SHIFT) < max_low_pfn) ++#endif + return; + + iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK)); +@@ -339,7 +345,7 @@ static int __init early_ioremap_debug_setup(char *str) + early_param("early_ioremap_debug", early_ioremap_debug_setup); + + static __initdata int after_paging_init; +-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss; ++static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE); + + static inline pmd_t * __init early_ioremap_pmd(unsigned long addr) + { +@@ -376,8 +382,7 @@ void __init early_ioremap_init(void) + slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i); + + pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN)); +- memset(bm_pte, 0, sizeof(bm_pte)); +- pmd_populate_kernel(&init_mm, pmd, bm_pte); ++ pmd_populate_user(&init_mm, pmd, bm_pte); + + /* + * The boot-ioremap range spans multiple pmds, for which +diff --git a/arch/x86/mm/kmemcheck/kmemcheck.c b/arch/x86/mm/kmemcheck/kmemcheck.c +index d87dd6d..bf3fa66 100644 +--- a/arch/x86/mm/kmemcheck/kmemcheck.c ++++ b/arch/x86/mm/kmemcheck/kmemcheck.c +@@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *regs, unsigned long address, + * memory (e.g. tracked pages)? For now, we need this to avoid + * invoking kmemcheck for PnP BIOS calls. + */ +- if (regs->flags & X86_VM_MASK) ++ if (v8086_mode(regs)) + return false; +- if (regs->cs != __KERNEL_CS) ++ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS) + return false; + + pte = kmemcheck_pte_lookup(address); +diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c +index 25e7e13..1964579 100644 +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -52,7 +52,7 @@ static unsigned int stack_maxrandom_size(void) + * Leave an at least ~128 MB hole with possible stack randomization. + */ + #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size()) +-#define MAX_GAP (TASK_SIZE/6*5) ++#define MAX_GAP (pax_task_size/6*5) + + static int mmap_is_legacy(void) + { +@@ -82,27 +82,40 @@ static unsigned long mmap_rnd(void) + return rnd << PAGE_SHIFT; + } + +-static unsigned long mmap_base(void) ++static unsigned long mmap_base(struct mm_struct *mm) + { + unsigned long gap = rlimit(RLIMIT_STACK); ++ unsigned long pax_task_size = TASK_SIZE; ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) ++ pax_task_size = SEGMEXEC_TASK_SIZE; ++#endif + + if (gap < MIN_GAP) + gap = MIN_GAP; + else if (gap > MAX_GAP) + gap = MAX_GAP; + +- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd()); ++ return PAGE_ALIGN(pax_task_size - gap - mmap_rnd()); + } + + /* + * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64 + * does, but not when emulating X86_32 + */ +-static unsigned long mmap_legacy_base(void) ++static unsigned long mmap_legacy_base(struct mm_struct *mm) + { +- if (mmap_is_ia32()) ++ if (mmap_is_ia32()) { ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) ++ return SEGMEXEC_TASK_UNMAPPED_BASE; ++ else ++#endif ++ + return TASK_UNMAPPED_BASE; +- else ++ } else + return TASK_UNMAPPED_BASE + mmap_rnd(); + } + +@@ -112,8 +125,15 @@ static unsigned long mmap_legacy_base(void) + */ + void arch_pick_mmap_layout(struct mm_struct *mm) + { +- mm->mmap_legacy_base = mmap_legacy_base(); +- mm->mmap_base = mmap_base(); ++ mm->mmap_legacy_base = mmap_legacy_base(mm); ++ mm->mmap_base = mmap_base(mm); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (mm->pax_flags & MF_PAX_RANDMMAP) { ++ mm->mmap_legacy_base += mm->delta_mmap; ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; ++ } ++#endif + + if (mmap_is_legacy()) { + mm->mmap_base = mm->mmap_legacy_base; +diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c +index 0057a7a..95c7edd 100644 +--- a/arch/x86/mm/mmio-mod.c ++++ b/arch/x86/mm/mmio-mod.c +@@ -194,7 +194,7 @@ static void pre(struct kmmio_probe *p, struct pt_regs *regs, + break; + default: + { +- unsigned char *ip = (unsigned char *)instptr; ++ unsigned char *ip = (unsigned char *)ktla_ktva(instptr); + my_trace->opcode = MMIO_UNKNOWN_OP; + my_trace->width = 0; + my_trace->value = (*ip) << 16 | *(ip + 1) << 8 | +@@ -234,7 +234,7 @@ static void post(struct kmmio_probe *p, unsigned long condition, + static void ioremap_trace_core(resource_size_t offset, unsigned long size, + void __iomem *addr) + { +- static atomic_t next_id; ++ static atomic_unchecked_t next_id; + struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL); + /* These are page-unaligned. */ + struct mmiotrace_map map = { +@@ -258,7 +258,7 @@ static void ioremap_trace_core(resource_size_t offset, unsigned long size, + .private = trace + }, + .phys = offset, +- .id = atomic_inc_return(&next_id) ++ .id = atomic_inc_return_unchecked(&next_id) + }; + map.map_id = trace->id; + +@@ -290,7 +290,7 @@ void mmiotrace_ioremap(resource_size_t offset, unsigned long size, + ioremap_trace_core(offset, size, addr); + } + +-static void iounmap_trace_core(volatile void __iomem *addr) ++static void iounmap_trace_core(const volatile void __iomem *addr) + { + struct mmiotrace_map map = { + .phys = 0, +@@ -328,7 +328,7 @@ not_enabled: + } + } + +-void mmiotrace_iounmap(volatile void __iomem *addr) ++void mmiotrace_iounmap(const volatile void __iomem *addr) + { + might_sleep(); + if (is_enabled()) /* recheck and proper locking in *_core() */ +diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c +index 27aa0455..0eb1406 100644 +--- a/arch/x86/mm/numa.c ++++ b/arch/x86/mm/numa.c +@@ -478,7 +478,7 @@ static bool __init numa_meminfo_cover_memory(const struct numa_meminfo *mi) + return true; + } + +-static int __init numa_register_memblks(struct numa_meminfo *mi) ++static int __init __intentional_overflow(-1) numa_register_memblks(struct numa_meminfo *mi) + { + unsigned long uninitialized_var(pfn_align); + int i, nid; +diff --git a/arch/x86/mm/pageattr-test.c b/arch/x86/mm/pageattr-test.c +index 461bc82..4e091a3 100644 +--- a/arch/x86/mm/pageattr-test.c ++++ b/arch/x86/mm/pageattr-test.c +@@ -35,7 +35,7 @@ enum { + + static int pte_testbit(pte_t pte) + { +- return pte_flags(pte) & _PAGE_UNUSED1; ++ return pte_flags(pte) & _PAGE_CPA_TEST; + } + + struct split_state { +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index a348868..3c64310 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -262,7 +262,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, + */ + #ifdef CONFIG_PCI_BIOS + if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT)) +- pgprot_val(forbidden) |= _PAGE_NX; ++ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask; + #endif + + /* +@@ -270,9 +270,10 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, + * Does not cover __inittext since that is gone later on. On + * 64bit we do not enforce !NX on the low mapping + */ +- if (within(address, (unsigned long)_text, (unsigned long)_etext)) +- pgprot_val(forbidden) |= _PAGE_NX; ++ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext))) ++ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask; + ++#ifdef CONFIG_DEBUG_RODATA + /* + * The .rodata section needs to be read-only. Using the pfn + * catches all aliases. +@@ -280,6 +281,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, + if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, + __pa_symbol(__end_rodata) >> PAGE_SHIFT)) + pgprot_val(forbidden) |= _PAGE_RW; ++#endif + + #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA) + /* +@@ -318,6 +320,13 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, + } + #endif + ++#ifdef CONFIG_PAX_KERNEXEC ++ if (within(pfn, __pa(ktla_ktva((unsigned long)&_text)), __pa((unsigned long)&_sdata))) { ++ pgprot_val(forbidden) |= _PAGE_RW; ++ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask; ++ } ++#endif ++ + prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden)); + + return prot; +@@ -416,23 +425,37 @@ EXPORT_SYMBOL_GPL(slow_virt_to_phys); + static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte) + { + /* change init_mm */ ++ pax_open_kernel(); + set_pte_atomic(kpte, pte); ++ + #ifdef CONFIG_X86_32 + if (!SHARED_KERNEL_PMD) { ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ unsigned long cpu; ++#else + struct page *page; ++#endif + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { ++ pgd_t *pgd = get_cpu_pgd(cpu, kernel); ++#else + list_for_each_entry(page, &pgd_list, lru) { +- pgd_t *pgd; ++ pgd_t *pgd = (pgd_t *)page_address(page); ++#endif ++ + pud_t *pud; + pmd_t *pmd; + +- pgd = (pgd_t *)page_address(page) + pgd_index(address); ++ pgd += pgd_index(address); + pud = pud_offset(pgd, address); + pmd = pmd_offset(pud, address); + set_pte_atomic((pte_t *)pmd, pte); + } + } + #endif ++ pax_close_kernel(); + } + + static int +diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c +index 6574388..87e9bef 100644 +--- a/arch/x86/mm/pat.c ++++ b/arch/x86/mm/pat.c +@@ -376,7 +376,7 @@ int free_memtype(u64 start, u64 end) + + if (!entry) { + printk(KERN_INFO "%s:%d freeing invalid memtype [mem %#010Lx-%#010Lx]\n", +- current->comm, current->pid, start, end - 1); ++ current->comm, task_pid_nr(current), start, end - 1); + return -EINVAL; + } + +@@ -506,8 +506,8 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size) + + while (cursor < to) { + if (!devmem_is_allowed(pfn)) { +- printk(KERN_INFO "Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx]\n", +- current->comm, from, to - 1); ++ printk(KERN_INFO "Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx] (%#010Lx)\n", ++ current->comm, from, to - 1, cursor); + return 0; + } + cursor += PAGE_SIZE; +@@ -577,7 +577,7 @@ int kernel_map_sync_memtype(u64 base, unsigned long size, unsigned long flags) + if (ioremap_change_attr((unsigned long)__va(base), id_sz, flags) < 0) { + printk(KERN_INFO "%s:%d ioremap_change_attr failed %s " + "for [mem %#010Lx-%#010Lx]\n", +- current->comm, current->pid, ++ current->comm, task_pid_nr(current), + cattr_name(flags), + base, (unsigned long long)(base + size-1)); + return -EINVAL; +@@ -612,7 +612,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot, + flags = lookup_memtype(paddr); + if (want_flags != flags) { + printk(KERN_WARNING "%s:%d map pfn RAM range req %s for [mem %#010Lx-%#010Lx], got %s\n", +- current->comm, current->pid, ++ current->comm, task_pid_nr(current), + cattr_name(want_flags), + (unsigned long long)paddr, + (unsigned long long)(paddr + size - 1), +@@ -634,7 +634,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot, + free_memtype(paddr, paddr + size); + printk(KERN_ERR "%s:%d map pfn expected mapping type %s" + " for [mem %#010Lx-%#010Lx], got %s\n", +- current->comm, current->pid, ++ current->comm, task_pid_nr(current), + cattr_name(want_flags), + (unsigned long long)paddr, + (unsigned long long)(paddr + size - 1), +diff --git a/arch/x86/mm/pat_rbtree.c b/arch/x86/mm/pat_rbtree.c +index 415f6c4..d319983 100644 +--- a/arch/x86/mm/pat_rbtree.c ++++ b/arch/x86/mm/pat_rbtree.c +@@ -160,7 +160,7 @@ success: + + failure: + printk(KERN_INFO "%s:%d conflicting memory types " +- "%Lx-%Lx %s<->%s\n", current->comm, current->pid, start, ++ "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), start, + end, cattr_name(found_type), cattr_name(match->type)); + return -EBUSY; + } +diff --git a/arch/x86/mm/pf_in.c b/arch/x86/mm/pf_in.c +index 9f0614d..92ae64a 100644 +--- a/arch/x86/mm/pf_in.c ++++ b/arch/x86/mm/pf_in.c +@@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned long ins_addr) + int i; + enum reason_type rv = OTHERS; + +- p = (unsigned char *)ins_addr; ++ p = (unsigned char *)ktla_ktva(ins_addr); + p += skip_prefix(p, &prf); + p += get_opcode(p, &opcode); + +@@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(unsigned long ins_addr) + struct prefix_bits prf; + int i; + +- p = (unsigned char *)ins_addr; ++ p = (unsigned char *)ktla_ktva(ins_addr); + p += skip_prefix(p, &prf); + p += get_opcode(p, &opcode); + +@@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned long ins_addr) + struct prefix_bits prf; + int i; + +- p = (unsigned char *)ins_addr; ++ p = (unsigned char *)ktla_ktva(ins_addr); + p += skip_prefix(p, &prf); + p += get_opcode(p, &opcode); + +@@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned long ins_addr, struct pt_regs *regs) + struct prefix_bits prf; + int i; + +- p = (unsigned char *)ins_addr; ++ p = (unsigned char *)ktla_ktva(ins_addr); + p += skip_prefix(p, &prf); + p += get_opcode(p, &opcode); + for (i = 0; i < ARRAY_SIZE(reg_rop); i++) +@@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned long ins_addr) + struct prefix_bits prf; + int i; + +- p = (unsigned char *)ins_addr; ++ p = (unsigned char *)ktla_ktva(ins_addr); + p += skip_prefix(p, &prf); + p += get_opcode(p, &opcode); + for (i = 0; i < ARRAY_SIZE(imm_wop); i++) +diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c +index c96314a..433b127 100644 +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -97,10 +97,71 @@ static inline void pgd_list_del(pgd_t *pgd) + list_del(&page->lru); + } + +-#define UNSHARED_PTRS_PER_PGD \ +- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD) ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT; + ++void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) ++{ ++ unsigned int count = USER_PGD_PTRS; + ++ if (!pax_user_shadow_base) ++ return; ++ ++ while (count--) ++ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER); ++} ++#endif ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++void __clone_user_pgds(pgd_t *dst, const pgd_t *src) ++{ ++ unsigned int count = USER_PGD_PTRS; ++ ++ while (count--) { ++ pgd_t pgd; ++ ++#ifdef CONFIG_X86_64 ++ pgd = __pgd(pgd_val(*src++) | _PAGE_USER); ++#else ++ pgd = *src++; ++#endif ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) ++ pgd = __pgd(pgd_val(pgd) & clone_pgd_mask); ++#endif ++ ++ *dst++ = pgd; ++ } ++ ++} ++#endif ++ ++#ifdef CONFIG_X86_64 ++#define pxd_t pud_t ++#define pyd_t pgd_t ++#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn) ++#define pgtable_pxd_page_ctor(page) true ++#define pgtable_pxd_page_dtor(page) ++#define pxd_free(mm, pud) pud_free((mm), (pud)) ++#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud)) ++#define pyd_offset(mm, address) pgd_offset((mm), (address)) ++#define PYD_SIZE PGDIR_SIZE ++#else ++#define pxd_t pmd_t ++#define pyd_t pud_t ++#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn) ++#define pgtable_pxd_page_ctor(page) pgtable_pmd_page_ctor(page) ++#define pgtable_pxd_page_dtor(page) pgtable_pmd_page_dtor(page) ++#define pxd_free(mm, pud) pmd_free((mm), (pud)) ++#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud)) ++#define pyd_offset(mm, address) pud_offset((mm), (address)) ++#define PYD_SIZE PUD_SIZE ++#endif ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {} ++static inline void pgd_dtor(pgd_t *pgd) {} ++#else + static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm) + { + BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm)); +@@ -141,6 +202,7 @@ static void pgd_dtor(pgd_t *pgd) + pgd_list_del(pgd); + spin_unlock(&pgd_lock); + } ++#endif + + /* + * List of all pgd's needed for non-PAE so it can invalidate entries +@@ -153,7 +215,7 @@ static void pgd_dtor(pgd_t *pgd) + * -- nyc + */ + +-#ifdef CONFIG_X86_PAE ++#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) + /* + * In PAE mode, we need to do a cr3 reload (=tlb flush) when + * updating the top-level pagetable entries to guarantee the +@@ -165,7 +227,7 @@ static void pgd_dtor(pgd_t *pgd) + * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate + * and initialize the kernel pmds here. + */ +-#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD ++#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD) + + void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) + { +@@ -183,43 +245,45 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) + */ + flush_tlb_mm(mm); + } ++#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD) ++#define PREALLOCATED_PXDS USER_PGD_PTRS + #else /* !CONFIG_X86_PAE */ + + /* No need to prepopulate any pagetable entries in non-PAE modes. */ +-#define PREALLOCATED_PMDS 0 ++#define PREALLOCATED_PXDS 0 + + #endif /* CONFIG_X86_PAE */ + +-static void free_pmds(pmd_t *pmds[]) ++static void free_pxds(pxd_t *pxds[]) + { + int i; + +- for(i = 0; i < PREALLOCATED_PMDS; i++) +- if (pmds[i]) { +- pgtable_pmd_page_dtor(virt_to_page(pmds[i])); +- free_page((unsigned long)pmds[i]); ++ for(i = 0; i < PREALLOCATED_PXDS; i++) ++ if (pxds[i]) { ++ pgtable_pxd_page_dtor(virt_to_page(pxds[i])); ++ free_page((unsigned long)pxds[i]); + } + } + +-static int preallocate_pmds(pmd_t *pmds[]) ++static int preallocate_pxds(pxd_t *pxds[]) + { + int i; + bool failed = false; + +- for(i = 0; i < PREALLOCATED_PMDS; i++) { +- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP); +- if (!pmd) ++ for(i = 0; i < PREALLOCATED_PXDS; i++) { ++ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP); ++ if (!pxd) + failed = true; +- if (pmd && !pgtable_pmd_page_ctor(virt_to_page(pmd))) { +- free_page((unsigned long)pmd); +- pmd = NULL; ++ if (pxd && !pgtable_pxd_page_ctor(virt_to_page(pxd))) { ++ free_page((unsigned long)pxd); ++ pxd = NULL; + failed = true; + } +- pmds[i] = pmd; ++ pxds[i] = pxd; + } + + if (failed) { +- free_pmds(pmds); ++ free_pxds(pxds); + return -ENOMEM; + } + +@@ -232,49 +296,52 @@ static int preallocate_pmds(pmd_t *pmds[]) + * preallocate which never got a corresponding vma will need to be + * freed manually. + */ +-static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp) ++static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp) + { + int i; + +- for(i = 0; i < PREALLOCATED_PMDS; i++) { ++ for(i = 0; i < PREALLOCATED_PXDS; i++) { + pgd_t pgd = pgdp[i]; + + if (pgd_val(pgd) != 0) { +- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd); ++ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd); + +- pgdp[i] = native_make_pgd(0); ++ set_pgd(pgdp + i, native_make_pgd(0)); + +- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT); +- pmd_free(mm, pmd); ++ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT); ++ pxd_free(mm, pxd); + } + } + } + +-static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[]) ++static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[]) + { +- pud_t *pud; ++ pyd_t *pyd; + int i; + +- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */ ++ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */ + return; + +- pud = pud_offset(pgd, 0); +- +- for (i = 0; i < PREALLOCATED_PMDS; i++, pud++) { +- pmd_t *pmd = pmds[i]; ++#ifdef CONFIG_X86_64 ++ pyd = pyd_offset(mm, 0L); ++#else ++ pyd = pyd_offset(pgd, 0L); ++#endif + ++ for (i = 0; i < PREALLOCATED_PXDS; i++, pyd++) { ++ pxd_t *pxd = pxds[i]; + if (i >= KERNEL_PGD_BOUNDARY) +- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]), +- sizeof(pmd_t) * PTRS_PER_PMD); ++ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]), ++ sizeof(pxd_t) * PTRS_PER_PMD); + +- pud_populate(mm, pud, pmd); ++ pyd_populate(mm, pyd, pxd); + } + } + + pgd_t *pgd_alloc(struct mm_struct *mm) + { + pgd_t *pgd; +- pmd_t *pmds[PREALLOCATED_PMDS]; ++ pxd_t *pxds[PREALLOCATED_PXDS]; + + pgd = (pgd_t *)__get_free_page(PGALLOC_GFP); + +@@ -283,11 +350,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm) + + mm->pgd = pgd; + +- if (preallocate_pmds(pmds) != 0) ++ if (preallocate_pxds(pxds) != 0) + goto out_free_pgd; + + if (paravirt_pgd_alloc(mm) != 0) +- goto out_free_pmds; ++ goto out_free_pxds; + + /* + * Make sure that pre-populating the pmds is atomic with +@@ -297,14 +364,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm) + spin_lock(&pgd_lock); + + pgd_ctor(mm, pgd); +- pgd_prepopulate_pmd(mm, pgd, pmds); ++ pgd_prepopulate_pxd(mm, pgd, pxds); + + spin_unlock(&pgd_lock); + + return pgd; + +-out_free_pmds: +- free_pmds(pmds); ++out_free_pxds: ++ free_pxds(pxds); + out_free_pgd: + free_page((unsigned long)pgd); + out: +@@ -313,7 +380,7 @@ out: + + void pgd_free(struct mm_struct *mm, pgd_t *pgd) + { +- pgd_mop_up_pmds(mm, pgd); ++ pgd_mop_up_pxds(mm, pgd); + pgd_dtor(pgd); + paravirt_pgd_free(mm, pgd); + free_page((unsigned long)pgd); +diff --git a/arch/x86/mm/pgtable_32.c b/arch/x86/mm/pgtable_32.c +index a69bcb8..19068ab 100644 +--- a/arch/x86/mm/pgtable_32.c ++++ b/arch/x86/mm/pgtable_32.c +@@ -47,10 +47,13 @@ void set_pte_vaddr(unsigned long vaddr, pte_t pteval) + return; + } + pte = pte_offset_kernel(pmd, vaddr); ++ ++ pax_open_kernel(); + if (pte_val(pteval)) + set_pte_at(&init_mm, vaddr, pte, pteval); + else + pte_clear(&init_mm, vaddr, pte); ++ pax_close_kernel(); + + /* + * It's enough to flush this one mapping. +diff --git a/arch/x86/mm/physaddr.c b/arch/x86/mm/physaddr.c +index e666cbb..61788c45 100644 +--- a/arch/x86/mm/physaddr.c ++++ b/arch/x86/mm/physaddr.c +@@ -10,7 +10,7 @@ + #ifdef CONFIG_X86_64 + + #ifdef CONFIG_DEBUG_VIRTUAL +-unsigned long __phys_addr(unsigned long x) ++unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x) + { + unsigned long y = x - __START_KERNEL_map; + +@@ -67,7 +67,7 @@ EXPORT_SYMBOL(__virt_addr_valid); + #else + + #ifdef CONFIG_DEBUG_VIRTUAL +-unsigned long __phys_addr(unsigned long x) ++unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x) + { + unsigned long phys_addr = x - PAGE_OFFSET; + /* VMALLOC_* aren't constants */ +diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c +index 90555bf..f5f1828 100644 +--- a/arch/x86/mm/setup_nx.c ++++ b/arch/x86/mm/setup_nx.c +@@ -5,8 +5,10 @@ + #include + #include + ++#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) + static int disable_nx; + ++#ifndef CONFIG_PAX_PAGEEXEC + /* + * noexec = on|off + * +@@ -28,12 +30,17 @@ static int __init noexec_setup(char *str) + return 0; + } + early_param("noexec", noexec_setup); ++#endif ++ ++#endif + + void x86_configure_nx(void) + { ++#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) + if (cpu_has_nx && !disable_nx) + __supported_pte_mask |= _PAGE_NX; + else ++#endif + __supported_pte_mask &= ~_PAGE_NX; + } + +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index dd8dda1..9e9b0f6 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -48,7 +48,11 @@ void leave_mm(int cpu) + BUG(); + if (cpumask_test_cpu(cpu, mm_cpumask(active_mm))) { + cpumask_clear_cpu(cpu, mm_cpumask(active_mm)); ++ ++#ifndef CONFIG_PAX_PER_CPU_PGD + load_cr3(swapper_pg_dir); ++#endif ++ + } + } + EXPORT_SYMBOL_GPL(leave_mm); +diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c +new file mode 100644 +index 0000000..dace51c +--- /dev/null ++++ b/arch/x86/mm/uderef_64.c +@@ -0,0 +1,37 @@ ++#include ++#include ++#include ++ ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++/* PaX: due to the special call convention these functions must ++ * - remain leaf functions under all configurations, ++ * - never be called directly, only dereferenced from the wrappers. ++ */ ++void __pax_open_userland(void) ++{ ++ unsigned int cpu; ++ ++ if (unlikely(!segment_eq(get_fs(), USER_DS))) ++ return; ++ ++ cpu = raw_get_cpu(); ++ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL); ++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH); ++ raw_put_cpu_no_resched(); ++} ++EXPORT_SYMBOL(__pax_open_userland); ++ ++void __pax_close_userland(void) ++{ ++ unsigned int cpu; ++ ++ if (unlikely(!segment_eq(get_fs(), USER_DS))) ++ return; ++ ++ cpu = raw_get_cpu(); ++ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER); ++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH); ++ raw_put_cpu_no_resched(); ++} ++EXPORT_SYMBOL(__pax_close_userland); ++#endif +diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S +index 0149575..f746de8 100644 +--- a/arch/x86/net/bpf_jit.S ++++ b/arch/x86/net/bpf_jit.S +@@ -9,6 +9,7 @@ + */ + #include + #include ++#include + + /* + * Calling convention : +@@ -35,6 +36,7 @@ sk_load_word_positive_offset: + jle bpf_slow_path_word + mov (SKBDATA,%rsi),%eax + bswap %eax /* ntohl() */ ++ pax_force_retaddr + ret + + sk_load_half: +@@ -52,6 +54,7 @@ sk_load_half_positive_offset: + jle bpf_slow_path_half + movzwl (SKBDATA,%rsi),%eax + rol $8,%ax # ntohs() ++ pax_force_retaddr + ret + + sk_load_byte: +@@ -66,6 +69,7 @@ sk_load_byte_positive_offset: + cmp %esi,%r9d /* if (offset >= hlen) goto bpf_slow_path_byte */ + jle bpf_slow_path_byte + movzbl (SKBDATA,%rsi),%eax ++ pax_force_retaddr + ret + + /** +@@ -87,6 +91,7 @@ sk_load_byte_msh_positive_offset: + movzbl (SKBDATA,%rsi),%ebx + and $15,%bl + shl $2,%bl ++ pax_force_retaddr + ret + + /* rsi contains offset and can be scratched */ +@@ -109,6 +114,7 @@ bpf_slow_path_word: + js bpf_error + mov -12(%rbp),%eax + bswap %eax ++ pax_force_retaddr + ret + + bpf_slow_path_half: +@@ -117,12 +123,14 @@ bpf_slow_path_half: + mov -12(%rbp),%ax + rol $8,%ax + movzwl %ax,%eax ++ pax_force_retaddr + ret + + bpf_slow_path_byte: + bpf_slow_path_common(1) + js bpf_error + movzbl -12(%rbp),%eax ++ pax_force_retaddr + ret + + bpf_slow_path_byte_msh: +@@ -133,6 +141,7 @@ bpf_slow_path_byte_msh: + and $15,%al + shl $2,%al + xchg %eax,%ebx ++ pax_force_retaddr + ret + + #define sk_negative_common(SIZE) \ +@@ -157,6 +166,7 @@ sk_load_word_negative_offset: + sk_negative_common(4) + mov (%rax), %eax + bswap %eax ++ pax_force_retaddr + ret + + bpf_slow_path_half_neg: +@@ -168,6 +178,7 @@ sk_load_half_negative_offset: + mov (%rax),%ax + rol $8,%ax + movzwl %ax,%eax ++ pax_force_retaddr + ret + + bpf_slow_path_byte_neg: +@@ -177,6 +188,7 @@ sk_load_byte_negative_offset: + .globl sk_load_byte_negative_offset + sk_negative_common(1) + movzbl (%rax), %eax ++ pax_force_retaddr + ret + + bpf_slow_path_byte_msh_neg: +@@ -190,6 +202,7 @@ sk_load_byte_msh_negative_offset: + and $15,%al + shl $2,%al + xchg %eax,%ebx ++ pax_force_retaddr + ret + + bpf_error: +@@ -197,4 +210,5 @@ bpf_error: + xor %eax,%eax + mov -8(%rbp),%rbx + leaveq ++ pax_force_retaddr + ret +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 4ed75dd..3cf24f0b 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -50,13 +50,90 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) + return ptr + len; + } + ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++#define MAX_INSTR_CODE_SIZE 96 ++#else ++#define MAX_INSTR_CODE_SIZE 64 ++#endif ++ + #define EMIT(bytes, len) do { prog = emit_code(prog, bytes, len); } while (0) + + #define EMIT1(b1) EMIT(b1, 1) + #define EMIT2(b1, b2) EMIT((b1) + ((b2) << 8), 2) + #define EMIT3(b1, b2, b3) EMIT((b1) + ((b2) << 8) + ((b3) << 16), 3) + #define EMIT4(b1, b2, b3, b4) EMIT((b1) + ((b2) << 8) + ((b3) << 16) + ((b4) << 24), 4) ++ ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++/* original constant will appear in ecx */ ++#define DILUTE_CONST_SEQUENCE(_off, _key) \ ++do { \ ++ /* mov ecx, randkey */ \ ++ EMIT1(0xb9); \ ++ EMIT(_key, 4); \ ++ /* xor ecx, randkey ^ off */ \ ++ EMIT2(0x81, 0xf1); \ ++ EMIT((_key) ^ (_off), 4); \ ++} while (0) ++ ++#define EMIT1_off32(b1, _off) \ ++do { \ ++ switch (b1) { \ ++ case 0x05: /* add eax, imm32 */ \ ++ case 0x2d: /* sub eax, imm32 */ \ ++ case 0x25: /* and eax, imm32 */ \ ++ case 0x0d: /* or eax, imm32 */ \ ++ case 0xb8: /* mov eax, imm32 */ \ ++ case 0x35: /* xor eax, imm32 */ \ ++ case 0x3d: /* cmp eax, imm32 */ \ ++ case 0xa9: /* test eax, imm32 */ \ ++ DILUTE_CONST_SEQUENCE(_off, randkey); \ ++ EMIT2((b1) - 4, 0xc8); /* convert imm instruction to eax, ecx */\ ++ break; \ ++ case 0xbb: /* mov ebx, imm32 */ \ ++ DILUTE_CONST_SEQUENCE(_off, randkey); \ ++ /* mov ebx, ecx */ \ ++ EMIT2(0x89, 0xcb); \ ++ break; \ ++ case 0xbe: /* mov esi, imm32 */ \ ++ DILUTE_CONST_SEQUENCE(_off, randkey); \ ++ /* mov esi, ecx */ \ ++ EMIT2(0x89, 0xce); \ ++ break; \ ++ case 0xe8: /* call rel imm32, always to known funcs */ \ ++ EMIT1(b1); \ ++ EMIT(_off, 4); \ ++ break; \ ++ case 0xe9: /* jmp rel imm32 */ \ ++ EMIT1(b1); \ ++ EMIT(_off, 4); \ ++ /* prevent fall-through, we're not called if off = 0 */ \ ++ EMIT(0xcccccccc, 4); \ ++ EMIT(0xcccccccc, 4); \ ++ break; \ ++ default: \ ++ BUILD_BUG(); \ ++ } \ ++} while (0) ++ ++#define EMIT2_off32(b1, b2, _off) \ ++do { \ ++ if ((b1) == 0x8d && (b2) == 0xb3) { /* lea esi, [rbx+imm32] */ \ ++ EMIT2(0x8d, 0xb3); /* lea esi, [rbx+randkey] */ \ ++ EMIT(randkey, 4); \ ++ EMIT2(0x8d, 0xb6); /* lea esi, [esi+off-randkey] */ \ ++ EMIT((_off) - randkey, 4); \ ++ } else if ((b1) == 0x69 && (b2) == 0xc0) { /* imul eax, imm32 */\ ++ DILUTE_CONST_SEQUENCE(_off, randkey); \ ++ /* imul eax, ecx */ \ ++ EMIT3(0x0f, 0xaf, 0xc1); \ ++ } else { \ ++ BUILD_BUG(); \ ++ } \ ++} while (0) ++#else + #define EMIT1_off32(b1, off) do { EMIT1(b1); EMIT(off, 4);} while (0) ++#define EMIT2_off32(b1, b2, off) do { EMIT2(b1, b2); EMIT(off, 4);} while (0) ++#endif + + #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */ + #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */ +@@ -91,6 +168,24 @@ do { \ + #define X86_JBE 0x76 + #define X86_JA 0x77 + ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++#define APPEND_FLOW_VERIFY() \ ++do { \ ++ /* mov ecx, randkey */ \ ++ EMIT1(0xb9); \ ++ EMIT(randkey, 4); \ ++ /* cmp ecx, randkey */ \ ++ EMIT2(0x81, 0xf9); \ ++ EMIT(randkey, 4); \ ++ /* jz after 8 int 3s */ \ ++ EMIT2(0x74, 0x08); \ ++ EMIT(0xcccccccc, 4); \ ++ EMIT(0xcccccccc, 4); \ ++} while (0) ++#else ++#define APPEND_FLOW_VERIFY() do { } while (0) ++#endif ++ + #define EMIT_COND_JMP(op, offset) \ + do { \ + if (is_near(offset)) \ +@@ -98,6 +193,7 @@ do { \ + else { \ + EMIT2(0x0f, op + 0x10); \ + EMIT(offset, 4); /* jxx .+off32 */ \ ++ APPEND_FLOW_VERIFY(); \ + } \ + } while (0) + +@@ -145,55 +241,54 @@ static int pkt_type_offset(void) + return -1; + } + +-struct bpf_binary_header { +- unsigned int pages; +- /* Note : for security reasons, bpf code will follow a randomly +- * sized amount of int3 instructions +- */ +- u8 image[]; +-}; +- +-static struct bpf_binary_header *bpf_alloc_binary(unsigned int proglen, ++/* Note : for security reasons, bpf code will follow a randomly ++ * sized amount of int3 instructions ++ */ ++static u8 *bpf_alloc_binary(unsigned int proglen, + u8 **image_ptr) + { + unsigned int sz, hole; +- struct bpf_binary_header *header; ++ u8 *header; + + /* Most of BPF filters are really small, + * but if some of them fill a page, allow at least + * 128 extra bytes to insert a random section of int3 + */ +- sz = round_up(proglen + sizeof(*header) + 128, PAGE_SIZE); +- header = module_alloc(sz); ++ sz = round_up(proglen + 128, PAGE_SIZE); ++ header = module_alloc_exec(sz); + if (!header) + return NULL; + ++ pax_open_kernel(); + memset(header, 0xcc, sz); /* fill whole space with int3 instructions */ ++ pax_close_kernel(); + +- header->pages = sz / PAGE_SIZE; +- hole = sz - (proglen + sizeof(*header)); ++ hole = PAGE_SIZE - (proglen & ~PAGE_MASK); + + /* insert a random number of int3 instructions before BPF code */ +- *image_ptr = &header->image[prandom_u32() % hole]; ++ *image_ptr = &header[prandom_u32() % hole]; + return header; + } + + void bpf_jit_compile(struct sk_filter *fp) + { +- u8 temp[64]; ++ u8 temp[MAX_INSTR_CODE_SIZE]; + u8 *prog; + unsigned int proglen, oldproglen = 0; + int ilen, i; + int t_offset, f_offset; + u8 t_op, f_op, seen = 0, pass; + u8 *image = NULL; +- struct bpf_binary_header *header = NULL; ++ u8 *header = NULL; + u8 *func; + int pc_ret0 = -1; /* bpf index of first RET #0 instruction (if any) */ + unsigned int cleanup_addr; /* epilogue code offset */ + unsigned int *addrs; + const struct sock_filter *filter = fp->insns; + int flen = fp->len; ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++ unsigned int randkey; ++#endif + + if (!bpf_jit_enable) + return; +@@ -203,10 +298,10 @@ void bpf_jit_compile(struct sk_filter *fp) + return; + + /* Before first pass, make a rough estimation of addrs[] +- * each bpf instruction is translated to less than 64 bytes ++ * each bpf instruction is translated to less than MAX_INSTR_CODE_SIZE bytes + */ + for (proglen = 0, i = 0; i < flen; i++) { +- proglen += 64; ++ proglen += MAX_INSTR_CODE_SIZE; + addrs[i] = proglen; + } + cleanup_addr = proglen; /* epilogue address */ +@@ -285,6 +380,10 @@ void bpf_jit_compile(struct sk_filter *fp) + for (i = 0; i < flen; i++) { + unsigned int K = filter[i].k; + ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++ randkey = prandom_u32(); ++#endif ++ + switch (filter[i].code) { + case BPF_S_ALU_ADD_X: /* A += X; */ + seen |= SEEN_XREG; +@@ -317,10 +416,8 @@ void bpf_jit_compile(struct sk_filter *fp) + case BPF_S_ALU_MUL_K: /* A *= K */ + if (is_imm8(K)) + EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */ +- else { +- EMIT2(0x69, 0xc0); /* imul imm32,%eax */ +- EMIT(K, 4); +- } ++ else ++ EMIT2_off32(0x69, 0xc0, K); /* imul imm32,%eax */ + break; + case BPF_S_ALU_DIV_X: /* A /= X; */ + seen |= SEEN_XREG; +@@ -364,7 +461,11 @@ void bpf_jit_compile(struct sk_filter *fp) + break; + } + EMIT2(0x31, 0xd2); /* xor %edx,%edx */ ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++ DILUTE_CONST_SEQUENCE(K, randkey); ++#else + EMIT1(0xb9);EMIT(K, 4); /* mov imm32,%ecx */ ++#endif + EMIT2(0xf7, 0xf1); /* div %ecx */ + EMIT2(0x89, 0xd0); /* mov %edx,%eax */ + break; +@@ -372,7 +473,11 @@ void bpf_jit_compile(struct sk_filter *fp) + if (K == 1) + break; + EMIT2(0x31, 0xd2); /* xor %edx,%edx */ ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++ DILUTE_CONST_SEQUENCE(K, randkey); ++#else + EMIT1(0xb9);EMIT(K, 4); /* mov imm32,%ecx */ ++#endif + EMIT2(0xf7, 0xf1); /* div %ecx */ + break; + case BPF_S_ALU_AND_X: +@@ -643,8 +748,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG; + if (is_imm8(K)) { + EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */ + } else { +- EMIT2(0x8d, 0xb3); /* lea imm32(%rbx),%esi */ +- EMIT(K, 4); ++ EMIT2_off32(0x8d, 0xb3, K); /* lea imm32(%rbx),%esi */ + } + } else { + EMIT2(0x89,0xde); /* mov %ebx,%esi */ +@@ -734,10 +838,12 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; + if (unlikely(proglen + ilen > oldproglen)) { + pr_err("bpb_jit_compile fatal error\n"); + kfree(addrs); +- module_free(NULL, header); ++ module_free_exec(NULL, image); + return; + } ++ pax_open_kernel(); + memcpy(image + proglen, temp, ilen); ++ pax_close_kernel(); + } + proglen += ilen; + addrs[i] = proglen; +@@ -770,7 +876,6 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; + + if (image) { + bpf_flush_icache(header, image + proglen); +- set_memory_ro((unsigned long)header, header->pages); + fp->bpf_func = (void *)image; + } + out: +@@ -782,10 +887,9 @@ static void bpf_jit_free_deferred(struct work_struct *work) + { + struct sk_filter *fp = container_of(work, struct sk_filter, work); + unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK; +- struct bpf_binary_header *header = (void *)addr; + +- set_memory_rw(addr, header->pages); +- module_free(NULL, header); ++ set_memory_rw(addr, 1); ++ module_free_exec(NULL, (void *)addr); + kfree(fp); + } + +diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c +index 5d04be5..2beeaa2 100644 +--- a/arch/x86/oprofile/backtrace.c ++++ b/arch/x86/oprofile/backtrace.c +@@ -46,11 +46,11 @@ dump_user_backtrace_32(struct stack_frame_ia32 *head) + struct stack_frame_ia32 *fp; + unsigned long bytes; + +- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead)); ++ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead)); + if (bytes != 0) + return NULL; + +- fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame); ++ fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame); + + oprofile_add_trace(bufhead[0].return_address); + +@@ -92,7 +92,7 @@ static struct stack_frame *dump_user_backtrace(struct stack_frame *head) + struct stack_frame bufhead[2]; + unsigned long bytes; + +- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead)); ++ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead)); + if (bytes != 0) + return NULL; + +@@ -111,7 +111,7 @@ x86_backtrace(struct pt_regs * const regs, unsigned int depth) + { + struct stack_frame *head = (struct stack_frame *)frame_pointer(regs); + +- if (!user_mode_vm(regs)) { ++ if (!user_mode(regs)) { + unsigned long stack = kernel_stack_pointer(regs); + if (depth) + dump_trace(NULL, regs, (unsigned long *)stack, 0, +diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c +index 6890d84..1dad1f1 100644 +--- a/arch/x86/oprofile/nmi_int.c ++++ b/arch/x86/oprofile/nmi_int.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include "op_counter.h" + #include "op_x86_model.h" +@@ -774,8 +775,11 @@ int __init op_nmi_init(struct oprofile_operations *ops) + if (ret) + return ret; + +- if (!model->num_virt_counters) +- model->num_virt_counters = model->num_counters; ++ if (!model->num_virt_counters) { ++ pax_open_kernel(); ++ *(unsigned int *)&model->num_virt_counters = model->num_counters; ++ pax_close_kernel(); ++ } + + mux_init(ops); + +diff --git a/arch/x86/oprofile/op_model_amd.c b/arch/x86/oprofile/op_model_amd.c +index 50d86c0..7985318 100644 +--- a/arch/x86/oprofile/op_model_amd.c ++++ b/arch/x86/oprofile/op_model_amd.c +@@ -519,9 +519,11 @@ static int op_amd_init(struct oprofile_operations *ops) + num_counters = AMD64_NUM_COUNTERS; + } + +- op_amd_spec.num_counters = num_counters; +- op_amd_spec.num_controls = num_counters; +- op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS); ++ pax_open_kernel(); ++ *(unsigned int *)&op_amd_spec.num_counters = num_counters; ++ *(unsigned int *)&op_amd_spec.num_controls = num_counters; ++ *(unsigned int *)&op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS); ++ pax_close_kernel(); + + return 0; + } +diff --git a/arch/x86/oprofile/op_model_ppro.c b/arch/x86/oprofile/op_model_ppro.c +index d90528e..0127e2b 100644 +--- a/arch/x86/oprofile/op_model_ppro.c ++++ b/arch/x86/oprofile/op_model_ppro.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include "op_x86_model.h" + #include "op_counter.h" +@@ -221,8 +222,10 @@ static void arch_perfmon_setup_counters(void) + + num_counters = min((int)eax.split.num_counters, OP_MAX_COUNTER); + +- op_arch_perfmon_spec.num_counters = num_counters; +- op_arch_perfmon_spec.num_controls = num_counters; ++ pax_open_kernel(); ++ *(unsigned int *)&op_arch_perfmon_spec.num_counters = num_counters; ++ *(unsigned int *)&op_arch_perfmon_spec.num_controls = num_counters; ++ pax_close_kernel(); + } + + static int arch_perfmon_init(struct oprofile_operations *ignore) +diff --git a/arch/x86/oprofile/op_x86_model.h b/arch/x86/oprofile/op_x86_model.h +index 71e8a67..6a313bb 100644 +--- a/arch/x86/oprofile/op_x86_model.h ++++ b/arch/x86/oprofile/op_x86_model.h +@@ -52,7 +52,7 @@ struct op_x86_model_spec { + void (*switch_ctrl)(struct op_x86_model_spec const *model, + struct op_msrs const * const msrs); + #endif +-}; ++} __do_const; + + struct op_counter_config; + +diff --git a/arch/x86/pci/intel_mid_pci.c b/arch/x86/pci/intel_mid_pci.c +index 84b9d67..260e5ff 100644 +--- a/arch/x86/pci/intel_mid_pci.c ++++ b/arch/x86/pci/intel_mid_pci.c +@@ -245,7 +245,7 @@ int __init intel_mid_pci_init(void) + pr_info("Intel MID platform detected, using MID PCI ops\n"); + pci_mmcfg_late_init(); + pcibios_enable_irq = intel_mid_pci_irq_enable; +- pci_root_ops = intel_mid_pci_ops; ++ memcpy((void *)&pci_root_ops, &intel_mid_pci_ops, sizeof pci_root_ops); + pci_soc_mode = 1; + /* Continue with standard init */ + return 1; +diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c +index 372e9b8..e775a6c 100644 +--- a/arch/x86/pci/irq.c ++++ b/arch/x86/pci/irq.c +@@ -50,7 +50,7 @@ struct irq_router { + struct irq_router_handler { + u16 vendor; + int (*probe)(struct irq_router *r, struct pci_dev *router, u16 device); +-}; ++} __do_const; + + int (*pcibios_enable_irq)(struct pci_dev *dev) = pirq_enable_irq; + void (*pcibios_disable_irq)(struct pci_dev *dev) = NULL; +@@ -794,7 +794,7 @@ static __init int pico_router_probe(struct irq_router *r, struct pci_dev *router + return 0; + } + +-static __initdata struct irq_router_handler pirq_routers[] = { ++static __initconst const struct irq_router_handler pirq_routers[] = { + { PCI_VENDOR_ID_INTEL, intel_router_probe }, + { PCI_VENDOR_ID_AL, ali_router_probe }, + { PCI_VENDOR_ID_ITE, ite_router_probe }, +@@ -821,7 +821,7 @@ static struct pci_dev *pirq_router_dev; + static void __init pirq_find_router(struct irq_router *r) + { + struct irq_routing_table *rt = pirq_table; +- struct irq_router_handler *h; ++ const struct irq_router_handler *h; + + #ifdef CONFIG_PCI_BIOS + if (!rt->signature) { +@@ -1094,7 +1094,7 @@ static int __init fix_acer_tm360_irqrouting(const struct dmi_system_id *d) + return 0; + } + +-static struct dmi_system_id __initdata pciirq_dmi_table[] = { ++static const struct dmi_system_id __initconst pciirq_dmi_table[] = { + { + .callback = fix_broken_hp_bios_irq9, + .ident = "HP Pavilion N5400 Series Laptop", +diff --git a/arch/x86/pci/pcbios.c b/arch/x86/pci/pcbios.c +index c77b24a..c979855 100644 +--- a/arch/x86/pci/pcbios.c ++++ b/arch/x86/pci/pcbios.c +@@ -79,7 +79,7 @@ union bios32 { + static struct { + unsigned long address; + unsigned short segment; +-} bios32_indirect = { 0, __KERNEL_CS }; ++} bios32_indirect __read_only = { 0, __PCIBIOS_CS }; + + /* + * Returns the entry point for the given service, NULL on error +@@ -92,37 +92,80 @@ static unsigned long bios32_service(unsigned long service) + unsigned long length; /* %ecx */ + unsigned long entry; /* %edx */ + unsigned long flags; ++ struct desc_struct d, *gdt; + + local_irq_save(flags); +- __asm__("lcall *(%%edi); cld" ++ ++ gdt = get_cpu_gdt_table(smp_processor_id()); ++ ++ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC); ++ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S); ++ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC); ++ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S); ++ ++ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld" + : "=a" (return_code), + "=b" (address), + "=c" (length), + "=d" (entry) + : "0" (service), + "1" (0), +- "D" (&bios32_indirect)); ++ "D" (&bios32_indirect), ++ "r"(__PCIBIOS_DS) ++ : "memory"); ++ ++ pax_open_kernel(); ++ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0; ++ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0; ++ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0; ++ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0; ++ pax_close_kernel(); ++ + local_irq_restore(flags); + + switch (return_code) { +- case 0: +- return address + entry; +- case 0x80: /* Not present */ +- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service); +- return 0; +- default: /* Shouldn't happen */ +- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n", +- service, return_code); ++ case 0: { ++ int cpu; ++ unsigned char flags; ++ ++ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry); ++ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) { ++ printk(KERN_WARNING "bios32_service: not valid\n"); + return 0; ++ } ++ address = address + PAGE_OFFSET; ++ length += 16UL; /* some BIOSs underreport this... */ ++ flags = 4; ++ if (length >= 64*1024*1024) { ++ length >>= PAGE_SHIFT; ++ flags |= 8; ++ } ++ ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { ++ gdt = get_cpu_gdt_table(cpu); ++ pack_descriptor(&d, address, length, 0x9b, flags); ++ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S); ++ pack_descriptor(&d, address, length, 0x93, flags); ++ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S); ++ } ++ return entry; ++ } ++ case 0x80: /* Not present */ ++ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service); ++ return 0; ++ default: /* Shouldn't happen */ ++ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n", ++ service, return_code); ++ return 0; + } + } + + static struct { + unsigned long address; + unsigned short segment; +-} pci_indirect = { 0, __KERNEL_CS }; ++} pci_indirect __read_only = { 0, __PCIBIOS_CS }; + +-static int pci_bios_present; ++static int pci_bios_present __read_only; + + static int check_pcibios(void) + { +@@ -131,11 +174,13 @@ static int check_pcibios(void) + unsigned long flags, pcibios_entry; + + if ((pcibios_entry = bios32_service(PCI_SERVICE))) { +- pci_indirect.address = pcibios_entry + PAGE_OFFSET; ++ pci_indirect.address = pcibios_entry; + + local_irq_save(flags); +- __asm__( +- "lcall *(%%edi); cld\n\t" ++ __asm__("movw %w6, %%ds\n\t" ++ "lcall *%%ss:(%%edi); cld\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n\t" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -144,7 +189,8 @@ static int check_pcibios(void) + "=b" (ebx), + "=c" (ecx) + : "1" (PCIBIOS_PCI_BIOS_PRESENT), +- "D" (&pci_indirect) ++ "D" (&pci_indirect), ++ "r" (__PCIBIOS_DS) + : "memory"); + local_irq_restore(flags); + +@@ -189,7 +235,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus, + + switch (len) { + case 1: +- __asm__("lcall *(%%esi); cld\n\t" ++ __asm__("movw %w6, %%ds\n\t" ++ "lcall *%%ss:(%%esi); cld\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n\t" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -198,7 +247,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus, + : "1" (PCIBIOS_READ_CONFIG_BYTE), + "b" (bx), + "D" ((long)reg), +- "S" (&pci_indirect)); ++ "S" (&pci_indirect), ++ "r" (__PCIBIOS_DS)); + /* + * Zero-extend the result beyond 8 bits, do not trust the + * BIOS having done it: +@@ -206,7 +256,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus, + *value &= 0xff; + break; + case 2: +- __asm__("lcall *(%%esi); cld\n\t" ++ __asm__("movw %w6, %%ds\n\t" ++ "lcall *%%ss:(%%esi); cld\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n\t" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -215,7 +268,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus, + : "1" (PCIBIOS_READ_CONFIG_WORD), + "b" (bx), + "D" ((long)reg), +- "S" (&pci_indirect)); ++ "S" (&pci_indirect), ++ "r" (__PCIBIOS_DS)); + /* + * Zero-extend the result beyond 16 bits, do not trust the + * BIOS having done it: +@@ -223,7 +277,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus, + *value &= 0xffff; + break; + case 4: +- __asm__("lcall *(%%esi); cld\n\t" ++ __asm__("movw %w6, %%ds\n\t" ++ "lcall *%%ss:(%%esi); cld\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n\t" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -232,7 +289,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus, + : "1" (PCIBIOS_READ_CONFIG_DWORD), + "b" (bx), + "D" ((long)reg), +- "S" (&pci_indirect)); ++ "S" (&pci_indirect), ++ "r" (__PCIBIOS_DS)); + break; + } + +@@ -256,7 +314,10 @@ static int pci_bios_write(unsigned int seg, unsigned int bus, + + switch (len) { + case 1: +- __asm__("lcall *(%%esi); cld\n\t" ++ __asm__("movw %w6, %%ds\n\t" ++ "lcall *%%ss:(%%esi); cld\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n\t" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -265,10 +326,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus, + "c" (value), + "b" (bx), + "D" ((long)reg), +- "S" (&pci_indirect)); ++ "S" (&pci_indirect), ++ "r" (__PCIBIOS_DS)); + break; + case 2: +- __asm__("lcall *(%%esi); cld\n\t" ++ __asm__("movw %w6, %%ds\n\t" ++ "lcall *%%ss:(%%esi); cld\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n\t" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -277,10 +342,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus, + "c" (value), + "b" (bx), + "D" ((long)reg), +- "S" (&pci_indirect)); ++ "S" (&pci_indirect), ++ "r" (__PCIBIOS_DS)); + break; + case 4: +- __asm__("lcall *(%%esi); cld\n\t" ++ __asm__("movw %w6, %%ds\n\t" ++ "lcall *%%ss:(%%esi); cld\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n\t" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -289,7 +358,8 @@ static int pci_bios_write(unsigned int seg, unsigned int bus, + "c" (value), + "b" (bx), + "D" ((long)reg), +- "S" (&pci_indirect)); ++ "S" (&pci_indirect), ++ "r" (__PCIBIOS_DS)); + break; + } + +@@ -394,10 +464,13 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void) + + DBG("PCI: Fetching IRQ routing table... "); + __asm__("push %%es\n\t" ++ "movw %w8, %%ds\n\t" + "push %%ds\n\t" + "pop %%es\n\t" +- "lcall *(%%esi); cld\n\t" ++ "lcall *%%ss:(%%esi); cld\n\t" + "pop %%es\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -408,7 +481,8 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void) + "1" (0), + "D" ((long) &opt), + "S" (&pci_indirect), +- "m" (opt) ++ "m" (opt), ++ "r" (__PCIBIOS_DS) + : "memory"); + DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map); + if (ret & 0xff00) +@@ -432,7 +506,10 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq) + { + int ret; + +- __asm__("lcall *(%%esi); cld\n\t" ++ __asm__("movw %w5, %%ds\n\t" ++ "lcall *%%ss:(%%esi); cld\n\t" ++ "push %%ss\n\t" ++ "pop %%ds\n" + "jc 1f\n\t" + "xor %%ah, %%ah\n" + "1:" +@@ -440,7 +517,8 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq) + : "0" (PCIBIOS_SET_PCI_HW_INT), + "b" ((dev->bus->number << 8) | dev->devfn), + "c" ((irq << 8) | (pin + 10)), +- "S" (&pci_indirect)); ++ "S" (&pci_indirect), ++ "r" (__PCIBIOS_DS)); + return !(ret & 0xff00); + } + EXPORT_SYMBOL(pcibios_set_irq_routing); +diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c +index 9ee3491..872192f 100644 +--- a/arch/x86/platform/efi/efi_32.c ++++ b/arch/x86/platform/efi/efi_32.c +@@ -59,11 +59,22 @@ void efi_call_phys_prelog(void) + { + struct desc_ptr gdt_descr; + ++#ifdef CONFIG_PAX_KERNEXEC ++ struct desc_struct d; ++#endif ++ + local_irq_save(efi_rt_eflags); + + load_cr3(initial_page_table); + __flush_tlb_all(); + ++#ifdef CONFIG_PAX_KERNEXEC ++ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC); ++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S); ++ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC); ++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S); ++#endif ++ + gdt_descr.address = __pa(get_cpu_gdt_table(0)); + gdt_descr.size = GDT_SIZE - 1; + load_gdt(&gdt_descr); +@@ -73,11 +84,24 @@ void efi_call_phys_epilog(void) + { + struct desc_ptr gdt_descr; + ++#ifdef CONFIG_PAX_KERNEXEC ++ struct desc_struct d; ++ ++ memset(&d, 0, sizeof d); ++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S); ++ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S); ++#endif ++ + gdt_descr.address = (unsigned long)get_cpu_gdt_table(0); + gdt_descr.size = GDT_SIZE - 1; + load_gdt(&gdt_descr); + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); ++#else + load_cr3(swapper_pg_dir); ++#endif ++ + __flush_tlb_all(); + + local_irq_restore(efi_rt_eflags); +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index 666b74a..673d88f 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -97,6 +97,11 @@ void __init efi_call_phys_prelog(void) + vaddress = (unsigned long)__va(pgd * PGDIR_SIZE); + set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress)); + } ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ load_cr3(swapper_pg_dir); ++#endif ++ + __flush_tlb_all(); + } + +@@ -114,6 +119,11 @@ void __init efi_call_phys_epilog(void) + for (pgd = 0; pgd < n_pgds; pgd++) + set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]); + kfree(save_pgd); ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel)); ++#endif ++ + __flush_tlb_all(); + local_irq_restore(efi_flags); + early_code_mapping_set_exec(0); +diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S +index fbe66e6..eae5e38 100644 +--- a/arch/x86/platform/efi/efi_stub_32.S ++++ b/arch/x86/platform/efi/efi_stub_32.S +@@ -6,7 +6,9 @@ + */ + + #include ++#include + #include ++#include + + /* + * efi_call_phys(void *, ...) is a function with variable parameters. +@@ -20,7 +22,7 @@ + * service functions will comply with gcc calling convention, too. + */ + +-.text ++__INIT + ENTRY(efi_call_phys) + /* + * 0. The function can only be called in Linux kernel. So CS has been +@@ -36,10 +38,24 @@ ENTRY(efi_call_phys) + * The mapping of lower virtual memory has been created in prelog and + * epilog. + */ +- movl $1f, %edx +- subl $__PAGE_OFFSET, %edx +- jmp *%edx ++#ifdef CONFIG_PAX_KERNEXEC ++ movl $(__KERNEXEC_EFI_DS), %edx ++ mov %edx, %ds ++ mov %edx, %es ++ mov %edx, %ss ++ addl $2f,(1f) ++ ljmp *(1f) ++ ++__INITDATA ++1: .long __LOAD_PHYSICAL_ADDR, __KERNEXEC_EFI_CS ++.previous ++ ++2: ++ subl $2b,(1b) ++#else ++ jmp 1f-__PAGE_OFFSET + 1: ++#endif + + /* + * 2. Now on the top of stack is the return +@@ -47,14 +63,8 @@ ENTRY(efi_call_phys) + * parameter 2, ..., param n. To make things easy, we save the return + * address of efi_call_phys in a global variable. + */ +- popl %edx +- movl %edx, saved_return_addr +- /* get the function pointer into ECX*/ +- popl %ecx +- movl %ecx, efi_rt_function_ptr +- movl $2f, %edx +- subl $__PAGE_OFFSET, %edx +- pushl %edx ++ popl (saved_return_addr) ++ popl (efi_rt_function_ptr) + + /* + * 3. Clear PG bit in %CR0. +@@ -73,9 +83,8 @@ ENTRY(efi_call_phys) + /* + * 5. Call the physical function. + */ +- jmp *%ecx ++ call *(efi_rt_function_ptr-__PAGE_OFFSET) + +-2: + /* + * 6. After EFI runtime service returns, control will return to + * following instruction. We'd better readjust stack pointer first. +@@ -88,35 +97,36 @@ ENTRY(efi_call_phys) + movl %cr0, %edx + orl $0x80000000, %edx + movl %edx, %cr0 +- jmp 1f +-1: ++ + /* + * 8. Now restore the virtual mode from flat mode by + * adding EIP with PAGE_OFFSET. + */ +- movl $1f, %edx +- jmp *%edx ++#ifdef CONFIG_PAX_KERNEXEC ++ movl $(__KERNEL_DS), %edx ++ mov %edx, %ds ++ mov %edx, %es ++ mov %edx, %ss ++ ljmp $(__KERNEL_CS),$1f ++#else ++ jmp 1f+__PAGE_OFFSET ++#endif + 1: + + /* + * 9. Balance the stack. And because EAX contain the return value, + * we'd better not clobber it. + */ +- leal efi_rt_function_ptr, %edx +- movl (%edx), %ecx +- pushl %ecx ++ pushl (efi_rt_function_ptr) + + /* +- * 10. Push the saved return address onto the stack and return. ++ * 10. Return to the saved return address. + */ +- leal saved_return_addr, %edx +- movl (%edx), %ecx +- pushl %ecx +- ret ++ jmpl *(saved_return_addr) + ENDPROC(efi_call_phys) + .previous + +-.data ++__INITDATA + saved_return_addr: + .long 0 + efi_rt_function_ptr: +diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S +index 88073b1..1cc2f53 100644 +--- a/arch/x86/platform/efi/efi_stub_64.S ++++ b/arch/x86/platform/efi/efi_stub_64.S +@@ -7,6 +7,7 @@ + */ + + #include ++#include + + #define SAVE_XMM \ + mov %rsp, %rax; \ +@@ -77,6 +78,7 @@ ENTRY(efi_call0) + RESTORE_PGT + addq $32, %rsp + RESTORE_XMM ++ pax_force_retaddr 0, 1 + ret + ENDPROC(efi_call0) + +@@ -89,6 +91,7 @@ ENTRY(efi_call1) + RESTORE_PGT + addq $32, %rsp + RESTORE_XMM ++ pax_force_retaddr 0, 1 + ret + ENDPROC(efi_call1) + +@@ -101,6 +104,7 @@ ENTRY(efi_call2) + RESTORE_PGT + addq $32, %rsp + RESTORE_XMM ++ pax_force_retaddr 0, 1 + ret + ENDPROC(efi_call2) + +@@ -114,6 +118,7 @@ ENTRY(efi_call3) + RESTORE_PGT + addq $32, %rsp + RESTORE_XMM ++ pax_force_retaddr 0, 1 + ret + ENDPROC(efi_call3) + +@@ -128,6 +133,7 @@ ENTRY(efi_call4) + RESTORE_PGT + addq $32, %rsp + RESTORE_XMM ++ pax_force_retaddr 0, 1 + ret + ENDPROC(efi_call4) + +@@ -143,6 +149,7 @@ ENTRY(efi_call5) + RESTORE_PGT + addq $48, %rsp + RESTORE_XMM ++ pax_force_retaddr 0, 1 + ret + ENDPROC(efi_call5) + +@@ -161,6 +168,7 @@ ENTRY(efi_call6) + RESTORE_PGT + addq $48, %rsp + RESTORE_XMM ++ pax_force_retaddr 0, 1 + ret + ENDPROC(efi_call6) + +diff --git a/arch/x86/platform/intel-mid/intel-mid.c b/arch/x86/platform/intel-mid/intel-mid.c +index 1bbedc4..eb795b5 100644 +--- a/arch/x86/platform/intel-mid/intel-mid.c ++++ b/arch/x86/platform/intel-mid/intel-mid.c +@@ -71,9 +71,10 @@ static void intel_mid_power_off(void) + { + }; + +-static void intel_mid_reboot(void) ++static void __noreturn intel_mid_reboot(void) + { + intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0); ++ BUG(); + } + + static unsigned long __init intel_mid_calibrate_tsc(void) +diff --git a/arch/x86/platform/olpc/olpc_dt.c b/arch/x86/platform/olpc/olpc_dt.c +index d6ee929..3637cb5 100644 +--- a/arch/x86/platform/olpc/olpc_dt.c ++++ b/arch/x86/platform/olpc/olpc_dt.c +@@ -156,7 +156,7 @@ void * __init prom_early_alloc(unsigned long size) + return res; + } + +-static struct of_pdt_ops prom_olpc_ops __initdata = { ++static struct of_pdt_ops prom_olpc_ops __initconst = { + .nextprop = olpc_dt_nextprop, + .getproplen = olpc_dt_getproplen, + .getproperty = olpc_dt_getproperty, +diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c +index 424f4c9..f2a2988 100644 +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -137,11 +137,8 @@ static void do_fpu_end(void) + static void fix_processor_context(void) + { + int cpu = smp_processor_id(); +- struct tss_struct *t = &per_cpu(init_tss, cpu); +-#ifdef CONFIG_X86_64 +- struct desc_struct *desc = get_cpu_gdt_table(cpu); +- tss_desc tss; +-#endif ++ struct tss_struct *t = init_tss + cpu; ++ + set_tss_desc(cpu, t); /* + * This just modifies memory; should not be + * necessary. But... This is necessary, because +@@ -150,10 +147,6 @@ static void fix_processor_context(void) + */ + + #ifdef CONFIG_X86_64 +- memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc)); +- tss.type = 0x9; /* The available 64-bit TSS (see AMD vol 2, pg 91 */ +- write_gdt_entry(desc, GDT_ENTRY_TSS, &tss, DESC_TSS); +- + syscall_init(); /* This sets MSR_*STAR and related */ + #endif + load_TR_desc(); /* This does ltr */ +diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c +index bad628a..a102610 100644 +--- a/arch/x86/realmode/init.c ++++ b/arch/x86/realmode/init.c +@@ -68,7 +68,13 @@ void __init setup_real_mode(void) + __va(real_mode_header->trampoline_header); + + #ifdef CONFIG_X86_32 +- trampoline_header->start = __pa_symbol(startup_32_smp); ++ trampoline_header->start = __pa_symbol(ktla_ktva(startup_32_smp)); ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ trampoline_header->start -= LOAD_PHYSICAL_ADDR; ++#endif ++ ++ trampoline_header->boot_cs = __BOOT_CS; + trampoline_header->gdt_limit = __BOOT_DS + 7; + trampoline_header->gdt_base = __pa_symbol(boot_gdt); + #else +@@ -84,7 +90,7 @@ void __init setup_real_mode(void) + *trampoline_cr4_features = read_cr4(); + + trampoline_pgd = (u64 *) __va(real_mode_header->trampoline_pgd); +- trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd; ++ trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd & ~_PAGE_NX; + trampoline_pgd[511] = init_level4_pgt[511].pgd; + #endif + } +diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile +index 3497f14..cc73b92 100644 +--- a/arch/x86/realmode/rm/Makefile ++++ b/arch/x86/realmode/rm/Makefile +@@ -66,5 +66,8 @@ $(obj)/realmode.relocs: $(obj)/realmode.elf FORCE + + KBUILD_CFLAGS := $(LINUXINCLUDE) $(REALMODE_CFLAGS) -D_SETUP -D_WAKEUP \ + -I$(srctree)/arch/x86/boot ++ifdef CONSTIFY_PLUGIN ++KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify ++endif + KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ + GCOV_PROFILE := n +diff --git a/arch/x86/realmode/rm/header.S b/arch/x86/realmode/rm/header.S +index a28221d..93c40f1 100644 +--- a/arch/x86/realmode/rm/header.S ++++ b/arch/x86/realmode/rm/header.S +@@ -30,7 +30,9 @@ GLOBAL(real_mode_header) + #endif + /* APM/BIOS reboot */ + .long pa_machine_real_restart_asm +-#ifdef CONFIG_X86_64 ++#ifdef CONFIG_X86_32 ++ .long __KERNEL_CS ++#else + .long __KERNEL32_CS + #endif + END(real_mode_header) +diff --git a/arch/x86/realmode/rm/trampoline_32.S b/arch/x86/realmode/rm/trampoline_32.S +index 48ddd76..c26749f 100644 +--- a/arch/x86/realmode/rm/trampoline_32.S ++++ b/arch/x86/realmode/rm/trampoline_32.S +@@ -24,6 +24,12 @@ + #include + #include "realmode.h" + ++#ifdef CONFIG_PAX_KERNEXEC ++#define ta(X) (X) ++#else ++#define ta(X) (pa_ ## X) ++#endif ++ + .text + .code16 + +@@ -38,8 +44,6 @@ ENTRY(trampoline_start) + + cli # We should be safe anyway + +- movl tr_start, %eax # where we need to go +- + movl $0xA5A5A5A5, trampoline_status + # write marker for master knows we're running + +@@ -55,7 +59,7 @@ ENTRY(trampoline_start) + movw $1, %dx # protected mode (PE) bit + lmsw %dx # into protected mode + +- ljmpl $__BOOT_CS, $pa_startup_32 ++ ljmpl *(trampoline_header) + + .section ".text32","ax" + .code32 +@@ -66,7 +70,7 @@ ENTRY(startup_32) # note: also used from wakeup_asm.S + .balign 8 + GLOBAL(trampoline_header) + tr_start: .space 4 +- tr_gdt_pad: .space 2 ++ tr_boot_cs: .space 2 + tr_gdt: .space 6 + END(trampoline_header) + +diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S +index dac7b20..72dbaca 100644 +--- a/arch/x86/realmode/rm/trampoline_64.S ++++ b/arch/x86/realmode/rm/trampoline_64.S +@@ -93,6 +93,7 @@ ENTRY(startup_32) + movl %edx, %gs + + movl pa_tr_cr4, %eax ++ andl $~X86_CR4_PCIDE, %eax + movl %eax, %cr4 # Enable PAE mode + + # Setup trampoline 4 level pagetables +@@ -106,7 +107,7 @@ ENTRY(startup_32) + wrmsr + + # Enable paging and in turn activate Long Mode +- movl $(X86_CR0_PG | X86_CR0_WP | X86_CR0_PE), %eax ++ movl $(X86_CR0_PG | X86_CR0_PE), %eax + movl %eax, %cr0 + + /* +diff --git a/arch/x86/tools/Makefile b/arch/x86/tools/Makefile +index e812034..c747134 100644 +--- a/arch/x86/tools/Makefile ++++ b/arch/x86/tools/Makefile +@@ -37,7 +37,7 @@ $(obj)/test_get_len.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/in + + $(obj)/insn_sanity.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/inat.c $(srctree)/arch/x86/include/asm/inat_types.h $(srctree)/arch/x86/include/asm/inat.h $(srctree)/arch/x86/include/asm/insn.h $(objtree)/arch/x86/lib/inat-tables.c + +-HOST_EXTRACFLAGS += -I$(srctree)/tools/include ++HOST_EXTRACFLAGS += -I$(srctree)/tools/include -ggdb + hostprogs-y += relocs + relocs-objs := relocs_32.o relocs_64.o relocs_common.o + relocs: $(obj)/relocs +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index cfbdbdb..1aa763c 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -1,5 +1,7 @@ + /* This is included from relocs_32/64.c */ + ++#include "../../../include/generated/autoconf.h" ++ + #define ElfW(type) _ElfW(ELF_BITS, type) + #define _ElfW(bits, type) __ElfW(bits, type) + #define __ElfW(bits, type) Elf##bits##_##type +@@ -11,6 +13,7 @@ + #define Elf_Sym ElfW(Sym) + + static Elf_Ehdr ehdr; ++static Elf_Phdr *phdr; + + struct relocs { + uint32_t *offset; +@@ -383,9 +386,39 @@ static void read_ehdr(FILE *fp) + } + } + ++static void read_phdrs(FILE *fp) ++{ ++ unsigned int i; ++ ++ phdr = calloc(ehdr.e_phnum, sizeof(Elf_Phdr)); ++ if (!phdr) { ++ die("Unable to allocate %d program headers\n", ++ ehdr.e_phnum); ++ } ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) { ++ die("Seek to %d failed: %s\n", ++ ehdr.e_phoff, strerror(errno)); ++ } ++ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) { ++ die("Cannot read ELF program headers: %s\n", ++ strerror(errno)); ++ } ++ for(i = 0; i < ehdr.e_phnum; i++) { ++ phdr[i].p_type = elf_word_to_cpu(phdr[i].p_type); ++ phdr[i].p_offset = elf_off_to_cpu(phdr[i].p_offset); ++ phdr[i].p_vaddr = elf_addr_to_cpu(phdr[i].p_vaddr); ++ phdr[i].p_paddr = elf_addr_to_cpu(phdr[i].p_paddr); ++ phdr[i].p_filesz = elf_word_to_cpu(phdr[i].p_filesz); ++ phdr[i].p_memsz = elf_word_to_cpu(phdr[i].p_memsz); ++ phdr[i].p_flags = elf_word_to_cpu(phdr[i].p_flags); ++ phdr[i].p_align = elf_word_to_cpu(phdr[i].p_align); ++ } ++ ++} ++ + static void read_shdrs(FILE *fp) + { +- int i; ++ unsigned int i; + Elf_Shdr shdr; + + secs = calloc(ehdr.e_shnum, sizeof(struct section)); +@@ -420,7 +453,7 @@ static void read_shdrs(FILE *fp) + + static void read_strtabs(FILE *fp) + { +- int i; ++ unsigned int i; + for (i = 0; i < ehdr.e_shnum; i++) { + struct section *sec = &secs[i]; + if (sec->shdr.sh_type != SHT_STRTAB) { +@@ -445,7 +478,7 @@ static void read_strtabs(FILE *fp) + + static void read_symtabs(FILE *fp) + { +- int i,j; ++ unsigned int i,j; + for (i = 0; i < ehdr.e_shnum; i++) { + struct section *sec = &secs[i]; + if (sec->shdr.sh_type != SHT_SYMTAB) { +@@ -476,9 +509,11 @@ static void read_symtabs(FILE *fp) + } + + +-static void read_relocs(FILE *fp) ++static void read_relocs(FILE *fp, int use_real_mode) + { +- int i,j; ++ unsigned int i,j; ++ uint32_t base; ++ + for (i = 0; i < ehdr.e_shnum; i++) { + struct section *sec = &secs[i]; + if (sec->shdr.sh_type != SHT_REL_TYPE) { +@@ -498,9 +533,22 @@ static void read_relocs(FILE *fp) + die("Cannot read symbol table: %s\n", + strerror(errno)); + } ++ base = 0; ++ ++#ifdef CONFIG_X86_32 ++ for (j = 0; !use_real_mode && j < ehdr.e_phnum; j++) { ++ if (phdr[j].p_type != PT_LOAD ) ++ continue; ++ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz) ++ continue; ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr; ++ break; ++ } ++#endif ++ + for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { + Elf_Rel *rel = &sec->reltab[j]; +- rel->r_offset = elf_addr_to_cpu(rel->r_offset); ++ rel->r_offset = elf_addr_to_cpu(rel->r_offset) + base; + rel->r_info = elf_xword_to_cpu(rel->r_info); + #if (SHT_REL_TYPE == SHT_RELA) + rel->r_addend = elf_xword_to_cpu(rel->r_addend); +@@ -512,7 +560,7 @@ static void read_relocs(FILE *fp) + + static void print_absolute_symbols(void) + { +- int i; ++ unsigned int i; + const char *format; + + if (ELF_BITS == 64) +@@ -525,7 +573,7 @@ static void print_absolute_symbols(void) + for (i = 0; i < ehdr.e_shnum; i++) { + struct section *sec = &secs[i]; + char *sym_strtab; +- int j; ++ unsigned int j; + + if (sec->shdr.sh_type != SHT_SYMTAB) { + continue; +@@ -552,7 +600,7 @@ static void print_absolute_symbols(void) + + static void print_absolute_relocs(void) + { +- int i, printed = 0; ++ unsigned int i, printed = 0; + const char *format; + + if (ELF_BITS == 64) +@@ -565,7 +613,7 @@ static void print_absolute_relocs(void) + struct section *sec_applies, *sec_symtab; + char *sym_strtab; + Elf_Sym *sh_symtab; +- int j; ++ unsigned int j; + if (sec->shdr.sh_type != SHT_REL_TYPE) { + continue; + } +@@ -642,13 +690,13 @@ static void add_reloc(struct relocs *r, uint32_t offset) + static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel, + Elf_Sym *sym, const char *symname)) + { +- int i; ++ unsigned int i; + /* Walk through the relocations */ + for (i = 0; i < ehdr.e_shnum; i++) { + char *sym_strtab; + Elf_Sym *sh_symtab; + struct section *sec_applies, *sec_symtab; +- int j; ++ unsigned int j; + struct section *sec = &secs[i]; + + if (sec->shdr.sh_type != SHT_REL_TYPE) { +@@ -822,6 +870,23 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym, + { + unsigned r_type = ELF32_R_TYPE(rel->r_info); + int shn_abs = (sym->st_shndx == SHN_ABS) && !is_reloc(S_REL, symname); ++ char *sym_strtab = sec->link->link->strtab; ++ ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */ ++ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load")) ++ return 0; ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */ ++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext")) ++ return 0; ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) ++ return 0; ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) ++ return 0; ++ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR")) ++ return 0; ++#endif + + switch (r_type) { + case R_386_NONE: +@@ -960,7 +1025,7 @@ static int write32_as_text(uint32_t v, FILE *f) + + static void emit_relocs(int as_text, int use_real_mode) + { +- int i; ++ unsigned int i; + int (*write_reloc)(uint32_t, FILE *) = write32; + int (*do_reloc)(struct section *sec, Elf_Rel *rel, Elf_Sym *sym, + const char *symname); +@@ -1060,10 +1125,11 @@ void process(FILE *fp, int use_real_mode, int as_text, + { + regex_init(use_real_mode); + read_ehdr(fp); ++ read_phdrs(fp); + read_shdrs(fp); + read_strtabs(fp); + read_symtabs(fp); +- read_relocs(fp); ++ read_relocs(fp, use_real_mode); + if (ELF_BITS == 64) + percpu_init(); + if (show_absolute_syms) { +diff --git a/arch/x86/um/tls_32.c b/arch/x86/um/tls_32.c +index 80ffa5b..a33bd15 100644 +--- a/arch/x86/um/tls_32.c ++++ b/arch/x86/um/tls_32.c +@@ -260,7 +260,7 @@ out: + if (unlikely(task == current && + !t->arch.tls_array[idx - GDT_ENTRY_TLS_MIN].flushed)) { + printk(KERN_ERR "get_tls_entry: task with pid %d got here " +- "without flushed TLS.", current->pid); ++ "without flushed TLS.", task_pid_nr(current)); + } + + return 0; +diff --git a/arch/x86/vdso/Makefile b/arch/x86/vdso/Makefile +index fd14be1..e3c79c0 100644 +--- a/arch/x86/vdso/Makefile ++++ b/arch/x86/vdso/Makefile +@@ -181,7 +181,7 @@ quiet_cmd_vdso = VDSO $@ + -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \ + sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@' + +-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) ++VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) + GCOV_PROFILE := n + + # +diff --git a/arch/x86/vdso/vdso32-setup.c b/arch/x86/vdso/vdso32-setup.c +index d6bfb87..876ee18 100644 +--- a/arch/x86/vdso/vdso32-setup.c ++++ b/arch/x86/vdso/vdso32-setup.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + enum { + VDSO_DISABLED = 0, +@@ -226,7 +227,7 @@ static inline void map_compat_vdso(int map) + void enable_sep_cpu(void) + { + int cpu = get_cpu(); +- struct tss_struct *tss = &per_cpu(init_tss, cpu); ++ struct tss_struct *tss = init_tss + cpu; + + if (!boot_cpu_has(X86_FEATURE_SEP)) { + put_cpu(); +@@ -249,7 +250,7 @@ static int __init gate_vma_init(void) + gate_vma.vm_start = FIXADDR_USER_START; + gate_vma.vm_end = FIXADDR_USER_END; + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; +- gate_vma.vm_page_prot = __P101; ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags); + + return 0; + } +@@ -330,14 +331,14 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) + if (compat) + addr = VDSO_HIGH_BASE; + else { +- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0); ++ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE); + if (IS_ERR_VALUE(addr)) { + ret = addr; + goto up_fail; + } + } + +- current->mm->context.vdso = (void *)addr; ++ current->mm->context.vdso = addr; + + if (compat_uses_vma || !compat) { + /* +@@ -353,11 +354,11 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) + } + + current_thread_info()->sysenter_return = +- VDSO32_SYMBOL(addr, SYSENTER_RETURN); ++ (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN); + + up_fail: + if (ret) +- current->mm->context.vdso = NULL; ++ current->mm->context.vdso = 0; + + up_write(&mm->mmap_sem); + +@@ -404,8 +405,14 @@ __initcall(ia32_binfmt_init); + + const char *arch_vma_name(struct vm_area_struct *vma) + { +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso) ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso) + return "[vdso]"; ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso) ++ return "[vdso]"; ++#endif ++ + return NULL; + } + +@@ -415,7 +422,7 @@ struct vm_area_struct *get_gate_vma(struct mm_struct *mm) + * Check to see if the corresponding task was created in compat vdso + * mode. + */ +- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE) ++ if (mm && mm->context.vdso == VDSO_HIGH_BASE) + return &gate_vma; + return NULL; + } +diff --git a/arch/x86/vdso/vma.c b/arch/x86/vdso/vma.c +index 431e875..cbb23f3 100644 +--- a/arch/x86/vdso/vma.c ++++ b/arch/x86/vdso/vma.c +@@ -16,8 +16,6 @@ + #include + #include + +-unsigned int __read_mostly vdso_enabled = 1; +- + extern char vdso_start[], vdso_end[]; + extern unsigned short vdso_sync_cpuid; + +@@ -141,7 +139,6 @@ static unsigned long vdso_addr(unsigned long start, unsigned len) + * unaligned here as a result of stack start randomization. + */ + addr = PAGE_ALIGN(addr); +- addr = align_vdso_addr(addr); + + return addr; + } +@@ -154,30 +151,31 @@ static int setup_additional_pages(struct linux_binprm *bprm, + unsigned size) + { + struct mm_struct *mm = current->mm; +- unsigned long addr; ++ unsigned long addr = 0; + int ret; + +- if (!vdso_enabled) +- return 0; +- + down_write(&mm->mmap_sem); ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP)) ++#endif ++ + addr = vdso_addr(mm->start_stack, size); ++ addr = align_vdso_addr(addr); + addr = get_unmapped_area(NULL, addr, size, 0, 0); + if (IS_ERR_VALUE(addr)) { + ret = addr; + goto up_fail; + } + +- current->mm->context.vdso = (void *)addr; ++ mm->context.vdso = addr; + + ret = install_special_mapping(mm, addr, size, + VM_READ|VM_EXEC| + VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, + pages); +- if (ret) { +- current->mm->context.vdso = NULL; +- goto up_fail; +- } ++ if (ret) ++ mm->context.vdso = 0; + + up_fail: + up_write(&mm->mmap_sem); +@@ -197,10 +195,3 @@ int x32_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) + vdsox32_size); + } + #endif +- +-static __init int vdso_setup(char *s) +-{ +- vdso_enabled = simple_strtoul(s, NULL, 0); +- return 0; +-} +-__setup("vdso=", vdso_setup); +diff --git a/arch/x86/xen/Kconfig b/arch/x86/xen/Kconfig +index 01b9026..1e476df 100644 +--- a/arch/x86/xen/Kconfig ++++ b/arch/x86/xen/Kconfig +@@ -9,6 +9,7 @@ config XEN + select XEN_HAVE_PVMMU + depends on X86_64 || (X86_32 && X86_PAE && !X86_VISWS) + depends on X86_TSC ++ depends on !GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_VIRT_XEN + help + This is the Linux Xen port. Enabling this will allow the + kernel to boot in a paravirtualized environment under the +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 201d09a..e4723e5 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); + + struct shared_info xen_dummy_shared_info; + +-void *xen_initial_gdt; +- + RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); + __read_mostly int xen_have_vector_callback; + EXPORT_SYMBOL_GPL(xen_have_vector_callback); +@@ -542,8 +540,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) + { + unsigned long va = dtr->address; + unsigned int size = dtr->size + 1; +- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE; +- unsigned long frames[pages]; ++ unsigned long frames[65536 / PAGE_SIZE]; + int f; + + /* +@@ -591,8 +588,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) + { + unsigned long va = dtr->address; + unsigned int size = dtr->size + 1; +- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE; +- unsigned long frames[pages]; ++ unsigned long frames[(GDT_SIZE + PAGE_SIZE - 1) / PAGE_SIZE]; + int f; + + /* +@@ -600,7 +596,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) + * 8-byte entries, or 16 4k pages.. + */ + +- BUG_ON(size > 65536); ++ BUG_ON(size > GDT_SIZE); + BUG_ON(va & ~PAGE_MASK); + + for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) { +@@ -989,7 +985,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) + return 0; + } + +-static void set_xen_basic_apic_ops(void) ++static void __init set_xen_basic_apic_ops(void) + { + apic->read = xen_apic_read; + apic->write = xen_apic_write; +@@ -1295,30 +1291,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { + #endif + }; + +-static void xen_reboot(int reason) ++static __noreturn void xen_reboot(int reason) + { + struct sched_shutdown r = { .reason = reason }; + +- if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r)) +- BUG(); ++ HYPERVISOR_sched_op(SCHEDOP_shutdown, &r); ++ BUG(); + } + +-static void xen_restart(char *msg) ++static __noreturn void xen_restart(char *msg) + { + xen_reboot(SHUTDOWN_reboot); + } + +-static void xen_emergency_restart(void) ++static __noreturn void xen_emergency_restart(void) + { + xen_reboot(SHUTDOWN_reboot); + } + +-static void xen_machine_halt(void) ++static __noreturn void xen_machine_halt(void) + { + xen_reboot(SHUTDOWN_poweroff); + } + +-static void xen_machine_power_off(void) ++static __noreturn void xen_machine_power_off(void) + { + if (pm_power_off) + pm_power_off(); +@@ -1564,7 +1560,17 @@ asmlinkage void __init xen_start_kernel(void) + __userpte_alloc_gfp &= ~__GFP_HIGHMEM; + + /* Work out if we support NX */ +- x86_configure_nx(); ++#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) ++ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 && ++ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) { ++ unsigned l, h; ++ ++ __supported_pte_mask |= _PAGE_NX; ++ rdmsr(MSR_EFER, l, h); ++ l |= EFER_NX; ++ wrmsr(MSR_EFER, l, h); ++ } ++#endif + + /* Get mfn list */ + xen_build_dynamic_phys_to_machine(); +@@ -1592,13 +1598,6 @@ asmlinkage void __init xen_start_kernel(void) + + machine_ops = xen_machine_ops; + +- /* +- * The only reliable way to retain the initial address of the +- * percpu gdt_page is to remember it here, so we can go and +- * mark it RW later, when the initial percpu area is freed. +- */ +- xen_initial_gdt = &per_cpu(gdt_page, 0); +- + xen_smp_init(); + + #ifdef CONFIG_ACPI_NUMA +diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c +index 2423ef0..4f6fb5b 100644 +--- a/arch/x86/xen/mmu.c ++++ b/arch/x86/xen/mmu.c +@@ -379,7 +379,7 @@ static pteval_t pte_mfn_to_pfn(pteval_t val) + return val; + } + +-static pteval_t pte_pfn_to_mfn(pteval_t val) ++static pteval_t __intentional_overflow(-1) pte_pfn_to_mfn(pteval_t val) + { + if (val & _PAGE_PRESENT) { + unsigned long pfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT; +@@ -1904,6 +1904,9 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) + /* L3_k[510] -> level2_kernel_pgt + * L3_i[511] -> level2_fixmap_pgt */ + convert_pfn_mfn(level3_kernel_pgt); ++ convert_pfn_mfn(level3_vmalloc_start_pgt); ++ convert_pfn_mfn(level3_vmalloc_end_pgt); ++ convert_pfn_mfn(level3_vmemmap_pgt); + } + /* We get [511][511] and have Xen's version of level2_kernel_pgt */ + l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd); +@@ -1933,8 +1936,12 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) + set_page_prot(init_level4_pgt, PAGE_KERNEL_RO); + set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO); + set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO); ++ set_page_prot(level3_vmalloc_start_pgt, PAGE_KERNEL_RO); ++ set_page_prot(level3_vmalloc_end_pgt, PAGE_KERNEL_RO); ++ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO); + set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO); + set_page_prot(level2_ident_pgt, PAGE_KERNEL_RO); ++ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO); + set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); + set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); + +@@ -2123,6 +2130,7 @@ static void __init xen_post_allocator_init(void) + pv_mmu_ops.set_pud = xen_set_pud; + #if PAGETABLE_LEVELS == 4 + pv_mmu_ops.set_pgd = xen_set_pgd; ++ pv_mmu_ops.set_pgd_batched = xen_set_pgd; + #endif + + /* This will work as long as patching hasn't happened yet +@@ -2201,6 +2209,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { + .pud_val = PV_CALLEE_SAVE(xen_pud_val), + .make_pud = PV_CALLEE_SAVE(xen_make_pud), + .set_pgd = xen_set_pgd_hyper, ++ .set_pgd_batched = xen_set_pgd_hyper, + + .alloc_pud = xen_alloc_pmd_init, + .release_pud = xen_release_pmd_init, +diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c +index a18eadd..2e2f10e 100644 +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -283,17 +283,13 @@ static void __init xen_smp_prepare_boot_cpu(void) + + if (xen_pv_domain()) { + if (!xen_feature(XENFEAT_writable_page_tables)) +- /* We've switched to the "real" per-cpu gdt, so make +- * sure the old memory can be recycled. */ +- make_lowmem_page_readwrite(xen_initial_gdt); +- + #ifdef CONFIG_X86_32 + /* + * Xen starts us with XEN_FLAT_RING1_DS, but linux code + * expects __USER_DS + */ +- loadsegment(ds, __USER_DS); +- loadsegment(es, __USER_DS); ++ loadsegment(ds, __KERNEL_DS); ++ loadsegment(es, __KERNEL_DS); + #endif + + xen_filter_cpu_maps(); +@@ -372,7 +368,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) + #ifdef CONFIG_X86_32 + /* Note: PVH is not yet supported on x86_32. */ + ctxt->user_regs.fs = __KERNEL_PERCPU; +- ctxt->user_regs.gs = __KERNEL_STACK_CANARY; ++ savesegment(gs, ctxt->user_regs.gs); + #endif + ctxt->user_regs.eip = (unsigned long)cpu_bringup_and_idle; + +@@ -381,8 +377,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle) + if (!xen_feature(XENFEAT_auto_translated_physmap)) { + ctxt->flags = VGCF_IN_KERNEL; + ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */ +- ctxt->user_regs.ds = __USER_DS; +- ctxt->user_regs.es = __USER_DS; ++ ctxt->user_regs.ds = __KERNEL_DS; ++ ctxt->user_regs.es = __KERNEL_DS; + ctxt->user_regs.ss = __KERNEL_DS; + + xen_copy_trap_info(ctxt->trap_ctxt); +@@ -437,13 +433,12 @@ static int xen_cpu_up(unsigned int cpu, struct task_struct *idle) + int rc; + + per_cpu(current_task, cpu) = idle; ++ per_cpu(current_tinfo, cpu) = &idle->tinfo; + #ifdef CONFIG_X86_32 + irq_ctx_init(cpu); + #else + clear_tsk_thread_flag(idle, TIF_FORK); +- per_cpu(kernel_stack, cpu) = +- (unsigned long)task_stack_page(idle) - +- KERNEL_STACK_OFFSET + THREAD_SIZE; ++ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE; + #endif + xen_setup_runstate_info(cpu); + xen_setup_timer(cpu); +@@ -719,7 +714,7 @@ static const struct smp_ops xen_smp_ops __initconst = { + + void __init xen_smp_init(void) + { +- smp_ops = xen_smp_ops; ++ memcpy((void *)&smp_ops, &xen_smp_ops, sizeof smp_ops); + xen_fill_possible_map(); + } + +diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S +index 33ca6e4..0ded929 100644 +--- a/arch/x86/xen/xen-asm_32.S ++++ b/arch/x86/xen/xen-asm_32.S +@@ -84,14 +84,14 @@ ENTRY(xen_iret) + ESP_OFFSET=4 # bytes pushed onto stack + + /* +- * Store vcpu_info pointer for easy access. Do it this way to +- * avoid having to reload %fs ++ * Store vcpu_info pointer for easy access. + */ + #ifdef CONFIG_SMP +- GET_THREAD_INFO(%eax) +- movl %ss:TI_cpu(%eax), %eax +- movl %ss:__per_cpu_offset(,%eax,4), %eax +- mov %ss:xen_vcpu(%eax), %eax ++ push %fs ++ mov $(__KERNEL_PERCPU), %eax ++ mov %eax, %fs ++ mov PER_CPU_VAR(xen_vcpu), %eax ++ pop %fs + #else + movl %ss:xen_vcpu, %eax + #endif +diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S +index 485b695..fda3e7c 100644 +--- a/arch/x86/xen/xen-head.S ++++ b/arch/x86/xen/xen-head.S +@@ -39,6 +39,17 @@ ENTRY(startup_xen) + #ifdef CONFIG_X86_32 + mov %esi,xen_start_info + mov $init_thread_union+THREAD_SIZE,%esp ++#ifdef CONFIG_SMP ++ movl $cpu_gdt_table,%edi ++ movl $__per_cpu_load,%eax ++ movw %ax,__KERNEL_PERCPU + 2(%edi) ++ rorl $16,%eax ++ movb %al,__KERNEL_PERCPU + 4(%edi) ++ movb %ah,__KERNEL_PERCPU + 7(%edi) ++ movl $__per_cpu_end - 1,%eax ++ subl $__per_cpu_start,%eax ++ movw %ax,__KERNEL_PERCPU + 0(%edi) ++#endif + #else + mov %rsi,xen_start_info + mov $init_thread_union+THREAD_SIZE,%rsp +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index 1cb6f4c..9981524 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -10,8 +10,6 @@ + extern const char xen_hypervisor_callback[]; + extern const char xen_failsafe_callback[]; + +-extern void *xen_initial_gdt; +- + struct trap_info; + void xen_copy_trap_info(struct trap_info *traps); + +diff --git a/arch/xtensa/variants/dc232b/include/variant/core.h b/arch/xtensa/variants/dc232b/include/variant/core.h +index 525bd3d..ef888b1 100644 +--- a/arch/xtensa/variants/dc232b/include/variant/core.h ++++ b/arch/xtensa/variants/dc232b/include/variant/core.h +@@ -119,9 +119,9 @@ + ----------------------------------------------------------------------*/ + + #define XCHAL_ICACHE_LINESIZE 32 /* I-cache line size in bytes */ +-#define XCHAL_DCACHE_LINESIZE 32 /* D-cache line size in bytes */ + #define XCHAL_ICACHE_LINEWIDTH 5 /* log2(I line size in bytes) */ + #define XCHAL_DCACHE_LINEWIDTH 5 /* log2(D line size in bytes) */ ++#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */ + + #define XCHAL_ICACHE_SIZE 16384 /* I-cache size in bytes or 0 */ + #define XCHAL_DCACHE_SIZE 16384 /* D-cache size in bytes or 0 */ +diff --git a/arch/xtensa/variants/fsf/include/variant/core.h b/arch/xtensa/variants/fsf/include/variant/core.h +index 2f33760..835e50a 100644 +--- a/arch/xtensa/variants/fsf/include/variant/core.h ++++ b/arch/xtensa/variants/fsf/include/variant/core.h +@@ -11,6 +11,7 @@ + #ifndef _XTENSA_CORE_H + #define _XTENSA_CORE_H + ++#include + + /**************************************************************************** + Parameters Useful for Any Code, USER or PRIVILEGED +@@ -112,9 +113,9 @@ + ----------------------------------------------------------------------*/ + + #define XCHAL_ICACHE_LINESIZE 16 /* I-cache line size in bytes */ +-#define XCHAL_DCACHE_LINESIZE 16 /* D-cache line size in bytes */ + #define XCHAL_ICACHE_LINEWIDTH 4 /* log2(I line size in bytes) */ + #define XCHAL_DCACHE_LINEWIDTH 4 /* log2(D line size in bytes) */ ++#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */ + + #define XCHAL_ICACHE_SIZE 8192 /* I-cache size in bytes or 0 */ + #define XCHAL_DCACHE_SIZE 8192 /* D-cache size in bytes or 0 */ +diff --git a/arch/xtensa/variants/s6000/include/variant/core.h b/arch/xtensa/variants/s6000/include/variant/core.h +index af00795..2bb8105 100644 +--- a/arch/xtensa/variants/s6000/include/variant/core.h ++++ b/arch/xtensa/variants/s6000/include/variant/core.h +@@ -11,6 +11,7 @@ + #ifndef _XTENSA_CORE_CONFIGURATION_H + #define _XTENSA_CORE_CONFIGURATION_H + ++#include + + /**************************************************************************** + Parameters Useful for Any Code, USER or PRIVILEGED +@@ -118,9 +119,9 @@ + ----------------------------------------------------------------------*/ + + #define XCHAL_ICACHE_LINESIZE 16 /* I-cache line size in bytes */ +-#define XCHAL_DCACHE_LINESIZE 16 /* D-cache line size in bytes */ + #define XCHAL_ICACHE_LINEWIDTH 4 /* log2(I line size in bytes) */ + #define XCHAL_DCACHE_LINEWIDTH 4 /* log2(D line size in bytes) */ ++#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */ + + #define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */ + #define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */ +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index 4e491d9..c8e18e4 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -812,7 +812,7 @@ static void blkcg_css_free(struct cgroup_subsys_state *css) + static struct cgroup_subsys_state * + blkcg_css_alloc(struct cgroup_subsys_state *parent_css) + { +- static atomic64_t id_seq = ATOMIC64_INIT(0); ++ static atomic64_unchecked_t id_seq = ATOMIC64_INIT(0); + struct blkcg *blkcg; + + if (!parent_css) { +@@ -826,7 +826,7 @@ blkcg_css_alloc(struct cgroup_subsys_state *parent_css) + + blkcg->cfq_weight = CFQ_WEIGHT_DEFAULT; + blkcg->cfq_leaf_weight = CFQ_WEIGHT_DEFAULT; +- blkcg->id = atomic64_inc_return(&id_seq); /* root is 0, start from 1 */ ++ blkcg->id = atomic64_inc_return_unchecked(&id_seq); /* root is 0, start from 1 */ + done: + spin_lock_init(&blkcg->lock); + INIT_RADIX_TREE(&blkcg->blkg_tree, GFP_ATOMIC); +diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c +index 1855bf5..af12b06 100644 +--- a/block/blk-iopoll.c ++++ b/block/blk-iopoll.c +@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopoll *iopoll) + } + EXPORT_SYMBOL(blk_iopoll_complete); + +-static void blk_iopoll_softirq(struct softirq_action *h) ++static __latent_entropy void blk_iopoll_softirq(void) + { + struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll); + int rearm = 0, budget = blk_iopoll_budget; +diff --git a/block/blk-map.c b/block/blk-map.c +index ae4ae10..c470b8d 100644 +--- a/block/blk-map.c ++++ b/block/blk-map.c +@@ -302,7 +302,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf, + if (!len || !kbuf) + return -EINVAL; + +- do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf); ++ do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf); + if (do_copy) + bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading); + else +diff --git a/block/blk-softirq.c b/block/blk-softirq.c +index 57790c1..5e988dd 100644 +--- a/block/blk-softirq.c ++++ b/block/blk-softirq.c +@@ -18,7 +18,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done); + * Softirq action handler - move entries to local list and loop over them + * while passing them to the queue registered handler. + */ +-static void blk_done_softirq(struct softirq_action *h) ++static __latent_entropy void blk_done_softirq(void) + { + struct list_head *cpu_list, local_list; + +diff --git a/block/bsg.c b/block/bsg.c +index 420a5a9..23834aa 100644 +--- a/block/bsg.c ++++ b/block/bsg.c +@@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct request_queue *q, struct request *rq, + struct sg_io_v4 *hdr, struct bsg_device *bd, + fmode_t has_write_perm) + { ++ unsigned char tmpcmd[sizeof(rq->__cmd)]; ++ unsigned char *cmdptr; ++ + if (hdr->request_len > BLK_MAX_CDB) { + rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL); + if (!rq->cmd) + return -ENOMEM; +- } ++ cmdptr = rq->cmd; ++ } else ++ cmdptr = tmpcmd; + +- if (copy_from_user(rq->cmd, (void __user *)(unsigned long)hdr->request, ++ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request, + hdr->request_len)) + return -EFAULT; + ++ if (cmdptr != rq->cmd) ++ memcpy(rq->cmd, cmdptr, hdr->request_len); ++ + if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) { + if (blk_verify_command(rq->cmd, has_write_perm)) + return -EPERM; +diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c +index fbd5a67..f24fd95 100644 +--- a/block/compat_ioctl.c ++++ b/block/compat_ioctl.c +@@ -156,7 +156,7 @@ static int compat_cdrom_generic_command(struct block_device *bdev, fmode_t mode, + cgc = compat_alloc_user_space(sizeof(*cgc)); + cgc32 = compat_ptr(arg); + +- if (copy_in_user(&cgc->cmd, &cgc32->cmd, sizeof(cgc->cmd)) || ++ if (copy_in_user(cgc->cmd, cgc32->cmd, sizeof(cgc->cmd)) || + get_user(data, &cgc32->buffer) || + put_user(compat_ptr(data), &cgc->buffer) || + copy_in_user(&cgc->buflen, &cgc32->buflen, +@@ -341,7 +341,7 @@ static int compat_fd_ioctl(struct block_device *bdev, fmode_t mode, + err |= __get_user(f->spec1, &uf->spec1); + err |= __get_user(f->fmt_gap, &uf->fmt_gap); + err |= __get_user(name, &uf->name); +- f->name = compat_ptr(name); ++ f->name = (void __force_kernel *)compat_ptr(name); + if (err) { + err = -EFAULT; + goto out; +diff --git a/block/genhd.c b/block/genhd.c +index 791f419..89f21c4 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -467,21 +467,24 @@ static char *bdevt_str(dev_t devt, char *buf) + + /* + * Register device numbers dev..(dev+range-1) +- * range must be nonzero ++ * Noop if @range is zero. + * The hash chain is sorted on range, so that subranges can override. + */ + void blk_register_region(dev_t devt, unsigned long range, struct module *module, + struct kobject *(*probe)(dev_t, int *, void *), + int (*lock)(dev_t, void *), void *data) + { +- kobj_map(bdev_map, devt, range, module, probe, lock, data); ++ if (range) ++ kobj_map(bdev_map, devt, range, module, probe, lock, data); + } + + EXPORT_SYMBOL(blk_register_region); + ++/* undo blk_register_region(), noop if @range is zero */ + void blk_unregister_region(dev_t devt, unsigned long range) + { +- kobj_unmap(bdev_map, devt, range); ++ if (range) ++ kobj_unmap(bdev_map, devt, range); + } + + EXPORT_SYMBOL(blk_unregister_region); +diff --git a/block/partitions/efi.c b/block/partitions/efi.c +index dc51f46..d5446a8 100644 +--- a/block/partitions/efi.c ++++ b/block/partitions/efi.c +@@ -293,14 +293,14 @@ static gpt_entry *alloc_read_gpt_entries(struct parsed_partitions *state, + if (!gpt) + return NULL; + ++ if (!le32_to_cpu(gpt->num_partition_entries)) ++ return NULL; ++ pte = kcalloc(le32_to_cpu(gpt->num_partition_entries), le32_to_cpu(gpt->sizeof_partition_entry), GFP_KERNEL); ++ if (!pte) ++ return NULL; ++ + count = le32_to_cpu(gpt->num_partition_entries) * + le32_to_cpu(gpt->sizeof_partition_entry); +- if (!count) +- return NULL; +- pte = kmalloc(count, GFP_KERNEL); +- if (!pte) +- return NULL; +- + if (read_lba(state, le64_to_cpu(gpt->partition_entry_lba), + (u8 *) pte, count) < count) { + kfree(pte); +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c +index 2648797..92ed21f 100644 +--- a/block/scsi_ioctl.c ++++ b/block/scsi_ioctl.c +@@ -67,7 +67,7 @@ static int scsi_get_bus(struct request_queue *q, int __user *p) + return put_user(0, p); + } + +-static int sg_get_timeout(struct request_queue *q) ++static int __intentional_overflow(-1) sg_get_timeout(struct request_queue *q) + { + return jiffies_to_clock_t(q->sg_timeout); + } +@@ -224,8 +224,20 @@ EXPORT_SYMBOL(blk_verify_command); + static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq, + struct sg_io_hdr *hdr, fmode_t mode) + { +- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len)) ++ unsigned char tmpcmd[sizeof(rq->__cmd)]; ++ unsigned char *cmdptr; ++ ++ if (rq->cmd != rq->__cmd) ++ cmdptr = rq->cmd; ++ else ++ cmdptr = tmpcmd; ++ ++ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)) + return -EFAULT; ++ ++ if (cmdptr != rq->cmd) ++ memcpy(rq->cmd, cmdptr, hdr->cmd_len); ++ + if (blk_verify_command(rq->cmd, mode & FMODE_WRITE)) + return -EPERM; + +@@ -417,6 +429,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, + int err; + unsigned int in_len, out_len, bytes, opcode, cmdlen; + char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE]; ++ unsigned char tmpcmd[sizeof(rq->__cmd)]; ++ unsigned char *cmdptr; + + if (!sic) + return -EINVAL; +@@ -450,9 +464,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, + */ + err = -EFAULT; + rq->cmd_len = cmdlen; +- if (copy_from_user(rq->cmd, sic->data, cmdlen)) ++ ++ if (rq->cmd != rq->__cmd) ++ cmdptr = rq->cmd; ++ else ++ cmdptr = tmpcmd; ++ ++ if (copy_from_user(cmdptr, sic->data, cmdlen)) + goto error; + ++ if (rq->cmd != cmdptr) ++ memcpy(rq->cmd, cmdptr, cmdlen); ++ + if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len)) + goto error; + +diff --git a/crypto/cryptd.c b/crypto/cryptd.c +index 7bdd61b..afec999 100644 +--- a/crypto/cryptd.c ++++ b/crypto/cryptd.c +@@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx { + + struct cryptd_blkcipher_request_ctx { + crypto_completion_t complete; +-}; ++} __no_const; + + struct cryptd_hash_ctx { + struct crypto_shash *child; +@@ -80,7 +80,7 @@ struct cryptd_aead_ctx { + + struct cryptd_aead_request_ctx { + crypto_completion_t complete; +-}; ++} __no_const; + + static void cryptd_queue_worker(struct work_struct *work); + +diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c +index 309d345..1632720 100644 +--- a/crypto/pcrypt.c ++++ b/crypto/pcrypt.c +@@ -440,7 +440,7 @@ static int pcrypt_sysfs_add(struct padata_instance *pinst, const char *name) + int ret; + + pinst->kobj.kset = pcrypt_kset; +- ret = kobject_add(&pinst->kobj, NULL, name); ++ ret = kobject_add(&pinst->kobj, NULL, "%s", name); + if (!ret) + kobject_uevent(&pinst->kobj, KOBJ_ADD); + +diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c +index 15dddc1..b61cf0c 100644 +--- a/drivers/acpi/acpica/hwxfsleep.c ++++ b/drivers/acpi/acpica/hwxfsleep.c +@@ -63,11 +63,12 @@ static acpi_status acpi_hw_sleep_dispatch(u8 sleep_state, u32 function_id); + /* Legacy functions are optional, based upon ACPI_REDUCED_HARDWARE */ + + static struct acpi_sleep_functions acpi_sleep_dispatch[] = { +- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_sleep), +- acpi_hw_extended_sleep}, +- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake_prep), +- acpi_hw_extended_wake_prep}, +- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake), acpi_hw_extended_wake} ++ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_sleep), ++ .extended_function = acpi_hw_extended_sleep}, ++ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake_prep), ++ .extended_function = acpi_hw_extended_wake_prep}, ++ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake), ++ .extended_function = acpi_hw_extended_wake} + }; + + /* +diff --git a/drivers/acpi/apei/apei-internal.h b/drivers/acpi/apei/apei-internal.h +index e5bcd91..74f050d 100644 +--- a/drivers/acpi/apei/apei-internal.h ++++ b/drivers/acpi/apei/apei-internal.h +@@ -19,7 +19,7 @@ typedef int (*apei_exec_ins_func_t)(struct apei_exec_context *ctx, + struct apei_exec_ins_type { + u32 flags; + apei_exec_ins_func_t run; +-}; ++} __do_const; + + struct apei_exec_context { + u32 ip; +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index dab7cb7..f0d2994 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -500,7 +500,7 @@ static void __ghes_print_estatus(const char *pfx, + const struct acpi_hest_generic *generic, + const struct acpi_generic_status *estatus) + { +- static atomic_t seqno; ++ static atomic_unchecked_t seqno; + unsigned int curr_seqno; + char pfx_seq[64]; + +@@ -511,7 +511,7 @@ static void __ghes_print_estatus(const char *pfx, + else + pfx = KERN_ERR; + } +- curr_seqno = atomic_inc_return(&seqno); ++ curr_seqno = atomic_inc_return_unchecked(&seqno); + snprintf(pfx_seq, sizeof(pfx_seq), "%s{%u}" HW_ERR, pfx, curr_seqno); + printk("%s""Hardware error from APEI Generic Hardware Error Source: %d\n", + pfx_seq, generic->header.source_id); +diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c +index a83e3c6..c3d617f 100644 +--- a/drivers/acpi/bgrt.c ++++ b/drivers/acpi/bgrt.c +@@ -86,8 +86,10 @@ static int __init bgrt_init(void) + if (!bgrt_image) + return -ENODEV; + +- bin_attr_image.private = bgrt_image; +- bin_attr_image.size = bgrt_image_size; ++ pax_open_kernel(); ++ *(void **)&bin_attr_image.private = bgrt_image; ++ *(size_t *)&bin_attr_image.size = bgrt_image_size; ++ pax_close_kernel(); + + bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj); + if (!bgrt_kobj) +diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c +index afec452..c5d8b96 100644 +--- a/drivers/acpi/blacklist.c ++++ b/drivers/acpi/blacklist.c +@@ -51,7 +51,7 @@ struct acpi_blacklist_item { + u32 is_critical_error; + }; + +-static struct dmi_system_id acpi_osi_dmi_table[] __initdata; ++static const struct dmi_system_id acpi_osi_dmi_table[] __initconst; + + /* + * POLICY: If *anything* doesn't work, put it on the blacklist. +@@ -163,7 +163,7 @@ static int __init dmi_disable_osi_win8(const struct dmi_system_id *d) + return 0; + } + +-static struct dmi_system_id acpi_osi_dmi_table[] __initdata = { ++static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = { + { + .callback = dmi_disable_osi_vista, + .ident = "Fujitsu Siemens", +diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c +index c68e724..e863008 100644 +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -29,6 +29,10 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, + struct acpi_table_header table; + acpi_status status; + ++#ifdef CONFIG_GRKERNSEC_KMEM ++ return -EPERM; ++#endif ++ + if (!(*ppos)) { + /* parse the table header to get the table length */ + if (count <= sizeof(struct acpi_table_header)) +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 3dca36d..abaf070 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -952,7 +952,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr) + { + int i, count = CPUIDLE_DRIVER_STATE_START; + struct acpi_processor_cx *cx; +- struct cpuidle_state *state; ++ cpuidle_state_no_const *state; + struct cpuidle_driver *drv = &acpi_idle_driver; + + if (!pr->flags.power_setup_done) +diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c +index 91a32ce..d77fcaf 100644 +--- a/drivers/acpi/sysfs.c ++++ b/drivers/acpi/sysfs.c +@@ -425,11 +425,11 @@ static u32 num_counters; + static struct attribute **all_attrs; + static u32 acpi_gpe_count; + +-static struct attribute_group interrupt_stats_attr_group = { ++static attribute_group_no_const interrupt_stats_attr_group = { + .name = "interrupts", + }; + +-static struct kobj_attribute *counter_attrs; ++static kobj_attribute_no_const *counter_attrs; + + static void delete_gpe_attr_array(void) + { +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c +index 36605ab..6ef6d4b 100644 +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -1239,7 +1239,7 @@ int ahci_kick_engine(struct ata_port *ap) + } + EXPORT_SYMBOL_GPL(ahci_kick_engine); + +-static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp, ++static int __intentional_overflow(-1) ahci_exec_polled_cmd(struct ata_port *ap, int pmp, + struct ata_taskfile *tf, int is_cmd, u16 flags, + unsigned long timeout_msec) + { +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 8cb2522..a815e54 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev); + static void ata_dev_xfermask(struct ata_device *dev); + static unsigned long ata_dev_blacklisted(const struct ata_device *dev); + +-atomic_t ata_print_id = ATOMIC_INIT(0); ++atomic_unchecked_t ata_print_id = ATOMIC_INIT(0); + + struct ata_force_param { + const char *name; +@@ -4851,7 +4851,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) + struct ata_port *ap; + unsigned int tag; + +- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ ++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ + ap = qc->ap; + + qc->flags = 0; +@@ -4867,7 +4867,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) + struct ata_port *ap; + struct ata_link *link; + +- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ ++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ + WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); + ap = qc->ap; + link = qc->dev->link; +@@ -5986,6 +5986,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) + return; + + spin_lock(&lock); ++ pax_open_kernel(); + + for (cur = ops->inherits; cur; cur = cur->inherits) { + void **inherit = (void **)cur; +@@ -5999,8 +6000,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) + if (IS_ERR(*pp)) + *pp = NULL; + +- ops->inherits = NULL; ++ *(struct ata_port_operations **)&ops->inherits = NULL; + ++ pax_close_kernel(); + spin_unlock(&lock); + } + +@@ -6193,7 +6195,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) + + /* give ports names and add SCSI hosts */ + for (i = 0; i < host->n_ports; i++) { +- host->ports[i]->print_id = atomic_inc_return(&ata_print_id); ++ host->ports[i]->print_id = atomic_inc_return_unchecked(&ata_print_id); + host->ports[i]->local_port_no = i + 1; + } + +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index ef8567d..8bdbd03 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -4147,7 +4147,7 @@ int ata_sas_port_init(struct ata_port *ap) + + if (rc) + return rc; +- ap->print_id = atomic_inc_return(&ata_print_id); ++ ap->print_id = atomic_inc_return_unchecked(&ata_print_id); + return 0; + } + EXPORT_SYMBOL_GPL(ata_sas_port_init); +diff --git a/drivers/ata/libata.h b/drivers/ata/libata.h +index 45b5ab3..98446b8 100644 +--- a/drivers/ata/libata.h ++++ b/drivers/ata/libata.h +@@ -53,7 +53,7 @@ enum { + ATA_DNXFER_QUIET = (1 << 31), + }; + +-extern atomic_t ata_print_id; ++extern atomic_unchecked_t ata_print_id; + extern int atapi_passthru16; + extern int libata_fua; + extern int libata_noacpi; +diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c +index 73492dd..ca2bff5 100644 +--- a/drivers/ata/pata_arasan_cf.c ++++ b/drivers/ata/pata_arasan_cf.c +@@ -865,7 +865,9 @@ static int arasan_cf_probe(struct platform_device *pdev) + /* Handle platform specific quirks */ + if (quirk) { + if (quirk & CF_BROKEN_PIO) { +- ap->ops->set_piomode = NULL; ++ pax_open_kernel(); ++ *(void **)&ap->ops->set_piomode = NULL; ++ pax_close_kernel(); + ap->pio_mask = 0; + } + if (quirk & CF_BROKEN_MWDMA) +diff --git a/drivers/atm/adummy.c b/drivers/atm/adummy.c +index f9b983a..887b9d8 100644 +--- a/drivers/atm/adummy.c ++++ b/drivers/atm/adummy.c +@@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct sk_buff *skb) + vcc->pop(vcc, skb); + else + dev_kfree_skb_any(skb); +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + + return 0; + } +diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c +index 62a7607..cc4be104 100644 +--- a/drivers/atm/ambassador.c ++++ b/drivers/atm/ambassador.c +@@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) { + PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx); + + // VC layer stats +- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx); ++ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx); + + // free the descriptor + kfree (tx_descr); +@@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) { + dump_skb ("<<<", vc, skb); + + // VC layer stats +- atomic_inc(&atm_vcc->stats->rx); ++ atomic_inc_unchecked(&atm_vcc->stats->rx); + __net_timestamp(skb); + // end of our responsibility + atm_vcc->push (atm_vcc, skb); +@@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) { + } else { + PRINTK (KERN_INFO, "dropped over-size frame"); + // should we count this? +- atomic_inc(&atm_vcc->stats->rx_drop); ++ atomic_inc_unchecked(&atm_vcc->stats->rx_drop); + } + + } else { +@@ -1338,7 +1338,7 @@ static int amb_send (struct atm_vcc * atm_vcc, struct sk_buff * skb) { + } + + if (check_area (skb->data, skb->len)) { +- atomic_inc(&atm_vcc->stats->tx_err); ++ atomic_inc_unchecked(&atm_vcc->stats->tx_err); + return -ENOMEM; // ? + } + +diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c +index 0e3f8f9..765a7a5 100644 +--- a/drivers/atm/atmtcp.c ++++ b/drivers/atm/atmtcp.c +@@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb) + if (vcc->pop) vcc->pop(vcc,skb); + else dev_kfree_skb(skb); + if (dev_data) return 0; +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + return -ENOLINK; + } + size = skb->len+sizeof(struct atmtcp_hdr); +@@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb) + if (!new_skb) { + if (vcc->pop) vcc->pop(vcc,skb); + else dev_kfree_skb(skb); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + return -ENOBUFS; + } + hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr)); +@@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb) + if (vcc->pop) vcc->pop(vcc,skb); + else dev_kfree_skb(skb); + out_vcc->push(out_vcc,new_skb); +- atomic_inc(&vcc->stats->tx); +- atomic_inc(&out_vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->tx); ++ atomic_inc_unchecked(&out_vcc->stats->rx); + return 0; + } + +@@ -299,7 +299,7 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb) + out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci)); + read_unlock(&vcc_sklist_lock); + if (!out_vcc) { +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + goto done; + } + skb_pull(skb,sizeof(struct atmtcp_hdr)); +@@ -311,8 +311,8 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb) + __net_timestamp(new_skb); + skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len); + out_vcc->push(out_vcc,new_skb); +- atomic_inc(&vcc->stats->tx); +- atomic_inc(&out_vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->tx); ++ atomic_inc_unchecked(&out_vcc->stats->rx); + done: + if (vcc->pop) vcc->pop(vcc,skb); + else dev_kfree_skb(skb); +diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c +index b1955ba..b179940 100644 +--- a/drivers/atm/eni.c ++++ b/drivers/atm/eni.c +@@ -522,7 +522,7 @@ static int rx_aal0(struct atm_vcc *vcc) + DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n", + vcc->dev->number); + length = 0; +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + } + else { + length = ATM_CELL_SIZE-1; /* no HEC */ +@@ -577,7 +577,7 @@ static int rx_aal5(struct atm_vcc *vcc) + size); + } + eff = length = 0; +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + } + else { + size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2); +@@ -594,7 +594,7 @@ static int rx_aal5(struct atm_vcc *vcc) + "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n", + vcc->dev->number,vcc->vci,length,size << 2,descr); + length = eff = 0; +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + } + } + skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL; +@@ -767,7 +767,7 @@ rx_dequeued++; + vcc->push(vcc,skb); + pushed++; + } +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + } + wake_up(&eni_dev->rx_wait); + } +@@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *dev) + PCI_DMA_TODEVICE); + if (vcc->pop) vcc->pop(vcc,skb); + else dev_kfree_skb_irq(skb); +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + wake_up(&eni_dev->tx_wait); + dma_complete++; + } +diff --git a/drivers/atm/firestream.c b/drivers/atm/firestream.c +index b41c948..a002b17 100644 +--- a/drivers/atm/firestream.c ++++ b/drivers/atm/firestream.c +@@ -749,7 +749,7 @@ static void process_txdone_queue (struct fs_dev *dev, struct queue *q) + } + } + +- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx); ++ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx); + + fs_dprintk (FS_DEBUG_TXMEM, "i"); + fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb); +@@ -816,7 +816,7 @@ static void process_incoming (struct fs_dev *dev, struct queue *q) + #endif + skb_put (skb, qe->p1 & 0xffff); + ATM_SKB(skb)->vcc = atm_vcc; +- atomic_inc(&atm_vcc->stats->rx); ++ atomic_inc_unchecked(&atm_vcc->stats->rx); + __net_timestamp(skb); + fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb); + atm_vcc->push (atm_vcc, skb); +@@ -837,12 +837,12 @@ static void process_incoming (struct fs_dev *dev, struct queue *q) + kfree (pe); + } + if (atm_vcc) +- atomic_inc(&atm_vcc->stats->rx_drop); ++ atomic_inc_unchecked(&atm_vcc->stats->rx_drop); + break; + case 0x1f: /* Reassembly abort: no buffers. */ + /* Silently increment error counter. */ + if (atm_vcc) +- atomic_inc(&atm_vcc->stats->rx_drop); ++ atomic_inc_unchecked(&atm_vcc->stats->rx_drop); + break; + default: /* Hmm. Haven't written the code to handle the others yet... -- REW */ + printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n", +diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c +index 204814e..cede831 100644 +--- a/drivers/atm/fore200e.c ++++ b/drivers/atm/fore200e.c +@@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200e) + #endif + /* check error condition */ + if (*entry->status & STATUS_ERROR) +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + else +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + } + } + +@@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp + if (skb == NULL) { + DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len); + +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + return -ENOMEM; + } + +@@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp + + dev_kfree_skb_any(skb); + +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + return -ENOMEM; + } + + ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0); + + vcc->push(vcc, skb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + + ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0); + +@@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200e) + DPRINTK(2, "damaged PDU on %d.%d.%d\n", + fore200e->atm_dev->number, + entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + } + } + +@@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struct sk_buff *skb) + goto retry_here; + } + +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + + fore200e->tx_sat++; + DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n", +diff --git a/drivers/atm/he.c b/drivers/atm/he.c +index aa6be26..f70a785 100644 +--- a/drivers/atm/he.c ++++ b/drivers/atm/he.c +@@ -1690,7 +1690,7 @@ he_service_rbrq(struct he_dev *he_dev, int group) + + if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) { + hprintk("HBUF_ERR! (cid 0x%x)\n", cid); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + goto return_host_buffers; + } + +@@ -1717,7 +1717,7 @@ he_service_rbrq(struct he_dev *he_dev, int group) + RBRQ_LEN_ERR(he_dev->rbrq_head) + ? "LEN_ERR" : "", + vcc->vpi, vcc->vci); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + goto return_host_buffers; + } + +@@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, int group) + vcc->push(vcc, skb); + spin_lock(&he_dev->global_lock); + +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + + return_host_buffers: + ++pdus_assembled; +@@ -2095,7 +2095,7 @@ __enqueue_tpd(struct he_dev *he_dev, struct he_tpd *tpd, unsigned cid) + tpd->vcc->pop(tpd->vcc, tpd->skb); + else + dev_kfree_skb_any(tpd->skb); +- atomic_inc(&tpd->vcc->stats->tx_err); ++ atomic_inc_unchecked(&tpd->vcc->stats->tx_err); + } + pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status)); + return; +@@ -2507,7 +2507,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb) + vcc->pop(vcc, skb); + else + dev_kfree_skb_any(skb); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + return -EINVAL; + } + +@@ -2518,7 +2518,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb) + vcc->pop(vcc, skb); + else + dev_kfree_skb_any(skb); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + return -EINVAL; + } + #endif +@@ -2530,7 +2530,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb) + vcc->pop(vcc, skb); + else + dev_kfree_skb_any(skb); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + spin_unlock_irqrestore(&he_dev->global_lock, flags); + return -ENOMEM; + } +@@ -2572,7 +2572,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb) + vcc->pop(vcc, skb); + else + dev_kfree_skb_any(skb); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + spin_unlock_irqrestore(&he_dev->global_lock, flags); + return -ENOMEM; + } +@@ -2603,7 +2603,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb) + __enqueue_tpd(he_dev, tpd, cid); + spin_unlock_irqrestore(&he_dev->global_lock, flags); + +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + + return 0; + } +diff --git a/drivers/atm/horizon.c b/drivers/atm/horizon.c +index 1dc0519..1aadaf7 100644 +--- a/drivers/atm/horizon.c ++++ b/drivers/atm/horizon.c +@@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev, int irq) { + { + struct atm_vcc * vcc = ATM_SKB(skb)->vcc; + // VC layer stats +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + __net_timestamp(skb); + // end of our responsibility + vcc->push (vcc, skb); +@@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const dev, int irq) { + dev->tx_iovec = NULL; + + // VC layer stats +- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx); ++ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx); + + // free the skb + hrz_kfree_skb (skb); +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c +index 1bdf104..9dc44b1 100644 +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -812,7 +812,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc) + else + dev_kfree_skb(skb); + +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + } + + atomic_dec(&scq->used); +@@ -1075,13 +1075,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe) + if ((sb = dev_alloc_skb(64)) == NULL) { + printk("%s: Can't allocate buffers for aal0.\n", + card->name); +- atomic_add(i, &vcc->stats->rx_drop); ++ atomic_add_unchecked(i, &vcc->stats->rx_drop); + break; + } + if (!atm_charge(vcc, sb->truesize)) { + RXPRINTK("%s: atm_charge() dropped aal0 packets.\n", + card->name); +- atomic_add(i - 1, &vcc->stats->rx_drop); ++ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); + dev_kfree_skb(sb); + break; + } +@@ -1098,7 +1098,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe) + ATM_SKB(sb)->vcc = vcc; + __net_timestamp(sb); + vcc->push(vcc, sb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + + cell += ATM_CELL_PAYLOAD; + } +@@ -1135,13 +1135,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe) + "(CDC: %08x)\n", + card->name, len, rpp->len, readl(SAR_REG_CDC)); + recycle_rx_pool_skb(card, rpp); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + return; + } + if (stat & SAR_RSQE_CRC) { + RXPRINTK("%s: AAL5 CRC error.\n", card->name); + recycle_rx_pool_skb(card, rpp); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + return; + } + if (skb_queue_len(&rpp->queue) > 1) { +@@ -1152,7 +1152,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe) + RXPRINTK("%s: Can't alloc RX skb.\n", + card->name); + recycle_rx_pool_skb(card, rpp); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + return; + } + if (!atm_charge(vcc, skb->truesize)) { +@@ -1171,7 +1171,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe) + __net_timestamp(skb); + + vcc->push(vcc, skb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + + return; + } +@@ -1193,7 +1193,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe) + __net_timestamp(skb); + + vcc->push(vcc, skb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + + if (skb->truesize > SAR_FB_SIZE_3) + add_rx_skb(card, 3, SAR_FB_SIZE_3, 1); +@@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *card) + if (vcc->qos.aal != ATM_AAL0) { + RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n", + card->name, vpi, vci); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + goto drop; + } + + if ((sb = dev_alloc_skb(64)) == NULL) { + printk("%s: Can't allocate buffers for AAL0.\n", + card->name); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + goto drop; + } + +@@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *card) + ATM_SKB(sb)->vcc = vcc; + __net_timestamp(sb); + vcc->push(vcc, sb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + + drop: + skb_pull(queue, 64); +@@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam) + + if (vc == NULL) { + printk("%s: NULL connection in send().\n", card->name); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb(skb); + return -EINVAL; + } + if (!test_bit(VCF_TX, &vc->flags)) { + printk("%s: Trying to transmit on a non-tx VC.\n", card->name); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb(skb); + return -EINVAL; + } +@@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam) + break; + default: + printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb(skb); + return -EINVAL; + } + + if (skb_shinfo(skb)->nr_frags != 0) { + printk("%s: No scatter-gather yet.\n", card->name); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb(skb); + return -EINVAL; + } +@@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam) + + err = queue_skb(card, vc, skb, oam); + if (err) { +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb(skb); + return err; + } +@@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, void *cell, int flags) + skb = dev_alloc_skb(64); + if (!skb) { + printk("%s: Out of memory in send_oam().\n", card->name); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + return -ENOMEM; + } + atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc); +diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c +index 4217f29..88f547a 100644 +--- a/drivers/atm/iphase.c ++++ b/drivers/atm/iphase.c +@@ -1145,7 +1145,7 @@ static int rx_pkt(struct atm_dev *dev) + status = (u_short) (buf_desc_ptr->desc_mode); + if (status & (RX_CER | RX_PTE | RX_OFL)) + { +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + IF_ERR(printk("IA: bad packet, dropping it");) + if (status & RX_CER) { + IF_ERR(printk(" cause: packet CRC error\n");) +@@ -1168,7 +1168,7 @@ static int rx_pkt(struct atm_dev *dev) + len = dma_addr - buf_addr; + if (len > iadev->rx_buf_sz) { + printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + goto out_free_desc; + } + +@@ -1318,7 +1318,7 @@ static void rx_dle_intr(struct atm_dev *dev) + ia_vcc = INPH_IA_VCC(vcc); + if (ia_vcc == NULL) + { +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + atm_return(vcc, skb->truesize); + dev_kfree_skb_any(skb); + goto INCR_DLE; +@@ -1330,7 +1330,7 @@ static void rx_dle_intr(struct atm_dev *dev) + if ((length > iadev->rx_buf_sz) || (length > + (skb->len - sizeof(struct cpcs_trailer)))) + { +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)", + length, skb->len);) + atm_return(vcc, skb->truesize); +@@ -1346,7 +1346,7 @@ static void rx_dle_intr(struct atm_dev *dev) + + IF_RX(printk("rx_dle_intr: skb push");) + vcc->push(vcc,skb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + iadev->rx_pkt_cnt++; + } + INCR_DLE: +@@ -2826,15 +2826,15 @@ static int ia_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg) + { + struct k_sonet_stats *stats; + stats = &PRIV(_ia_dev[board])->sonet_stats; +- printk("section_bip: %d\n", atomic_read(&stats->section_bip)); +- printk("line_bip : %d\n", atomic_read(&stats->line_bip)); +- printk("path_bip : %d\n", atomic_read(&stats->path_bip)); +- printk("line_febe : %d\n", atomic_read(&stats->line_febe)); +- printk("path_febe : %d\n", atomic_read(&stats->path_febe)); +- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs)); +- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs)); +- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells)); +- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells)); ++ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip)); ++ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip)); ++ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip)); ++ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe)); ++ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe)); ++ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs)); ++ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs)); ++ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells)); ++ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells)); + } + ia_cmds.status = 0; + break; +@@ -2939,7 +2939,7 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) { + if ((desc == 0) || (desc > iadev->num_tx_desc)) + { + IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);) +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + if (vcc->pop) + vcc->pop(vcc, skb); + else +@@ -3044,14 +3044,14 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) { + ATM_DESC(skb) = vcc->vci; + skb_queue_tail(&iadev->tx_dma_q, skb); + +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + iadev->tx_pkt_cnt++; + /* Increment transaction counter */ + writel(2, iadev->dma+IPHASE5575_TX_COUNTER); + + #if 0 + /* add flow control logic */ +- if (atomic_read(&vcc->stats->tx) % 20 == 0) { ++ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) { + if (iavcc->vc_desc_cnt > 10) { + vcc->tx_quota = vcc->tx_quota * 3 / 4; + printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota ); +diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c +index fa7d701..1e404c7 100644 +--- a/drivers/atm/lanai.c ++++ b/drivers/atm/lanai.c +@@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai, + vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0); + lanai_endtx(lanai, lvcc); + lanai_free_skb(lvcc->tx.atmvcc, skb); +- atomic_inc(&lvcc->tx.atmvcc->stats->tx); ++ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx); + } + + /* Try to fill the buffer - don't call unless there is backlog */ +@@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc *lvcc, int endptr) + ATM_SKB(skb)->vcc = lvcc->rx.atmvcc; + __net_timestamp(skb); + lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb); +- atomic_inc(&lvcc->rx.atmvcc->stats->rx); ++ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx); + out: + lvcc->rx.buf.ptr = end; + cardvcc_write(lvcc, endptr, vcc_rxreadptr); +@@ -1667,7 +1667,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s) + DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 " + "vcc %d\n", lanai->number, (unsigned int) s, vci); + lanai->stats.service_rxnotaal5++; +- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err); ++ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err); + return 0; + } + if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) { +@@ -1679,7 +1679,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s) + int bytes; + read_unlock(&vcc_sklist_lock); + DPRINTK("got trashed rx pdu on vci %d\n", vci); +- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err); ++ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err); + lvcc->stats.x.aal5.service_trash++; + bytes = (SERVICE_GET_END(s) * 16) - + (((unsigned long) lvcc->rx.buf.ptr) - +@@ -1691,7 +1691,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s) + } + if (s & SERVICE_STREAM) { + read_unlock(&vcc_sklist_lock); +- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err); ++ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err); + lvcc->stats.x.aal5.service_stream++; + printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream " + "PDU on VCI %d!\n", lanai->number, vci); +@@ -1699,7 +1699,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s) + return 0; + } + DPRINTK("got rx crc error on vci %d\n", vci); +- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err); ++ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err); + lvcc->stats.x.aal5.service_rxcrc++; + lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4]; + cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr); +diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c +index 9587e95..b45c5cb 100644 +--- a/drivers/atm/nicstar.c ++++ b/drivers/atm/nicstar.c +@@ -1640,7 +1640,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb) + if ((vc = (vc_map *) vcc->dev_data) == NULL) { + printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", + card->index); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb_any(skb); + return -EINVAL; + } +@@ -1648,7 +1648,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb) + if (!vc->tx) { + printk("nicstar%d: Trying to transmit on a non-tx VC.\n", + card->index); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb_any(skb); + return -EINVAL; + } +@@ -1656,14 +1656,14 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb) + if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) { + printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", + card->index); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb_any(skb); + return -EINVAL; + } + + if (skb_shinfo(skb)->nr_frags != 0) { + printk("nicstar%d: No scatter-gather yet.\n", card->index); +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb_any(skb); + return -EINVAL; + } +@@ -1711,11 +1711,11 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb) + } + + if (push_scqe(card, vc, scq, &scqe, skb) != 0) { +- atomic_inc(&vcc->stats->tx_err); ++ atomic_inc_unchecked(&vcc->stats->tx_err); + dev_kfree_skb_any(skb); + return -EIO; + } +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + + return 0; + } +@@ -2032,14 +2032,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + printk + ("nicstar%d: Can't allocate buffers for aal0.\n", + card->index); +- atomic_add(i, &vcc->stats->rx_drop); ++ atomic_add_unchecked(i, &vcc->stats->rx_drop); + break; + } + if (!atm_charge(vcc, sb->truesize)) { + RXPRINTK + ("nicstar%d: atm_charge() dropped aal0 packets.\n", + card->index); +- atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */ ++ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */ + dev_kfree_skb_any(sb); + break; + } +@@ -2054,7 +2054,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + ATM_SKB(sb)->vcc = vcc; + __net_timestamp(sb); + vcc->push(vcc, sb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + cell += ATM_CELL_PAYLOAD; + } + +@@ -2071,7 +2071,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + if (iovb == NULL) { + printk("nicstar%d: Out of iovec buffers.\n", + card->index); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + recycle_rx_buf(card, skb); + return; + } +@@ -2095,7 +2095,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + small or large buffer itself. */ + } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) { + printk("nicstar%d: received too big AAL5 SDU.\n", card->index); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data, + NS_MAX_IOVECS); + NS_PRV_IOVCNT(iovb) = 0; +@@ -2115,7 +2115,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + ("nicstar%d: Expected a small buffer, and this is not one.\n", + card->index); + which_list(card, skb); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + recycle_rx_buf(card, skb); + vc->rx_iov = NULL; + recycle_iov_buf(card, iovb); +@@ -2128,7 +2128,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + ("nicstar%d: Expected a large buffer, and this is not one.\n", + card->index); + which_list(card, skb); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data, + NS_PRV_IOVCNT(iovb)); + vc->rx_iov = NULL; +@@ -2151,7 +2151,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + printk(" - PDU size mismatch.\n"); + else + printk(".\n"); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data, + NS_PRV_IOVCNT(iovb)); + vc->rx_iov = NULL; +@@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + /* skb points to a small buffer */ + if (!atm_charge(vcc, skb->truesize)) { + push_rxbufs(card, skb); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + } else { + skb_put(skb, len); + dequeue_sm_buf(card, skb); +@@ -2175,7 +2175,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + ATM_SKB(skb)->vcc = vcc; + __net_timestamp(skb); + vcc->push(vcc, skb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + } + } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */ + struct sk_buff *sb; +@@ -2186,7 +2186,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + if (len <= NS_SMBUFSIZE) { + if (!atm_charge(vcc, sb->truesize)) { + push_rxbufs(card, sb); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + } else { + skb_put(sb, len); + dequeue_sm_buf(card, sb); +@@ -2196,7 +2196,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + ATM_SKB(sb)->vcc = vcc; + __net_timestamp(sb); + vcc->push(vcc, sb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + } + + push_rxbufs(card, skb); +@@ -2205,7 +2205,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + + if (!atm_charge(vcc, skb->truesize)) { + push_rxbufs(card, skb); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + } else { + dequeue_lg_buf(card, skb); + #ifdef NS_USE_DESTRUCTORS +@@ -2218,7 +2218,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + ATM_SKB(skb)->vcc = vcc; + __net_timestamp(skb); + vcc->push(vcc, skb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + } + + push_rxbufs(card, sb); +@@ -2239,7 +2239,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + printk + ("nicstar%d: Out of huge buffers.\n", + card->index); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + recycle_iovec_rx_bufs(card, + (struct iovec *) + iovb->data, +@@ -2290,7 +2290,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + card->hbpool.count++; + } else + dev_kfree_skb_any(hb); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + } else { + /* Copy the small buffer to the huge buffer */ + sb = (struct sk_buff *)iov->iov_base; +@@ -2327,7 +2327,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe) + #endif /* NS_USE_DESTRUCTORS */ + __net_timestamp(hb); + vcc->push(vcc, hb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + } + } + +diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c +index e3fb496..d9646bf 100644 +--- a/drivers/atm/solos-pci.c ++++ b/drivers/atm/solos-pci.c +@@ -838,7 +838,7 @@ void solos_bh(unsigned long card_arg) + } + atm_charge(vcc, skb->truesize); + vcc->push(vcc, skb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + break; + + case PKT_STATUS: +@@ -1116,7 +1116,7 @@ static uint32_t fpga_tx(struct solos_card *card) + vcc = SKB_CB(oldskb)->vcc; + + if (vcc) { +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + solos_pop(vcc, oldskb); + } else { + dev_kfree_skb_irq(oldskb); +diff --git a/drivers/atm/suni.c b/drivers/atm/suni.c +index 0215934..ce9f5b1 100644 +--- a/drivers/atm/suni.c ++++ b/drivers/atm/suni.c +@@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock); + + + #define ADD_LIMITED(s,v) \ +- atomic_add((v),&stats->s); \ +- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX); ++ atomic_add_unchecked((v),&stats->s); \ ++ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); + + + static void suni_hz(unsigned long from_timer) +diff --git a/drivers/atm/uPD98402.c b/drivers/atm/uPD98402.c +index 5120a96..e2572bd 100644 +--- a/drivers/atm/uPD98402.c ++++ b/drivers/atm/uPD98402.c +@@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *dev,struct sonet_stats __user *arg,int ze + struct sonet_stats tmp; + int error = 0; + +- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs); ++ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs); + sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp); + if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp)); + if (zero && !error) { +@@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg) + + + #define ADD_LIMITED(s,v) \ +- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \ +- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \ +- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); } ++ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \ ++ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \ ++ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); } + + + static void stat_event(struct atm_dev *dev) +@@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev *dev) + if (reason & uPD98402_INT_PFM) stat_event(dev); + if (reason & uPD98402_INT_PCO) { + (void) GET(PCOCR); /* clear interrupt cause */ +- atomic_add(GET(HECCT), ++ atomic_add_unchecked(GET(HECCT), + &PRIV(dev)->sonet_stats.uncorr_hcs); + } + if ((reason & uPD98402_INT_RFO) && +@@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev *dev) + PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO | + uPD98402_INT_LOS),PIMR); /* enable them */ + (void) fetch_stats(dev,NULL,1); /* clear kernel counters */ +- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1); +- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1); +- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1); ++ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1); ++ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1); ++ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1); + return 0; + } + +diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c +index 969c3c2..9b72956 100644 +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]); + } + if (!size) { + dev_kfree_skb_irq(skb); +- if (vcc) atomic_inc(&vcc->stats->rx_err); ++ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err); + continue; + } + if (!atm_charge(vcc,skb->truesize)) { +@@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]); + skb->len = size; + ATM_SKB(skb)->vcc = vcc; + vcc->push(vcc,skb); +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + } + zout(pos & 0xffff,MTA(mbx)); + #if 0 /* probably a stupid idea */ +@@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD_V | uPD98401_TXPD_DP | + skb_queue_head(&zatm_vcc->backlog,skb); + break; + } +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + wake_up(&zatm_vcc->tx_wait); + } + +diff --git a/drivers/base/bus.c b/drivers/base/bus.c +index 59dc808..f10c74e 100644 +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -1124,7 +1124,7 @@ int subsys_interface_register(struct subsys_interface *sif) + return -EINVAL; + + mutex_lock(&subsys->p->mutex); +- list_add_tail(&sif->node, &subsys->p->interfaces); ++ pax_list_add_tail((struct list_head *)&sif->node, &subsys->p->interfaces); + if (sif->add_dev) { + subsys_dev_iter_init(&iter, subsys, NULL, NULL); + while ((dev = subsys_dev_iter_next(&iter))) +@@ -1149,7 +1149,7 @@ void subsys_interface_unregister(struct subsys_interface *sif) + subsys = sif->subsys; + + mutex_lock(&subsys->p->mutex); +- list_del_init(&sif->node); ++ pax_list_del_init((struct list_head *)&sif->node); + if (sif->remove_dev) { + subsys_dev_iter_init(&iter, subsys, NULL, NULL); + while ((dev = subsys_dev_iter_next(&iter))) +diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c +index 25798db..15f130e 100644 +--- a/drivers/base/devtmpfs.c ++++ b/drivers/base/devtmpfs.c +@@ -354,7 +354,7 @@ int devtmpfs_mount(const char *mntdir) + if (!thread) + return 0; + +- err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL); ++ err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL); + if (err) + printk(KERN_INFO "devtmpfs: error mounting %i\n", err); + else +@@ -380,11 +380,11 @@ static int devtmpfsd(void *p) + *err = sys_unshare(CLONE_NEWNS); + if (*err) + goto out; +- *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options); ++ *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options); + if (*err) + goto out; +- sys_chdir("/.."); /* will traverse into overmounted root */ +- sys_chroot("."); ++ sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */ ++ sys_chroot((char __force_user *)"."); + complete(&setup_done); + while (1) { + spin_lock(&req_lock); +diff --git a/drivers/base/node.c b/drivers/base/node.c +index bc9f43b..29703b8 100644 +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -620,7 +620,7 @@ static ssize_t print_nodes_state(enum node_states state, char *buf) + struct node_attr { + struct device_attribute attr; + enum node_states state; +-}; ++} __do_const; + + static ssize_t show_node_state(struct device *dev, + struct device_attribute *attr, char *buf) +diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c +index bfb8955..4ebff34 100644 +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -1809,9 +1809,9 @@ int __pm_genpd_remove_callbacks(struct device *dev, bool clear_td) + + if (dev->power.subsys_data->domain_data) { + gpd_data = to_gpd_data(dev->power.subsys_data->domain_data); +- gpd_data->ops = (struct gpd_dev_ops){ NULL }; ++ memset(&gpd_data->ops, 0, sizeof(gpd_data->ops)); + if (clear_td) +- gpd_data->td = (struct gpd_timing_data){ 0 }; ++ memset(&gpd_data->td, 0, sizeof(gpd_data->td)); + + if (--gpd_data->refcount == 0) { + dev->power.subsys_data->domain_data = NULL; +@@ -1850,7 +1850,7 @@ int pm_genpd_attach_cpuidle(struct generic_pm_domain *genpd, int state) + { + struct cpuidle_driver *cpuidle_drv; + struct gpd_cpu_data *cpu_data; +- struct cpuidle_state *idle_state; ++ cpuidle_state_no_const *idle_state; + int ret = 0; + + if (IS_ERR_OR_NULL(genpd) || state < 0) +@@ -1918,7 +1918,7 @@ int pm_genpd_name_attach_cpuidle(const char *name, int state) + int pm_genpd_detach_cpuidle(struct generic_pm_domain *genpd) + { + struct gpd_cpu_data *cpu_data; +- struct cpuidle_state *idle_state; ++ cpuidle_state_no_const *idle_state; + int ret = 0; + + if (IS_ERR_OR_NULL(genpd)) +diff --git a/drivers/base/power/sysfs.c b/drivers/base/power/sysfs.c +index 03e089a..0e9560c 100644 +--- a/drivers/base/power/sysfs.c ++++ b/drivers/base/power/sysfs.c +@@ -185,7 +185,7 @@ static ssize_t rtpm_status_show(struct device *dev, + return -EIO; + } + } +- return sprintf(buf, p); ++ return sprintf(buf, "%s", p); + } + + static DEVICE_ATTR(runtime_status, 0444, rtpm_status_show, NULL); +diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c +index 2d56f41..8830f19 100644 +--- a/drivers/base/power/wakeup.c ++++ b/drivers/base/power/wakeup.c +@@ -29,14 +29,14 @@ bool events_check_enabled __read_mostly; + * They need to be modified together atomically, so it's better to use one + * atomic variable to hold them both. + */ +-static atomic_t combined_event_count = ATOMIC_INIT(0); ++static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0); + + #define IN_PROGRESS_BITS (sizeof(int) * 4) + #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1) + + static void split_counters(unsigned int *cnt, unsigned int *inpr) + { +- unsigned int comb = atomic_read(&combined_event_count); ++ unsigned int comb = atomic_read_unchecked(&combined_event_count); + + *cnt = (comb >> IN_PROGRESS_BITS); + *inpr = comb & MAX_IN_PROGRESS; +@@ -395,7 +395,7 @@ static void wakeup_source_activate(struct wakeup_source *ws) + ws->start_prevent_time = ws->last_time; + + /* Increment the counter of events in progress. */ +- cec = atomic_inc_return(&combined_event_count); ++ cec = atomic_inc_return_unchecked(&combined_event_count); + + trace_wakeup_source_activate(ws->name, cec); + } +@@ -521,7 +521,7 @@ static void wakeup_source_deactivate(struct wakeup_source *ws) + * Increment the counter of registered wakeup events and decrement the + * couter of wakeup events in progress simultaneously. + */ +- cec = atomic_add_return(MAX_IN_PROGRESS, &combined_event_count); ++ cec = atomic_add_return_unchecked(MAX_IN_PROGRESS, &combined_event_count); + trace_wakeup_source_deactivate(ws->name, cec); + + split_counters(&cnt, &inpr); +diff --git a/drivers/base/syscore.c b/drivers/base/syscore.c +index e8d11b6..7b1b36f 100644 +--- a/drivers/base/syscore.c ++++ b/drivers/base/syscore.c +@@ -21,7 +21,7 @@ static DEFINE_MUTEX(syscore_ops_lock); + void register_syscore_ops(struct syscore_ops *ops) + { + mutex_lock(&syscore_ops_lock); +- list_add_tail(&ops->node, &syscore_ops_list); ++ pax_list_add_tail((struct list_head *)&ops->node, &syscore_ops_list); + mutex_unlock(&syscore_ops_lock); + } + EXPORT_SYMBOL_GPL(register_syscore_ops); +@@ -33,7 +33,7 @@ EXPORT_SYMBOL_GPL(register_syscore_ops); + void unregister_syscore_ops(struct syscore_ops *ops) + { + mutex_lock(&syscore_ops_lock); +- list_del(&ops->node); ++ pax_list_del((struct list_head *)&ops->node); + mutex_unlock(&syscore_ops_lock); + } + EXPORT_SYMBOL_GPL(unregister_syscore_ops); +diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c +index 036e8ab..6221dec 100644 +--- a/drivers/block/cciss.c ++++ b/drivers/block/cciss.c +@@ -3011,7 +3011,7 @@ static void start_io(ctlr_info_t *h) + while (!list_empty(&h->reqQ)) { + c = list_entry(h->reqQ.next, CommandList_struct, list); + /* can't do anything if fifo is full */ +- if ((h->access.fifo_full(h))) { ++ if ((h->access->fifo_full(h))) { + dev_warn(&h->pdev->dev, "fifo full\n"); + break; + } +@@ -3021,7 +3021,7 @@ static void start_io(ctlr_info_t *h) + h->Qdepth--; + + /* Tell the controller execute command */ +- h->access.submit_command(h, c); ++ h->access->submit_command(h, c); + + /* Put job onto the completed Q */ + addQ(&h->cmpQ, c); +@@ -3447,17 +3447,17 @@ startio: + + static inline unsigned long get_next_completion(ctlr_info_t *h) + { +- return h->access.command_completed(h); ++ return h->access->command_completed(h); + } + + static inline int interrupt_pending(ctlr_info_t *h) + { +- return h->access.intr_pending(h); ++ return h->access->intr_pending(h); + } + + static inline long interrupt_not_for_us(ctlr_info_t *h) + { +- return ((h->access.intr_pending(h) == 0) || ++ return ((h->access->intr_pending(h) == 0) || + (h->interrupts_enabled == 0)); + } + +@@ -3490,7 +3490,7 @@ static inline u32 next_command(ctlr_info_t *h) + u32 a; + + if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant))) +- return h->access.command_completed(h); ++ return h->access->command_completed(h); + + if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) { + a = *(h->reply_pool_head); /* Next cmd in ring buffer */ +@@ -4047,7 +4047,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h) + trans_support & CFGTBL_Trans_use_short_tags); + + /* Change the access methods to the performant access methods */ +- h->access = SA5_performant_access; ++ h->access = &SA5_performant_access; + h->transMethod = CFGTBL_Trans_Performant; + + return; +@@ -4327,7 +4327,7 @@ static int cciss_pci_init(ctlr_info_t *h) + if (prod_index < 0) + return -ENODEV; + h->product_name = products[prod_index].product_name; +- h->access = *(products[prod_index].access); ++ h->access = products[prod_index].access; + + if (cciss_board_disabled(h)) { + dev_warn(&h->pdev->dev, "controller appears to be disabled\n"); +@@ -5059,7 +5059,7 @@ reinit_after_soft_reset: + } + + /* make sure the board interrupts are off */ +- h->access.set_intr_mask(h, CCISS_INTR_OFF); ++ h->access->set_intr_mask(h, CCISS_INTR_OFF); + rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx); + if (rc) + goto clean2; +@@ -5109,7 +5109,7 @@ reinit_after_soft_reset: + * fake ones to scoop up any residual completions. + */ + spin_lock_irqsave(&h->lock, flags); +- h->access.set_intr_mask(h, CCISS_INTR_OFF); ++ h->access->set_intr_mask(h, CCISS_INTR_OFF); + spin_unlock_irqrestore(&h->lock, flags); + free_irq(h->intr[h->intr_mode], h); + rc = cciss_request_irq(h, cciss_msix_discard_completions, +@@ -5129,9 +5129,9 @@ reinit_after_soft_reset: + dev_info(&h->pdev->dev, "Board READY.\n"); + dev_info(&h->pdev->dev, + "Waiting for stale completions to drain.\n"); +- h->access.set_intr_mask(h, CCISS_INTR_ON); ++ h->access->set_intr_mask(h, CCISS_INTR_ON); + msleep(10000); +- h->access.set_intr_mask(h, CCISS_INTR_OFF); ++ h->access->set_intr_mask(h, CCISS_INTR_OFF); + + rc = controller_reset_failed(h->cfgtable); + if (rc) +@@ -5154,7 +5154,7 @@ reinit_after_soft_reset: + cciss_scsi_setup(h); + + /* Turn the interrupts on so we can service requests */ +- h->access.set_intr_mask(h, CCISS_INTR_ON); ++ h->access->set_intr_mask(h, CCISS_INTR_ON); + + /* Get the firmware version */ + inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL); +@@ -5226,7 +5226,7 @@ static void cciss_shutdown(struct pci_dev *pdev) + kfree(flush_buf); + if (return_code != IO_OK) + dev_warn(&h->pdev->dev, "Error flushing cache\n"); +- h->access.set_intr_mask(h, CCISS_INTR_OFF); ++ h->access->set_intr_mask(h, CCISS_INTR_OFF); + free_irq(h->intr[h->intr_mode], h); + } + +diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h +index 7fda30e..2f27946 100644 +--- a/drivers/block/cciss.h ++++ b/drivers/block/cciss.h +@@ -101,7 +101,7 @@ struct ctlr_info + /* information about each logical volume */ + drive_info_struct *drv[CISS_MAX_LUN]; + +- struct access_method access; ++ struct access_method *access; + + /* queue and queue Info */ + struct list_head reqQ; +@@ -402,27 +402,27 @@ static bool SA5_performant_intr_pending(ctlr_info_t *h) + } + + static struct access_method SA5_access = { +- SA5_submit_command, +- SA5_intr_mask, +- SA5_fifo_full, +- SA5_intr_pending, +- SA5_completed, ++ .submit_command = SA5_submit_command, ++ .set_intr_mask = SA5_intr_mask, ++ .fifo_full = SA5_fifo_full, ++ .intr_pending = SA5_intr_pending, ++ .command_completed = SA5_completed, + }; + + static struct access_method SA5B_access = { +- SA5_submit_command, +- SA5B_intr_mask, +- SA5_fifo_full, +- SA5B_intr_pending, +- SA5_completed, ++ .submit_command = SA5_submit_command, ++ .set_intr_mask = SA5B_intr_mask, ++ .fifo_full = SA5_fifo_full, ++ .intr_pending = SA5B_intr_pending, ++ .command_completed = SA5_completed, + }; + + static struct access_method SA5_performant_access = { +- SA5_submit_command, +- SA5_performant_intr_mask, +- SA5_fifo_full, +- SA5_performant_intr_pending, +- SA5_performant_completed, ++ .submit_command = SA5_submit_command, ++ .set_intr_mask = SA5_performant_intr_mask, ++ .fifo_full = SA5_fifo_full, ++ .intr_pending = SA5_performant_intr_pending, ++ .command_completed = SA5_performant_completed, + }; + + struct board_type { +diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c +index 2b94403..fd6ad1f 100644 +--- a/drivers/block/cpqarray.c ++++ b/drivers/block/cpqarray.c +@@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev) + if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) { + goto Enomem4; + } +- hba[i]->access.set_intr_mask(hba[i], 0); ++ hba[i]->access->set_intr_mask(hba[i], 0); + if (request_irq(hba[i]->intr, do_ida_intr, + IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i])) + { +@@ -459,7 +459,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev) + add_timer(&hba[i]->timer); + + /* Enable IRQ now that spinlock and rate limit timer are set up */ +- hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY); ++ hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY); + + for(j=0; jproduct_name = products[i].product_name; +- c->access = *(products[i].access); ++ c->access = products[i].access; + break; + } + } +@@ -792,7 +792,7 @@ static int cpqarray_eisa_detect(void) + hba[ctlr]->intr = intr; + sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr); + hba[ctlr]->product_name = products[j].product_name; +- hba[ctlr]->access = *(products[j].access); ++ hba[ctlr]->access = products[j].access; + hba[ctlr]->ctlr = ctlr; + hba[ctlr]->board_id = board_id; + hba[ctlr]->pci_dev = NULL; /* not PCI */ +@@ -978,7 +978,7 @@ static void start_io(ctlr_info_t *h) + + while((c = h->reqQ) != NULL) { + /* Can't do anything if we're busy */ +- if (h->access.fifo_full(h) == 0) ++ if (h->access->fifo_full(h) == 0) + return; + + /* Get the first entry from the request Q */ +@@ -986,7 +986,7 @@ static void start_io(ctlr_info_t *h) + h->Qdepth--; + + /* Tell the controller to do our bidding */ +- h->access.submit_command(h, c); ++ h->access->submit_command(h, c); + + /* Get onto the completion Q */ + addQ(&h->cmpQ, c); +@@ -1048,7 +1048,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id) + unsigned long flags; + __u32 a,a1; + +- istat = h->access.intr_pending(h); ++ istat = h->access->intr_pending(h); + /* Is this interrupt for us? */ + if (istat == 0) + return IRQ_NONE; +@@ -1059,7 +1059,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id) + */ + spin_lock_irqsave(IDA_LOCK(h->ctlr), flags); + if (istat & FIFO_NOT_EMPTY) { +- while((a = h->access.command_completed(h))) { ++ while((a = h->access->command_completed(h))) { + a1 = a; a &= ~3; + if ((c = h->cmpQ) == NULL) + { +@@ -1448,11 +1448,11 @@ static int sendcmd( + /* + * Disable interrupt + */ +- info_p->access.set_intr_mask(info_p, 0); ++ info_p->access->set_intr_mask(info_p, 0); + /* Make sure there is room in the command FIFO */ + /* Actually it should be completely empty at this time. */ + for (i = 200000; i > 0; i--) { +- temp = info_p->access.fifo_full(info_p); ++ temp = info_p->access->fifo_full(info_p); + if (temp != 0) { + break; + } +@@ -1465,7 +1465,7 @@ DBG( + /* + * Send the cmd + */ +- info_p->access.submit_command(info_p, c); ++ info_p->access->submit_command(info_p, c); + complete = pollcomplete(ctlr); + + pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr, +@@ -1548,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host) + * we check the new geometry. Then turn interrupts back on when + * we're done. + */ +- host->access.set_intr_mask(host, 0); ++ host->access->set_intr_mask(host, 0); + getgeometry(ctlr); +- host->access.set_intr_mask(host, FIFO_NOT_EMPTY); ++ host->access->set_intr_mask(host, FIFO_NOT_EMPTY); + + for(i=0; i 0; i--) { +- done = hba[ctlr]->access.command_completed(hba[ctlr]); ++ done = hba[ctlr]->access->command_completed(hba[ctlr]); + if (done == 0) { + udelay(10); /* a short fixed delay */ + } else +diff --git a/drivers/block/cpqarray.h b/drivers/block/cpqarray.h +index be73e9d..7fbf140 100644 +--- a/drivers/block/cpqarray.h ++++ b/drivers/block/cpqarray.h +@@ -99,7 +99,7 @@ struct ctlr_info { + drv_info_t drv[NWD]; + struct proc_dir_entry *proc; + +- struct access_method access; ++ struct access_method *access; + + cmdlist_t *reqQ; + cmdlist_t *cmpQ; +diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h +index 0e06f0c..c47b81d 100644 +--- a/drivers/block/drbd/drbd_int.h ++++ b/drivers/block/drbd/drbd_int.h +@@ -582,7 +582,7 @@ struct drbd_epoch { + struct drbd_tconn *tconn; + struct list_head list; + unsigned int barrier_nr; +- atomic_t epoch_size; /* increased on every request added. */ ++ atomic_unchecked_t epoch_size; /* increased on every request added. */ + atomic_t active; /* increased on every req. added, and dec on every finished. */ + unsigned long flags; + }; +@@ -1022,7 +1022,7 @@ struct drbd_conf { + unsigned int al_tr_number; + int al_tr_cycle; + wait_queue_head_t seq_wait; +- atomic_t packet_seq; ++ atomic_unchecked_t packet_seq; + unsigned int peer_seq; + spinlock_t peer_seq_lock; + unsigned int minor; +@@ -1573,7 +1573,7 @@ static inline int drbd_setsockopt(struct socket *sock, int level, int optname, + char __user *uoptval; + int err; + +- uoptval = (char __user __force *)optval; ++ uoptval = (char __force_user *)optval; + + set_fs(KERNEL_DS); + if (level == SOL_SOCKET) +diff --git a/drivers/block/drbd/drbd_interval.c b/drivers/block/drbd/drbd_interval.c +index 89c497c..9c736ae 100644 +--- a/drivers/block/drbd/drbd_interval.c ++++ b/drivers/block/drbd/drbd_interval.c +@@ -67,9 +67,9 @@ static void augment_rotate(struct rb_node *rb_old, struct rb_node *rb_new) + } + + static const struct rb_augment_callbacks augment_callbacks = { +- augment_propagate, +- augment_copy, +- augment_rotate, ++ .propagate = augment_propagate, ++ .copy = augment_copy, ++ .rotate = augment_rotate, + }; + + /** +diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c +index 929468e..7d934eb 100644 +--- a/drivers/block/drbd/drbd_main.c ++++ b/drivers/block/drbd/drbd_main.c +@@ -1317,7 +1317,7 @@ static int _drbd_send_ack(struct drbd_conf *mdev, enum drbd_packet cmd, + p->sector = sector; + p->block_id = block_id; + p->blksize = blksize; +- p->seq_num = cpu_to_be32(atomic_inc_return(&mdev->packet_seq)); ++ p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq)); + return drbd_send_command(mdev, sock, cmd, sizeof(*p), NULL, 0); + } + +@@ -1622,7 +1622,7 @@ int drbd_send_dblock(struct drbd_conf *mdev, struct drbd_request *req) + return -EIO; + p->sector = cpu_to_be64(req->i.sector); + p->block_id = (unsigned long)req; +- p->seq_num = cpu_to_be32(atomic_inc_return(&mdev->packet_seq)); ++ p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq)); + dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw); + if (mdev->state.conn >= C_SYNC_SOURCE && + mdev->state.conn <= C_PAUSED_SYNC_T) +@@ -2577,8 +2577,8 @@ void conn_destroy(struct kref *kref) + { + struct drbd_tconn *tconn = container_of(kref, struct drbd_tconn, kref); + +- if (atomic_read(&tconn->current_epoch->epoch_size) != 0) +- conn_err(tconn, "epoch_size:%d\n", atomic_read(&tconn->current_epoch->epoch_size)); ++ if (atomic_read_unchecked(&tconn->current_epoch->epoch_size) != 0) ++ conn_err(tconn, "epoch_size:%d\n", atomic_read_unchecked(&tconn->current_epoch->epoch_size)); + kfree(tconn->current_epoch); + + idr_destroy(&tconn->volumes); +diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c +index c706d50..5e1b472 100644 +--- a/drivers/block/drbd/drbd_nl.c ++++ b/drivers/block/drbd/drbd_nl.c +@@ -3440,7 +3440,7 @@ out: + + void drbd_bcast_event(struct drbd_conf *mdev, const struct sib_info *sib) + { +- static atomic_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */ ++ static atomic_unchecked_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */ + struct sk_buff *msg; + struct drbd_genlmsghdr *d_out; + unsigned seq; +@@ -3453,7 +3453,7 @@ void drbd_bcast_event(struct drbd_conf *mdev, const struct sib_info *sib) + return; + } + +- seq = atomic_inc_return(&drbd_genl_seq); ++ seq = atomic_inc_return_unchecked(&drbd_genl_seq); + msg = genlmsg_new(NLMSG_GOODSIZE, GFP_NOIO); + if (!msg) + goto failed; +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index d073305..4998fea 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -834,7 +834,7 @@ int drbd_connected(struct drbd_conf *mdev) + { + int err; + +- atomic_set(&mdev->packet_seq, 0); ++ atomic_set_unchecked(&mdev->packet_seq, 0); + mdev->peer_seq = 0; + + mdev->state_mutex = mdev->tconn->agreed_pro_version < 100 ? +@@ -1193,7 +1193,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_tconn *tconn, + do { + next_epoch = NULL; + +- epoch_size = atomic_read(&epoch->epoch_size); ++ epoch_size = atomic_read_unchecked(&epoch->epoch_size); + + switch (ev & ~EV_CLEANUP) { + case EV_PUT: +@@ -1233,7 +1233,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_tconn *tconn, + rv = FE_DESTROYED; + } else { + epoch->flags = 0; +- atomic_set(&epoch->epoch_size, 0); ++ atomic_set_unchecked(&epoch->epoch_size, 0); + /* atomic_set(&epoch->active, 0); is already zero */ + if (rv == FE_STILL_LIVE) + rv = FE_RECYCLED; +@@ -1451,7 +1451,7 @@ static int receive_Barrier(struct drbd_tconn *tconn, struct packet_info *pi) + conn_wait_active_ee_empty(tconn); + drbd_flush(tconn); + +- if (atomic_read(&tconn->current_epoch->epoch_size)) { ++ if (atomic_read_unchecked(&tconn->current_epoch->epoch_size)) { + epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO); + if (epoch) + break; +@@ -1464,11 +1464,11 @@ static int receive_Barrier(struct drbd_tconn *tconn, struct packet_info *pi) + } + + epoch->flags = 0; +- atomic_set(&epoch->epoch_size, 0); ++ atomic_set_unchecked(&epoch->epoch_size, 0); + atomic_set(&epoch->active, 0); + + spin_lock(&tconn->epoch_lock); +- if (atomic_read(&tconn->current_epoch->epoch_size)) { ++ if (atomic_read_unchecked(&tconn->current_epoch->epoch_size)) { + list_add(&epoch->list, &tconn->current_epoch->list); + tconn->current_epoch = epoch; + tconn->epochs++; +@@ -2164,7 +2164,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi) + + err = wait_for_and_update_peer_seq(mdev, peer_seq); + drbd_send_ack_dp(mdev, P_NEG_ACK, p, pi->size); +- atomic_inc(&tconn->current_epoch->epoch_size); ++ atomic_inc_unchecked(&tconn->current_epoch->epoch_size); + err2 = drbd_drain_block(mdev, pi->size); + if (!err) + err = err2; +@@ -2198,7 +2198,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi) + + spin_lock(&tconn->epoch_lock); + peer_req->epoch = tconn->current_epoch; +- atomic_inc(&peer_req->epoch->epoch_size); ++ atomic_inc_unchecked(&peer_req->epoch->epoch_size); + atomic_inc(&peer_req->epoch->active); + spin_unlock(&tconn->epoch_lock); + +@@ -4345,7 +4345,7 @@ struct data_cmd { + int expect_payload; + size_t pkt_size; + int (*fn)(struct drbd_tconn *, struct packet_info *); +-}; ++} __do_const; + + static struct data_cmd drbd_cmd_handler[] = { + [P_DATA] = { 1, sizeof(struct p_data), receive_Data }, +@@ -4465,7 +4465,7 @@ static void conn_disconnect(struct drbd_tconn *tconn) + if (!list_empty(&tconn->current_epoch->list)) + conn_err(tconn, "ASSERTION FAILED: tconn->current_epoch->list not empty\n"); + /* ok, no more ee's on the fly, it is safe to reset the epoch_size */ +- atomic_set(&tconn->current_epoch->epoch_size, 0); ++ atomic_set_unchecked(&tconn->current_epoch->epoch_size, 0); + tconn->send.seen_any_write_yet = false; + + conn_info(tconn, "Connection closed\n"); +@@ -5221,7 +5221,7 @@ static int tconn_finish_peer_reqs(struct drbd_tconn *tconn) + struct asender_cmd { + size_t pkt_size; + int (*fn)(struct drbd_tconn *tconn, struct packet_info *); +-}; ++} __do_const; + + static struct asender_cmd asender_tbl[] = { + [P_PING] = { 0, got_Ping }, +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 66e8c3b..9b68dd9 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -232,7 +232,7 @@ static int __do_lo_send_write(struct file *file, + + file_start_write(file); + set_fs(get_ds()); +- bw = file->f_op->write(file, buf, len, &pos); ++ bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos); + set_fs(old_fs); + file_end_write(file); + if (likely(bw == len)) +diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c +index 091b9ea..f5428f8 100644 +--- a/drivers/block/null_blk.c ++++ b/drivers/block/null_blk.c +@@ -382,15 +382,25 @@ static int null_init_hctx(struct blk_mq_hw_ctx *hctx, void *data, + return 0; + } + +-static struct blk_mq_ops null_mq_ops = { +- .queue_rq = null_queue_rq, +- .map_queue = blk_mq_map_queue, ++static struct blk_mq_ops null_mq_single_ops = { ++ .queue_rq = null_queue_rq, ++ .map_queue = blk_mq_map_queue, + .init_hctx = null_init_hctx, + .complete = null_softirq_done_fn, ++ .alloc_hctx = blk_mq_alloc_single_hw_queue, ++ .free_hctx = blk_mq_free_single_hw_queue, ++}; ++ ++static struct blk_mq_ops null_mq_per_node_ops = { ++ .queue_rq = null_queue_rq, ++ .map_queue = blk_mq_map_queue, ++ .init_hctx = null_init_hctx, ++ .alloc_hctx = null_alloc_hctx, ++ .free_hctx = null_free_hctx, + }; + + static struct blk_mq_reg null_mq_reg = { +- .ops = &null_mq_ops, ++ .ops = &null_mq_single_ops, + .queue_depth = 64, + .cmd_size = sizeof(struct nullb_cmd), + .flags = BLK_MQ_F_SHOULD_MERGE, +@@ -521,13 +531,8 @@ static int null_add_dev(void) + null_mq_reg.queue_depth = hw_queue_depth; + null_mq_reg.nr_hw_queues = submit_queues; + +- if (use_per_node_hctx) { +- null_mq_reg.ops->alloc_hctx = null_alloc_hctx; +- null_mq_reg.ops->free_hctx = null_free_hctx; +- } else { +- null_mq_reg.ops->alloc_hctx = blk_mq_alloc_single_hw_queue; +- null_mq_reg.ops->free_hctx = blk_mq_free_single_hw_queue; +- } ++ if (use_per_node_hctx) ++ null_mq_reg.ops = &null_mq_per_node_ops; + + nullb->q = blk_mq_init_queue(&null_mq_reg, nullb); + } else if (queue_mode == NULL_Q_BIO) { +diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c +index a2af73d..c0b8f61 100644 +--- a/drivers/block/pktcdvd.c ++++ b/drivers/block/pktcdvd.c +@@ -108,7 +108,7 @@ static int pkt_seq_show(struct seq_file *m, void *p); + + static sector_t get_zone(sector_t sector, struct pktcdvd_device *pd) + { +- return (sector + pd->offset) & ~(sector_t)(pd->settings.size - 1); ++ return (sector + pd->offset) & ~(sector_t)(pd->settings.size - 1UL); + } + + /* +@@ -1888,7 +1888,7 @@ static noinline_for_stack int pkt_probe_settings(struct pktcdvd_device *pd) + return -EROFS; + } + pd->settings.fp = ti.fp; +- pd->offset = (be32_to_cpu(ti.track_start) << 2) & (pd->settings.size - 1); ++ pd->offset = (be32_to_cpu(ti.track_start) << 2) & (pd->settings.size - 1UL); + + if (ti.nwa_v) { + pd->nwa = be32_to_cpu(ti.next_writable); +diff --git a/drivers/block/smart1,2.h b/drivers/block/smart1,2.h +index e5565fb..71be10b4 100644 +--- a/drivers/block/smart1,2.h ++++ b/drivers/block/smart1,2.h +@@ -108,11 +108,11 @@ static unsigned long smart4_intr_pending(ctlr_info_t *h) + } + + static struct access_method smart4_access = { +- smart4_submit_command, +- smart4_intr_mask, +- smart4_fifo_full, +- smart4_intr_pending, +- smart4_completed, ++ .submit_command = smart4_submit_command, ++ .set_intr_mask = smart4_intr_mask, ++ .fifo_full = smart4_fifo_full, ++ .intr_pending = smart4_intr_pending, ++ .command_completed = smart4_completed, + }; + + /* +@@ -144,11 +144,11 @@ static unsigned long smart2_intr_pending(ctlr_info_t *h) + } + + static struct access_method smart2_access = { +- smart2_submit_command, +- smart2_intr_mask, +- smart2_fifo_full, +- smart2_intr_pending, +- smart2_completed, ++ .submit_command = smart2_submit_command, ++ .set_intr_mask = smart2_intr_mask, ++ .fifo_full = smart2_fifo_full, ++ .intr_pending = smart2_intr_pending, ++ .command_completed = smart2_completed, + }; + + /* +@@ -180,11 +180,11 @@ static unsigned long smart2e_intr_pending(ctlr_info_t *h) + } + + static struct access_method smart2e_access = { +- smart2e_submit_command, +- smart2e_intr_mask, +- smart2e_fifo_full, +- smart2e_intr_pending, +- smart2e_completed, ++ .submit_command = smart2e_submit_command, ++ .set_intr_mask = smart2e_intr_mask, ++ .fifo_full = smart2e_fifo_full, ++ .intr_pending = smart2e_intr_pending, ++ .command_completed = smart2e_completed, + }; + + /* +@@ -270,9 +270,9 @@ static unsigned long smart1_intr_pending(ctlr_info_t *h) + } + + static struct access_method smart1_access = { +- smart1_submit_command, +- smart1_intr_mask, +- smart1_fifo_full, +- smart1_intr_pending, +- smart1_completed, ++ .submit_command = smart1_submit_command, ++ .set_intr_mask = smart1_intr_mask, ++ .fifo_full = smart1_fifo_full, ++ .intr_pending = smart1_intr_pending, ++ .command_completed = smart1_completed, + }; +diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c +index f038dba..bb74c08 100644 +--- a/drivers/bluetooth/btwilink.c ++++ b/drivers/bluetooth/btwilink.c +@@ -288,7 +288,7 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb) + + static int bt_ti_probe(struct platform_device *pdev) + { +- static struct ti_st *hst; ++ struct ti_st *hst; + struct hci_dev *hdev; + int err; + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index 8a3aff7..d7538c2 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -416,7 +416,6 @@ int register_cdrom(struct cdrom_device_info *cdi) + ENSURE(reset, CDC_RESET); + ENSURE(generic_packet, CDC_GENERIC_PACKET); + cdi->mc_flags = 0; +- cdo->n_minors = 0; + cdi->options = CDO_USE_FFLAGS; + + if (autoclose==1 && CDROM_CAN(CDC_CLOSE_TRAY)) +@@ -436,8 +435,11 @@ int register_cdrom(struct cdrom_device_info *cdi) + else + cdi->cdda_method = CDDA_OLD; + +- if (!cdo->generic_packet) +- cdo->generic_packet = cdrom_dummy_generic_packet; ++ if (!cdo->generic_packet) { ++ pax_open_kernel(); ++ *(void **)&cdo->generic_packet = cdrom_dummy_generic_packet; ++ pax_close_kernel(); ++ } + + cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name); + mutex_lock(&cdrom_mutex); +@@ -458,7 +460,6 @@ void unregister_cdrom(struct cdrom_device_info *cdi) + if (cdi->exit) + cdi->exit(cdi); + +- cdi->ops->n_minors--; + cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name); + } + +@@ -2107,7 +2108,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf, + */ + nr = nframes; + do { +- cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL); ++ cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL); + if (cgc.buffer) + break; + +@@ -3429,7 +3430,7 @@ static int cdrom_print_info(const char *header, int val, char *info, + struct cdrom_device_info *cdi; + int ret; + +- ret = scnprintf(info + *pos, max_size - *pos, header); ++ ret = scnprintf(info + *pos, max_size - *pos, "%s", header); + if (!ret) + return 1; + +diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c +index 51e75ad..39c4c76 100644 +--- a/drivers/cdrom/gdrom.c ++++ b/drivers/cdrom/gdrom.c +@@ -491,7 +491,6 @@ static struct cdrom_device_ops gdrom_ops = { + .audio_ioctl = gdrom_audio_ioctl, + .capability = CDC_MULTI_SESSION | CDC_MEDIA_CHANGED | + CDC_RESET | CDC_DRIVE_STATUS | CDC_CD_R, +- .n_minors = 1, + }; + + static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode) +diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig +index 1386749..5430258 100644 +--- a/drivers/char/Kconfig ++++ b/drivers/char/Kconfig +@@ -8,7 +8,8 @@ source "drivers/tty/Kconfig" + + config DEVKMEM + bool "/dev/kmem virtual device support" +- default y ++ default n ++ depends on !GRKERNSEC_KMEM + help + Say Y here if you want to support the /dev/kmem device. The + /dev/kmem device is rarely used, but can be used for certain +@@ -577,6 +578,7 @@ config DEVPORT + bool + depends on !M68K + depends on ISA || PCI ++ depends on !GRKERNSEC_KMEM + default y + + source "drivers/s390/char/Kconfig" +diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c +index a48e05b..6bac831 100644 +--- a/drivers/char/agp/compat_ioctl.c ++++ b/drivers/char/agp/compat_ioctl.c +@@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user + return -ENOMEM; + } + +- if (copy_from_user(usegment, (void __user *) ureserve.seg_list, ++ if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list, + sizeof(*usegment) * ureserve.seg_count)) { + kfree(usegment); + kfree(ksegment); +diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c +index 1b19239..b87b143 100644 +--- a/drivers/char/agp/frontend.c ++++ b/drivers/char/agp/frontend.c +@@ -819,7 +819,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) + if (copy_from_user(&reserve, arg, sizeof(struct agp_region))) + return -EFAULT; + +- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment)) ++ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv)) + return -EFAULT; + + client = agp_find_client_by_pid(reserve.pid); +@@ -849,7 +849,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) + if (segment == NULL) + return -ENOMEM; + +- if (copy_from_user(segment, (void __user *) reserve.seg_list, ++ if (copy_from_user(segment, (void __force_user *) reserve.seg_list, + sizeof(struct agp_segment) * reserve.seg_count)) { + kfree(segment); + return -EFAULT; +diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c +index 4f94375..413694e 100644 +--- a/drivers/char/genrtc.c ++++ b/drivers/char/genrtc.c +@@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *file, + switch (cmd) { + + case RTC_PLL_GET: ++ memset(&pll, 0, sizeof(pll)); + if (get_rtc_pll(&pll)) + return -EINVAL; + else +diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c +index d5d4cd8..22d561d 100644 +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -575,7 +575,7 @@ static inline unsigned long hpet_time_div(struct hpets *hpets, + } + + static int +-hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, ++hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, + struct hpet_info *info) + { + struct hpet_timer __iomem *timer; +diff --git a/drivers/char/hw_random/intel-rng.c b/drivers/char/hw_random/intel-rng.c +index 86fe45c..c0ea948 100644 +--- a/drivers/char/hw_random/intel-rng.c ++++ b/drivers/char/hw_random/intel-rng.c +@@ -314,7 +314,7 @@ PFX "RNG, try using the 'no_fwh_detect' option.\n"; + + if (no_fwh_detect) + return -ENODEV; +- printk(warning); ++ printk("%s", warning); + return -EBUSY; + } + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index ec4e10f..f2a763b 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -420,7 +420,7 @@ struct ipmi_smi { + struct proc_dir_entry *proc_dir; + char proc_dir_name[10]; + +- atomic_t stats[IPMI_NUM_STATS]; ++ atomic_unchecked_t stats[IPMI_NUM_STATS]; + + /* + * run_to_completion duplicate of smb_info, smi_info +@@ -453,9 +453,9 @@ static DEFINE_MUTEX(smi_watchers_mutex); + + + #define ipmi_inc_stat(intf, stat) \ +- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat]) ++ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]) + #define ipmi_get_stat(intf, stat) \ +- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat])) ++ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])) + + static int is_lan_addr(struct ipmi_addr *addr) + { +@@ -2883,7 +2883,7 @@ int ipmi_register_smi(struct ipmi_smi_handlers *handlers, + INIT_LIST_HEAD(&intf->cmd_rcvrs); + init_waitqueue_head(&intf->waitq); + for (i = 0; i < IPMI_NUM_STATS; i++) +- atomic_set(&intf->stats[i], 0); ++ atomic_set_unchecked(&intf->stats[i], 0); + + intf->proc_dir = NULL; + +diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c +index 03f4189..e79f5e0 100644 +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -280,7 +280,7 @@ struct smi_info { + unsigned char slave_addr; + + /* Counters and things for the proc filesystem. */ +- atomic_t stats[SI_NUM_STATS]; ++ atomic_unchecked_t stats[SI_NUM_STATS]; + + struct task_struct *thread; + +@@ -289,9 +289,9 @@ struct smi_info { + }; + + #define smi_inc_stat(smi, stat) \ +- atomic_inc(&(smi)->stats[SI_STAT_ ## stat]) ++ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat]) + #define smi_get_stat(smi, stat) \ +- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat])) ++ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat])) + + #define SI_MAX_PARMS 4 + +@@ -3339,7 +3339,7 @@ static int try_smi_init(struct smi_info *new_smi) + atomic_set(&new_smi->req_events, 0); + new_smi->run_to_completion = 0; + for (i = 0; i < SI_NUM_STATS; i++) +- atomic_set(&new_smi->stats[i], 0); ++ atomic_set_unchecked(&new_smi->stats[i], 0); + + new_smi->interrupt_disabled = 1; + atomic_set(&new_smi->stop_operation, 0); +diff --git a/drivers/char/mem.c b/drivers/char/mem.c +index 92c5937..1be4e4d 100644 +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -36,6 +37,10 @@ + + #define DEVPORT_MINOR 4 + ++#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC) ++extern const struct file_operations grsec_fops; ++#endif ++ + static inline unsigned long size_inside_page(unsigned long start, + unsigned long size) + { +@@ -67,9 +72,13 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size) + + while (cursor < to) { + if (!devmem_is_allowed(pfn)) { ++#ifdef CONFIG_GRKERNSEC_KMEM ++ gr_handle_mem_readwrite(from, to); ++#else + printk(KERN_INFO + "Program %s tried to access /dev/mem between %Lx->%Lx.\n", + current->comm, from, to); ++#endif + return 0; + } + cursor += PAGE_SIZE; +@@ -77,6 +86,11 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size) + } + return 1; + } ++#elif defined(CONFIG_GRKERNSEC_KMEM) ++static inline int range_is_allowed(unsigned long pfn, unsigned long size) ++{ ++ return 0; ++} + #else + static inline int range_is_allowed(unsigned long pfn, unsigned long size) + { +@@ -119,6 +133,7 @@ static ssize_t read_mem(struct file *file, char __user *buf, + + while (count > 0) { + unsigned long remaining; ++ char *temp; + + sz = size_inside_page(p, count); + +@@ -134,7 +149,23 @@ static ssize_t read_mem(struct file *file, char __user *buf, + if (!ptr) + return -EFAULT; + +- remaining = copy_to_user(buf, ptr, sz); ++#ifdef CONFIG_PAX_USERCOPY ++ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY); ++ if (!temp) { ++ unxlate_dev_mem_ptr(p, ptr); ++ return -ENOMEM; ++ } ++ memcpy(temp, ptr, sz); ++#else ++ temp = ptr; ++#endif ++ ++ remaining = copy_to_user(buf, temp, sz); ++ ++#ifdef CONFIG_PAX_USERCOPY ++ kfree(temp); ++#endif ++ + unxlate_dev_mem_ptr(p, ptr); + if (remaining) + return -EFAULT; +@@ -363,9 +394,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, + size_t count, loff_t *ppos) + { + unsigned long p = *ppos; +- ssize_t low_count, read, sz; ++ ssize_t low_count, read, sz, err = 0; + char *kbuf; /* k-addr because vread() takes vmlist_lock rwlock */ +- int err = 0; + + read = 0; + if (p < (unsigned long) high_memory) { +@@ -387,6 +417,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, + } + #endif + while (low_count > 0) { ++ char *temp; ++ + sz = size_inside_page(p, low_count); + + /* +@@ -396,7 +428,22 @@ static ssize_t read_kmem(struct file *file, char __user *buf, + */ + kbuf = xlate_dev_kmem_ptr((char *)p); + +- if (copy_to_user(buf, kbuf, sz)) ++#ifdef CONFIG_PAX_USERCOPY ++ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY); ++ if (!temp) ++ return -ENOMEM; ++ memcpy(temp, kbuf, sz); ++#else ++ temp = kbuf; ++#endif ++ ++ err = copy_to_user(buf, temp, sz); ++ ++#ifdef CONFIG_PAX_USERCOPY ++ kfree(temp); ++#endif ++ ++ if (err) + return -EFAULT; + buf += sz; + p += sz; +@@ -821,6 +868,9 @@ static const struct memdev { + #ifdef CONFIG_PRINTK + [11] = { "kmsg", 0644, &kmsg_fops, NULL }, + #endif ++#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC) ++ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL }, ++#endif + }; + + static int memory_open(struct inode *inode, struct file *filp) +@@ -892,7 +942,7 @@ static int __init chr_dev_init(void) + continue; + + device_create(mem_class, NULL, MKDEV(MEM_MAJOR, minor), +- NULL, devlist[minor].name); ++ NULL, "%s", devlist[minor].name); + } + + return tty_init(); +diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c +index 9df78e2..01ba9ae 100644 +--- a/drivers/char/nvram.c ++++ b/drivers/char/nvram.c +@@ -247,7 +247,7 @@ static ssize_t nvram_read(struct file *file, char __user *buf, + + spin_unlock_irq(&rtc_lock); + +- if (copy_to_user(buf, contents, tmp - contents)) ++ if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents)) + return -EFAULT; + + *ppos = i; +diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c +index 8320abd..ec48108 100644 +--- a/drivers/char/pcmcia/synclink_cs.c ++++ b/drivers/char/pcmcia/synclink_cs.c +@@ -2345,9 +2345,9 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp) + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):mgslpc_close(%s) entry, count=%d\n", +- __FILE__, __LINE__, info->device_name, port->count); ++ __FILE__, __LINE__, info->device_name, atomic_read(&port->count)); + +- WARN_ON(!port->count); ++ WARN_ON(!atomic_read(&port->count)); + + if (tty_port_close_start(port, tty, filp) == 0) + goto cleanup; +@@ -2365,7 +2365,7 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp) + cleanup: + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):mgslpc_close(%s) exit, count=%d\n", __FILE__, __LINE__, +- tty->driver->name, port->count); ++ tty->driver->name, atomic_read(&port->count)); + } + + /* Wait until the transmitter is empty. +@@ -2507,7 +2507,7 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp) + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):mgslpc_open(%s), old ref count = %d\n", +- __FILE__, __LINE__, tty->driver->name, port->count); ++ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count)); + + /* If port is closing, signal caller to try again */ + if (tty_hung_up_p(filp) || port->flags & ASYNC_CLOSING){ +@@ -2527,11 +2527,11 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp) + goto cleanup; + } + spin_lock(&port->lock); +- port->count++; ++ atomic_inc(&port->count); + spin_unlock(&port->lock); + spin_unlock_irqrestore(&info->netlock, flags); + +- if (port->count == 1) { ++ if (atomic_read(&port->count) == 1) { + /* 1st open on this device, init hardware */ + retval = startup(info, tty); + if (retval < 0) +@@ -3920,7 +3920,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding, + unsigned short new_crctype; + + /* return error if TTY interface open */ +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + return -EBUSY; + + switch (encoding) +@@ -4024,7 +4024,7 @@ static int hdlcdev_open(struct net_device *dev) + + /* arbitrate between network and tty opens */ + spin_lock_irqsave(&info->netlock, flags); +- if (info->port.count != 0 || info->netcount != 0) { ++ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) { + printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name); + spin_unlock_irqrestore(&info->netlock, flags); + return -EBUSY; +@@ -4114,7 +4114,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + printk("%s:hdlcdev_ioctl(%s)\n", __FILE__, dev->name); + + /* return error if TTY interface open */ +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + return -EBUSY; + + if (cmd != SIOCWANDEV) +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 429b75b..a7f4145 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -270,10 +270,17 @@ + /* + * Configuration information + */ ++#ifdef CONFIG_GRKERNSEC_RANDNET ++#define INPUT_POOL_SHIFT 14 ++#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) ++#define OUTPUT_POOL_SHIFT 12 ++#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) ++#else + #define INPUT_POOL_SHIFT 12 + #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) + #define OUTPUT_POOL_SHIFT 10 + #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) ++#endif + #define SEC_XFER_SIZE 512 + #define EXTRACT_SIZE 10 + +@@ -284,9 +291,6 @@ + /* + * To allow fractional bits to be tracked, the entropy_count field is + * denominated in units of 1/8th bits. +- * +- * 2*(ENTROPY_SHIFT + log2(poolbits)) must <= 31, or the multiply in +- * credit_entropy_bits() needs to be 64 bits wide. + */ + #define ENTROPY_SHIFT 3 + #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT) +@@ -361,12 +365,19 @@ static struct poolinfo { + #define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5) + int tap1, tap2, tap3, tap4, tap5; + } poolinfo_table[] = { ++#ifdef CONFIG_GRKERNSEC_RANDNET ++ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */ ++ { S(512), 411, 308, 208, 104, 1 }, ++ /* x^128 + x^104 + x^76 + x^51 + x^25 + x + 1 -- 105 */ ++ { S(128), 104, 76, 51, 25, 1 }, ++#else + /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ + /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ + { S(128), 104, 76, 51, 25, 1 }, + /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */ + /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */ + { S(32), 26, 19, 14, 7, 1 }, ++#endif + #if 0 + /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */ + { S(2048), 1638, 1231, 819, 411, 1 }, +@@ -433,9 +444,9 @@ struct entropy_store { + }; + + static void push_to_pool(struct work_struct *work); +-static __u32 input_pool_data[INPUT_POOL_WORDS]; +-static __u32 blocking_pool_data[OUTPUT_POOL_WORDS]; +-static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS]; ++static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy; ++static __u32 blocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy; ++static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy; + + static struct entropy_store input_pool = { + .poolinfo = &poolinfo_table[0], +@@ -524,8 +535,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in, + input_rotate = (input_rotate + (i ? 7 : 14)) & 31; + } + +- ACCESS_ONCE(r->input_rotate) = input_rotate; +- ACCESS_ONCE(r->add_ptr) = i; ++ ACCESS_ONCE_RW(r->input_rotate) = input_rotate; ++ ACCESS_ONCE_RW(r->add_ptr) = i; + smp_wmb(); + + if (out) +@@ -632,7 +643,7 @@ retry: + /* The +2 corresponds to the /4 in the denominator */ + + do { +- unsigned int anfrac = min(pnfrac, pool_size/2); ++ u64 anfrac = min(pnfrac, pool_size/2); + unsigned int add = + ((pool_size - entropy_count)*anfrac*3) >> s; + +@@ -1151,7 +1162,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, + + extract_buf(r, tmp); + i = min_t(int, nbytes, EXTRACT_SIZE); +- if (copy_to_user(buf, tmp, i)) { ++ if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) { + ret = -EFAULT; + break; + } +@@ -1507,7 +1518,7 @@ EXPORT_SYMBOL(generate_random_uuid); + #include + + static int min_read_thresh = 8, min_write_thresh; +-static int max_read_thresh = INPUT_POOL_WORDS * 32; ++static int max_read_thresh = OUTPUT_POOL_WORDS * 32; + static int max_write_thresh = INPUT_POOL_WORDS * 32; + static char sysctl_bootid[16]; + +@@ -1523,7 +1534,7 @@ static char sysctl_bootid[16]; + static int proc_do_uuid(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +- struct ctl_table fake_table; ++ ctl_table_no_const fake_table; + unsigned char buf[64], tmp_uuid[16], *uuid; + + uuid = table->data; +@@ -1553,7 +1564,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, + static int proc_do_entropy(ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +- ctl_table fake_table; ++ ctl_table_no_const fake_table; + int entropy_count; + + entropy_count = *(int *)table->data >> ENTROPY_SHIFT; +diff --git a/drivers/char/sonypi.c b/drivers/char/sonypi.c +index 7cc1fe22..b602d6b 100644 +--- a/drivers/char/sonypi.c ++++ b/drivers/char/sonypi.c +@@ -54,6 +54,7 @@ + + #include + #include ++#include + + #include + +@@ -490,7 +491,7 @@ static struct sonypi_device { + spinlock_t fifo_lock; + wait_queue_head_t fifo_proc_list; + struct fasync_struct *fifo_async; +- int open_count; ++ local_t open_count; + int model; + struct input_dev *input_jog_dev; + struct input_dev *input_key_dev; +@@ -892,7 +893,7 @@ static int sonypi_misc_fasync(int fd, struct file *filp, int on) + static int sonypi_misc_release(struct inode *inode, struct file *file) + { + mutex_lock(&sonypi_device.lock); +- sonypi_device.open_count--; ++ local_dec(&sonypi_device.open_count); + mutex_unlock(&sonypi_device.lock); + return 0; + } +@@ -901,9 +902,9 @@ static int sonypi_misc_open(struct inode *inode, struct file *file) + { + mutex_lock(&sonypi_device.lock); + /* Flush input queue on first open */ +- if (!sonypi_device.open_count) ++ if (!local_read(&sonypi_device.open_count)) + kfifo_reset(&sonypi_device.fifo); +- sonypi_device.open_count++; ++ local_inc(&sonypi_device.open_count); + mutex_unlock(&sonypi_device.lock); + + return 0; +diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c +index b9a57fa..5bb9e38 100644 +--- a/drivers/char/tpm/tpm_acpi.c ++++ b/drivers/char/tpm/tpm_acpi.c +@@ -98,11 +98,12 @@ int read_log(struct tpm_bios_log *log) + virt = acpi_os_map_memory(start, len); + if (!virt) { + kfree(log->bios_event_log); ++ log->bios_event_log = NULL; + printk("%s: ERROR - Unable to map memory\n", __func__); + return -EIO; + } + +- memcpy_fromio(log->bios_event_log, virt, len); ++ memcpy_fromio(log->bios_event_log, (const char __force_kernel *)virt, len); + + acpi_os_unmap_memory(virt, len); + return 0; +diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c +index 59f7cb2..bac8b6d 100644 +--- a/drivers/char/tpm/tpm_eventlog.c ++++ b/drivers/char/tpm/tpm_eventlog.c +@@ -95,7 +95,7 @@ static void *tpm_bios_measurements_start(struct seq_file *m, loff_t *pos) + event = addr; + + if ((event->event_type == 0 && event->event_size == 0) || +- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit)) ++ (event->event_size >= limit - addr - sizeof(struct tcpa_event))) + return NULL; + + return addr; +@@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next(struct seq_file *m, void *v, + return NULL; + + if ((event->event_type == 0 && event->event_size == 0) || +- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit)) ++ (event->event_size >= limit - v - sizeof(struct tcpa_event))) + return NULL; + + (*pos)++; +@@ -213,7 +213,8 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v) + int i; + + for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++) +- seq_putc(m, data[i]); ++ if (!seq_putc(m, data[i])) ++ return -EFAULT; + + return 0; + } +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 6928d09..ff6abe8 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -684,7 +684,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count, + if (to_user) { + ssize_t ret; + +- ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count); ++ ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count); + if (ret) + return -EFAULT; + } else { +@@ -787,7 +787,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, + if (!port_has_data(port) && !port->host_connected) + return 0; + +- return fill_readbuf(port, ubuf, count, true); ++ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true); + } + + static int wait_port_writable(struct port *port, bool nonblock) +diff --git a/drivers/clk/clk-composite.c b/drivers/clk/clk-composite.c +index 57a078e..c17cde8 100644 +--- a/drivers/clk/clk-composite.c ++++ b/drivers/clk/clk-composite.c +@@ -146,7 +146,7 @@ struct clk *clk_register_composite(struct device *dev, const char *name, + struct clk *clk; + struct clk_init_data init; + struct clk_composite *composite; +- struct clk_ops *clk_composite_ops; ++ clk_ops_no_const *clk_composite_ops; + + composite = kzalloc(sizeof(*composite), GFP_KERNEL); + if (!composite) { +diff --git a/drivers/clk/socfpga/clk.c b/drivers/clk/socfpga/clk.c +index 5983a26..65d5f46 100644 +--- a/drivers/clk/socfpga/clk.c ++++ b/drivers/clk/socfpga/clk.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + /* Clock Manager offsets */ + #define CLKMGR_CTRL 0x0 +@@ -150,8 +151,10 @@ static __init struct clk *socfpga_clk_init(struct device_node *node, + streq(clk_name, "periph_pll") || + streq(clk_name, "sdram_pll")) { + socfpga_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA; +- clk_pll_ops.enable = clk_gate_ops.enable; +- clk_pll_ops.disable = clk_gate_ops.disable; ++ pax_open_kernel(); ++ *(void **)&clk_pll_ops.enable = clk_gate_ops.enable; ++ *(void **)&clk_pll_ops.disable = clk_gate_ops.disable; ++ pax_close_kernel(); + } + + clk = clk_register(NULL, &socfpga_clk->hw.hw); +@@ -242,7 +245,7 @@ static unsigned long socfpga_clk_recalc_rate(struct clk_hw *hwclk, + return parent_rate / div; + } + +-static struct clk_ops gateclk_ops = { ++static clk_ops_no_const gateclk_ops __read_only = { + .recalc_rate = socfpga_clk_recalc_rate, + .get_parent = socfpga_clk_get_parent, + .set_parent = socfpga_clk_set_parent, +diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c +index 18448a7..d5fad43 100644 +--- a/drivers/cpufreq/acpi-cpufreq.c ++++ b/drivers/cpufreq/acpi-cpufreq.c +@@ -676,8 +676,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) + data->acpi_data = per_cpu_ptr(acpi_perf_data, cpu); + per_cpu(acfreq_data, cpu) = data; + +- if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) +- acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS; ++ if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) { ++ pax_open_kernel(); ++ *(u8 *)&acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS; ++ pax_close_kernel(); ++ } + + result = acpi_processor_register_performance(data->acpi_data, cpu); + if (result) +@@ -810,7 +813,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) + policy->cur = acpi_cpufreq_guess_freq(data, policy->cpu); + break; + case ACPI_ADR_SPACE_FIXED_HARDWARE: +- acpi_cpufreq_driver.get = get_cur_freq_on_cpu; ++ pax_open_kernel(); ++ *(void **)&acpi_cpufreq_driver.get = get_cur_freq_on_cpu; ++ pax_close_kernel(); + break; + default: + break; +@@ -905,8 +910,10 @@ static void __init acpi_cpufreq_boost_init(void) + if (!msrs) + return; + +- acpi_cpufreq_driver.boost_supported = true; +- acpi_cpufreq_driver.boost_enabled = boost_state(0); ++ pax_open_kernel(); ++ *(bool *)&acpi_cpufreq_driver.boost_supported = true; ++ *(bool *)&acpi_cpufreq_driver.boost_enabled = boost_state(0); ++ pax_close_kernel(); + get_online_cpus(); + + /* Force all MSRs to the same value */ +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 199b52b..e3503bb 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1970,7 +1970,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor) + #endif + + mutex_lock(&cpufreq_governor_mutex); +- list_del(&governor->governor_list); ++ pax_list_del(&governor->governor_list); + mutex_unlock(&cpufreq_governor_mutex); + return; + } +@@ -2200,7 +2200,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb, + return NOTIFY_OK; + } + +-static struct notifier_block __refdata cpufreq_cpu_notifier = { ++static struct notifier_block cpufreq_cpu_notifier = { + .notifier_call = cpufreq_cpu_callback, + }; + +@@ -2240,13 +2240,17 @@ int cpufreq_boost_trigger_state(int state) + return 0; + + write_lock_irqsave(&cpufreq_driver_lock, flags); +- cpufreq_driver->boost_enabled = state; ++ pax_open_kernel(); ++ *(bool *)&cpufreq_driver->boost_enabled = state; ++ pax_close_kernel(); + write_unlock_irqrestore(&cpufreq_driver_lock, flags); + + ret = cpufreq_driver->set_boost(state); + if (ret) { + write_lock_irqsave(&cpufreq_driver_lock, flags); +- cpufreq_driver->boost_enabled = !state; ++ pax_open_kernel(); ++ *(bool *)&cpufreq_driver->boost_enabled = !state; ++ pax_close_kernel(); + write_unlock_irqrestore(&cpufreq_driver_lock, flags); + + pr_err("%s: Cannot %s BOOST\n", __func__, +@@ -2300,8 +2304,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) + + pr_debug("trying to register driver %s\n", driver_data->name); + +- if (driver_data->setpolicy) +- driver_data->flags |= CPUFREQ_CONST_LOOPS; ++ if (driver_data->setpolicy) { ++ pax_open_kernel(); ++ *(u8 *)&driver_data->flags |= CPUFREQ_CONST_LOOPS; ++ pax_close_kernel(); ++ } + + write_lock_irqsave(&cpufreq_driver_lock, flags); + if (cpufreq_driver) { +@@ -2316,8 +2323,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) + * Check if driver provides function to enable boost - + * if not, use cpufreq_boost_set_sw as default + */ +- if (!cpufreq_driver->set_boost) +- cpufreq_driver->set_boost = cpufreq_boost_set_sw; ++ if (!cpufreq_driver->set_boost) { ++ pax_open_kernel(); ++ *(void **)&cpufreq_driver->set_boost = cpufreq_boost_set_sw; ++ pax_close_kernel(); ++ } + + ret = cpufreq_sysfs_create_file(&boost.attr); + if (ret) { +diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c +index ba43991..23858ffb 100644 +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -191,7 +191,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy, + struct dbs_data *dbs_data; + struct od_cpu_dbs_info_s *od_dbs_info = NULL; + struct cs_cpu_dbs_info_s *cs_dbs_info = NULL; +- struct od_ops *od_ops = NULL; ++ const struct od_ops *od_ops = NULL; + struct od_dbs_tuners *od_tuners = NULL; + struct cs_dbs_tuners *cs_tuners = NULL; + struct cpu_dbs_common_info *cpu_cdbs; +@@ -257,7 +257,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy, + + if ((cdata->governor == GOV_CONSERVATIVE) && + (!policy->governor->initialized)) { +- struct cs_ops *cs_ops = dbs_data->cdata->gov_ops; ++ const struct cs_ops *cs_ops = dbs_data->cdata->gov_ops; + + cpufreq_register_notifier(cs_ops->notifier_block, + CPUFREQ_TRANSITION_NOTIFIER); +@@ -277,7 +277,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy, + + if ((dbs_data->cdata->governor == GOV_CONSERVATIVE) && + (policy->governor->initialized == 1)) { +- struct cs_ops *cs_ops = dbs_data->cdata->gov_ops; ++ const struct cs_ops *cs_ops = dbs_data->cdata->gov_ops; + + cpufreq_unregister_notifier(cs_ops->notifier_block, + CPUFREQ_TRANSITION_NOTIFIER); +diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h +index bfb9ae1..e1d3a7e 100644 +--- a/drivers/cpufreq/cpufreq_governor.h ++++ b/drivers/cpufreq/cpufreq_governor.h +@@ -205,7 +205,7 @@ struct common_dbs_data { + void (*exit)(struct dbs_data *dbs_data); + + /* Governor specific ops, see below */ +- void *gov_ops; ++ const void *gov_ops; + }; + + /* Governor Per policy data */ +@@ -225,7 +225,7 @@ struct od_ops { + unsigned int (*powersave_bias_target)(struct cpufreq_policy *policy, + unsigned int freq_next, unsigned int relation); + void (*freq_increase)(struct cpufreq_policy *policy, unsigned int freq); +-}; ++} __no_const; + + struct cs_ops { + struct notifier_block *notifier_block; +diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c +index 18d4091..434be15 100644 +--- a/drivers/cpufreq/cpufreq_ondemand.c ++++ b/drivers/cpufreq/cpufreq_ondemand.c +@@ -521,7 +521,7 @@ static void od_exit(struct dbs_data *dbs_data) + + define_get_cpu_dbs_routines(od_cpu_dbs_info); + +-static struct od_ops od_ops = { ++static struct od_ops od_ops __read_only = { + .powersave_bias_init_cpu = ondemand_powersave_bias_init_cpu, + .powersave_bias_target = generic_powersave_bias_target, + .freq_increase = dbs_freq_increase, +@@ -576,14 +576,18 @@ void od_register_powersave_bias_handler(unsigned int (*f) + (struct cpufreq_policy *, unsigned int, unsigned int), + unsigned int powersave_bias) + { +- od_ops.powersave_bias_target = f; ++ pax_open_kernel(); ++ *(void **)&od_ops.powersave_bias_target = f; ++ pax_close_kernel(); + od_set_powersave_bias(powersave_bias); + } + EXPORT_SYMBOL_GPL(od_register_powersave_bias_handler); + + void od_unregister_powersave_bias_handler(void) + { +- od_ops.powersave_bias_target = generic_powersave_bias_target; ++ pax_open_kernel(); ++ *(void **)&od_ops.powersave_bias_target = generic_powersave_bias_target; ++ pax_close_kernel(); + od_set_powersave_bias(0); + } + EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 2cd36b9..8f07fae 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -124,10 +124,10 @@ struct pstate_funcs { + struct cpu_defaults { + struct pstate_adjust_policy pid_policy; + struct pstate_funcs funcs; +-}; ++} __do_const; + + static struct pstate_adjust_policy pid_params; +-static struct pstate_funcs pstate_funcs; ++static struct pstate_funcs *pstate_funcs; + + struct perf_limits { + int no_turbo; +@@ -518,7 +518,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) + + cpu->pstate.current_pstate = pstate; + +- pstate_funcs.set(cpu, pstate); ++ pstate_funcs->set(cpu, pstate); + } + + static inline void intel_pstate_pstate_increase(struct cpudata *cpu, int steps) +@@ -540,12 +540,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) + { + sprintf(cpu->name, "Intel 2nd generation core"); + +- cpu->pstate.min_pstate = pstate_funcs.get_min(); +- cpu->pstate.max_pstate = pstate_funcs.get_max(); +- cpu->pstate.turbo_pstate = pstate_funcs.get_turbo(); ++ cpu->pstate.min_pstate = pstate_funcs->get_min(); ++ cpu->pstate.max_pstate = pstate_funcs->get_max(); ++ cpu->pstate.turbo_pstate = pstate_funcs->get_turbo(); + +- if (pstate_funcs.get_vid) +- pstate_funcs.get_vid(cpu); ++ if (pstate_funcs->get_vid) ++ pstate_funcs->get_vid(cpu); + + /* + * goto max pstate so we don't slow up boot if we are built-in if we are +@@ -832,9 +832,9 @@ static int intel_pstate_msrs_not_valid(void) + rdmsrl(MSR_IA32_APERF, aperf); + rdmsrl(MSR_IA32_MPERF, mperf); + +- if (!pstate_funcs.get_max() || +- !pstate_funcs.get_min() || +- !pstate_funcs.get_turbo()) ++ if (!pstate_funcs->get_max() || ++ !pstate_funcs->get_min() || ++ !pstate_funcs->get_turbo()) + return -ENODEV; + + rdmsrl(MSR_IA32_APERF, tmp); +@@ -848,7 +848,7 @@ static int intel_pstate_msrs_not_valid(void) + return 0; + } + +-static void copy_pid_params(struct pstate_adjust_policy *policy) ++static void copy_pid_params(const struct pstate_adjust_policy *policy) + { + pid_params.sample_rate_ms = policy->sample_rate_ms; + pid_params.p_gain_pct = policy->p_gain_pct; +@@ -860,11 +860,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) + + static void copy_cpu_funcs(struct pstate_funcs *funcs) + { +- pstate_funcs.get_max = funcs->get_max; +- pstate_funcs.get_min = funcs->get_min; +- pstate_funcs.get_turbo = funcs->get_turbo; +- pstate_funcs.set = funcs->set; +- pstate_funcs.get_vid = funcs->get_vid; ++ pstate_funcs = funcs; + } + + #if IS_ENABLED(CONFIG_ACPI) +diff --git a/drivers/cpufreq/p4-clockmod.c b/drivers/cpufreq/p4-clockmod.c +index 3d1cba9..0ab21d2 100644 +--- a/drivers/cpufreq/p4-clockmod.c ++++ b/drivers/cpufreq/p4-clockmod.c +@@ -134,10 +134,14 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c) + case 0x0F: /* Core Duo */ + case 0x16: /* Celeron Core */ + case 0x1C: /* Atom */ +- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS; ++ pax_open_kernel(); ++ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS; ++ pax_close_kernel(); + return speedstep_get_frequency(SPEEDSTEP_CPU_PCORE); + case 0x0D: /* Pentium M (Dothan) */ +- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS; ++ pax_open_kernel(); ++ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS; ++ pax_close_kernel(); + /* fall through */ + case 0x09: /* Pentium M (Banias) */ + return speedstep_get_frequency(SPEEDSTEP_CPU_PM); +@@ -149,7 +153,9 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c) + + /* on P-4s, the TSC runs with constant frequency independent whether + * throttling is active or not. */ +- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS; ++ pax_open_kernel(); ++ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS; ++ pax_close_kernel(); + + if (speedstep_detect_processor() == SPEEDSTEP_CPU_P4M) { + printk(KERN_WARNING PFX "Warning: Pentium 4-M detected. " +diff --git a/drivers/cpufreq/sparc-us3-cpufreq.c b/drivers/cpufreq/sparc-us3-cpufreq.c +index 724ffbd..ad83692 100644 +--- a/drivers/cpufreq/sparc-us3-cpufreq.c ++++ b/drivers/cpufreq/sparc-us3-cpufreq.c +@@ -18,14 +18,12 @@ + #include + #include + +-static struct cpufreq_driver *cpufreq_us3_driver; +- + struct us3_freq_percpu_info { + struct cpufreq_frequency_table table[4]; + }; + + /* Indexed by cpu number. */ +-static struct us3_freq_percpu_info *us3_freq_table; ++static struct us3_freq_percpu_info us3_freq_table[NR_CPUS]; + + /* UltraSPARC-III has three dividers: 1, 2, and 32. These are controlled + * in the Safari config register. +@@ -156,14 +154,26 @@ static int __init us3_freq_cpu_init(struct cpufreq_policy *policy) + + static int us3_freq_cpu_exit(struct cpufreq_policy *policy) + { +- if (cpufreq_us3_driver) { +- cpufreq_frequency_table_put_attr(policy->cpu); +- us3_freq_target(policy, 0); +- } ++ cpufreq_frequency_table_put_attr(policy->cpu); ++ us3_freq_target(policy, 0); + + return 0; + } + ++static int __init us3_freq_init(void); ++static void __exit us3_freq_exit(void); ++ ++static struct cpufreq_driver cpufreq_us3_driver = { ++ .init = us3_freq_cpu_init, ++ .verify = cpufreq_generic_frequency_table_verify, ++ .target_index = us3_freq_target, ++ .get = us3_freq_get, ++ .exit = us3_freq_cpu_exit, ++ .owner = THIS_MODULE, ++ .name = "UltraSPARC-III", ++ ++}; ++ + static int __init us3_freq_init(void) + { + unsigned long manuf, impl, ver; +@@ -180,55 +190,15 @@ static int __init us3_freq_init(void) + (impl == CHEETAH_IMPL || + impl == CHEETAH_PLUS_IMPL || + impl == JAGUAR_IMPL || +- impl == PANTHER_IMPL)) { +- struct cpufreq_driver *driver; +- +- ret = -ENOMEM; +- driver = kzalloc(sizeof(*driver), GFP_KERNEL); +- if (!driver) +- goto err_out; +- +- us3_freq_table = kzalloc((NR_CPUS * sizeof(*us3_freq_table)), +- GFP_KERNEL); +- if (!us3_freq_table) +- goto err_out; +- +- driver->init = us3_freq_cpu_init; +- driver->verify = cpufreq_generic_frequency_table_verify; +- driver->target_index = us3_freq_target; +- driver->get = us3_freq_get; +- driver->exit = us3_freq_cpu_exit; +- strcpy(driver->name, "UltraSPARC-III"); +- +- cpufreq_us3_driver = driver; +- ret = cpufreq_register_driver(driver); +- if (ret) +- goto err_out; +- +- return 0; +- +-err_out: +- if (driver) { +- kfree(driver); +- cpufreq_us3_driver = NULL; +- } +- kfree(us3_freq_table); +- us3_freq_table = NULL; +- return ret; +- } ++ impl == PANTHER_IMPL)) ++ return cpufreq_register_driver(&cpufreq_us3_driver); + + return -ENODEV; + } + + static void __exit us3_freq_exit(void) + { +- if (cpufreq_us3_driver) { +- cpufreq_unregister_driver(cpufreq_us3_driver); +- kfree(cpufreq_us3_driver); +- cpufreq_us3_driver = NULL; +- kfree(us3_freq_table); +- us3_freq_table = NULL; +- } ++ cpufreq_unregister_driver(&cpufreq_us3_driver); + } + + MODULE_AUTHOR("David S. Miller "); +diff --git a/drivers/cpufreq/speedstep-centrino.c b/drivers/cpufreq/speedstep-centrino.c +index 4e1daca..e707b61 100644 +--- a/drivers/cpufreq/speedstep-centrino.c ++++ b/drivers/cpufreq/speedstep-centrino.c +@@ -351,8 +351,11 @@ static int centrino_cpu_init(struct cpufreq_policy *policy) + !cpu_has(cpu, X86_FEATURE_EST)) + return -ENODEV; + +- if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC)) +- centrino_driver.flags |= CPUFREQ_CONST_LOOPS; ++ if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC)) { ++ pax_open_kernel(); ++ *(u8 *)¢rino_driver.flags |= CPUFREQ_CONST_LOOPS; ++ pax_close_kernel(); ++ } + + if (policy->cpu != 0) + return -ENODEV; +diff --git a/drivers/cpuidle/driver.c b/drivers/cpuidle/driver.c +index 06dbe7c..c2c8671 100644 +--- a/drivers/cpuidle/driver.c ++++ b/drivers/cpuidle/driver.c +@@ -202,7 +202,7 @@ static int poll_idle(struct cpuidle_device *dev, + + static void poll_idle_init(struct cpuidle_driver *drv) + { +- struct cpuidle_state *state = &drv->states[0]; ++ cpuidle_state_no_const *state = &drv->states[0]; + + snprintf(state->name, CPUIDLE_NAME_LEN, "POLL"); + snprintf(state->desc, CPUIDLE_DESC_LEN, "CPUIDLE CORE POLL IDLE"); +diff --git a/drivers/cpuidle/governor.c b/drivers/cpuidle/governor.c +index ca89412..a7b9c49 100644 +--- a/drivers/cpuidle/governor.c ++++ b/drivers/cpuidle/governor.c +@@ -87,7 +87,7 @@ int cpuidle_register_governor(struct cpuidle_governor *gov) + mutex_lock(&cpuidle_lock); + if (__cpuidle_find_governor(gov->name) == NULL) { + ret = 0; +- list_add_tail(&gov->governor_list, &cpuidle_governors); ++ pax_list_add_tail((struct list_head *)&gov->governor_list, &cpuidle_governors); + if (!cpuidle_curr_governor || + cpuidle_curr_governor->rating < gov->rating) + cpuidle_switch_governor(gov); +diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c +index e918b6d..f87ea80 100644 +--- a/drivers/cpuidle/sysfs.c ++++ b/drivers/cpuidle/sysfs.c +@@ -135,7 +135,7 @@ static struct attribute *cpuidle_switch_attrs[] = { + NULL + }; + +-static struct attribute_group cpuidle_attr_group = { ++static attribute_group_no_const cpuidle_attr_group = { + .attrs = cpuidle_default_attrs, + .name = "cpuidle", + }; +diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c +index 12fea3e..1e28f47 100644 +--- a/drivers/crypto/hifn_795x.c ++++ b/drivers/crypto/hifn_795x.c +@@ -51,7 +51,7 @@ module_param_string(hifn_pll_ref, hifn_pll_ref, sizeof(hifn_pll_ref), 0444); + MODULE_PARM_DESC(hifn_pll_ref, + "PLL reference clock (pci[freq] or ext[freq], default ext)"); + +-static atomic_t hifn_dev_number; ++static atomic_unchecked_t hifn_dev_number; + + #define ACRYPTO_OP_DECRYPT 0 + #define ACRYPTO_OP_ENCRYPT 1 +@@ -2577,7 +2577,7 @@ static int hifn_probe(struct pci_dev *pdev, const struct pci_device_id *id) + goto err_out_disable_pci_device; + + snprintf(name, sizeof(name), "hifn%d", +- atomic_inc_return(&hifn_dev_number)-1); ++ atomic_inc_return_unchecked(&hifn_dev_number)-1); + + err = pci_request_regions(pdev, name); + if (err) +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index a0b2f7e..1b6f028 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -607,7 +607,7 @@ int devfreq_add_governor(struct devfreq_governor *governor) + goto err_out; + } + +- list_add(&governor->node, &devfreq_governor_list); ++ pax_list_add((struct list_head *)&governor->node, &devfreq_governor_list); + + list_for_each_entry(devfreq, &devfreq_list, node) { + int ret = 0; +@@ -695,7 +695,7 @@ int devfreq_remove_governor(struct devfreq_governor *governor) + } + } + +- list_del(&governor->node); ++ pax_list_del((struct list_head *)&governor->node); + err_out: + mutex_unlock(&devfreq_list_lock); + +diff --git a/drivers/dma/sh/shdmac.c b/drivers/dma/sh/shdmac.c +index 0d765c0..60b7480 100644 +--- a/drivers/dma/sh/shdmac.c ++++ b/drivers/dma/sh/shdmac.c +@@ -511,7 +511,7 @@ static int sh_dmae_nmi_handler(struct notifier_block *self, + return ret; + } + +-static struct notifier_block sh_dmae_nmi_notifier __read_mostly = { ++static struct notifier_block sh_dmae_nmi_notifier = { + .notifier_call = sh_dmae_nmi_handler, + + /* Run before NMI debug handler and KGDB */ +diff --git a/drivers/edac/edac_device.c b/drivers/edac/edac_device.c +index 592af5f..bb1d583 100644 +--- a/drivers/edac/edac_device.c ++++ b/drivers/edac/edac_device.c +@@ -477,9 +477,9 @@ void edac_device_reset_delay_period(struct edac_device_ctl_info *edac_dev, + */ + int edac_device_alloc_index(void) + { +- static atomic_t device_indexes = ATOMIC_INIT(0); ++ static atomic_unchecked_t device_indexes = ATOMIC_INIT(0); + +- return atomic_inc_return(&device_indexes) - 1; ++ return atomic_inc_return_unchecked(&device_indexes) - 1; + } + EXPORT_SYMBOL_GPL(edac_device_alloc_index); + +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index b335c6a..db65b44 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -152,7 +152,7 @@ static const char * const edac_caps[] = { + struct dev_ch_attribute { + struct device_attribute attr; + int channel; +-}; ++} __do_const; + + #define DEVICE_CHANNEL(_name, _mode, _show, _store, _var) \ + struct dev_ch_attribute dev_attr_legacy_##_name = \ +@@ -1009,14 +1009,16 @@ int edac_create_sysfs_mci_device(struct mem_ctl_info *mci) + } + + if (mci->set_sdram_scrub_rate || mci->get_sdram_scrub_rate) { ++ pax_open_kernel(); + if (mci->get_sdram_scrub_rate) { +- dev_attr_sdram_scrub_rate.attr.mode |= S_IRUGO; +- dev_attr_sdram_scrub_rate.show = &mci_sdram_scrub_rate_show; ++ *(umode_t *)&dev_attr_sdram_scrub_rate.attr.mode |= S_IRUGO; ++ *(void **)&dev_attr_sdram_scrub_rate.show = &mci_sdram_scrub_rate_show; + } + if (mci->set_sdram_scrub_rate) { +- dev_attr_sdram_scrub_rate.attr.mode |= S_IWUSR; +- dev_attr_sdram_scrub_rate.store = &mci_sdram_scrub_rate_store; ++ *(umode_t *)&dev_attr_sdram_scrub_rate.attr.mode |= S_IWUSR; ++ *(void **)&dev_attr_sdram_scrub_rate.store = &mci_sdram_scrub_rate_store; + } ++ pax_close_kernel(); + err = device_create_file(&mci->dev, + &dev_attr_sdram_scrub_rate); + if (err) { +diff --git a/drivers/edac/edac_pci.c b/drivers/edac/edac_pci.c +index 2cf44b4d..6dd2dc7 100644 +--- a/drivers/edac/edac_pci.c ++++ b/drivers/edac/edac_pci.c +@@ -29,7 +29,7 @@ + + static DEFINE_MUTEX(edac_pci_ctls_mutex); + static LIST_HEAD(edac_pci_list); +-static atomic_t pci_indexes = ATOMIC_INIT(0); ++static atomic_unchecked_t pci_indexes = ATOMIC_INIT(0); + + /* + * edac_pci_alloc_ctl_info +@@ -315,7 +315,7 @@ EXPORT_SYMBOL_GPL(edac_pci_reset_delay_period); + */ + int edac_pci_alloc_index(void) + { +- return atomic_inc_return(&pci_indexes) - 1; ++ return atomic_inc_return_unchecked(&pci_indexes) - 1; + } + EXPORT_SYMBOL_GPL(edac_pci_alloc_index); + +diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c +index e8658e4..22746d6 100644 +--- a/drivers/edac/edac_pci_sysfs.c ++++ b/drivers/edac/edac_pci_sysfs.c +@@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log PCI parity errors */ + static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */ + static int edac_pci_poll_msec = 1000; /* one second workq period */ + +-static atomic_t pci_parity_count = ATOMIC_INIT(0); +-static atomic_t pci_nonparity_count = ATOMIC_INIT(0); ++static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0); ++static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0); + + static struct kobject *edac_pci_top_main_kobj; + static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0); +@@ -235,7 +235,7 @@ struct edac_pci_dev_attribute { + void *value; + ssize_t(*show) (void *, char *); + ssize_t(*store) (void *, const char *, size_t); +-}; ++} __do_const; + + /* Set of show/store abstract level functions for PCI Parity object */ + static ssize_t edac_pci_dev_show(struct kobject *kobj, struct attribute *attr, +@@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) + edac_printk(KERN_CRIT, EDAC_PCI, + "Signaled System Error on %s\n", + pci_name(dev)); +- atomic_inc(&pci_nonparity_count); ++ atomic_inc_unchecked(&pci_nonparity_count); + } + + if (status & (PCI_STATUS_PARITY)) { +@@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) + "Master Data Parity Error on %s\n", + pci_name(dev)); + +- atomic_inc(&pci_parity_count); ++ atomic_inc_unchecked(&pci_parity_count); + } + + if (status & (PCI_STATUS_DETECTED_PARITY)) { +@@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) + "Detected Parity Error on %s\n", + pci_name(dev)); + +- atomic_inc(&pci_parity_count); ++ atomic_inc_unchecked(&pci_parity_count); + } + } + +@@ -618,7 +618,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) + edac_printk(KERN_CRIT, EDAC_PCI, "Bridge " + "Signaled System Error on %s\n", + pci_name(dev)); +- atomic_inc(&pci_nonparity_count); ++ atomic_inc_unchecked(&pci_nonparity_count); + } + + if (status & (PCI_STATUS_PARITY)) { +@@ -626,7 +626,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) + "Master Data Parity Error on " + "%s\n", pci_name(dev)); + +- atomic_inc(&pci_parity_count); ++ atomic_inc_unchecked(&pci_parity_count); + } + + if (status & (PCI_STATUS_DETECTED_PARITY)) { +@@ -634,7 +634,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) + "Detected Parity Error on %s\n", + pci_name(dev)); + +- atomic_inc(&pci_parity_count); ++ atomic_inc_unchecked(&pci_parity_count); + } + } + } +@@ -672,7 +672,7 @@ void edac_pci_do_parity_check(void) + if (!check_pci_errors) + return; + +- before_count = atomic_read(&pci_parity_count); ++ before_count = atomic_read_unchecked(&pci_parity_count); + + /* scan all PCI devices looking for a Parity Error on devices and + * bridges. +@@ -684,7 +684,7 @@ void edac_pci_do_parity_check(void) + /* Only if operator has selected panic on PCI Error */ + if (edac_pci_get_panic_on_pe()) { + /* If the count is different 'after' from 'before' */ +- if (before_count != atomic_read(&pci_parity_count)) ++ if (before_count != atomic_read_unchecked(&pci_parity_count)) + panic("EDAC: PCI Parity Error"); + } + } +diff --git a/drivers/edac/mce_amd.h b/drivers/edac/mce_amd.h +index 51b7e3a..aa8a3e8 100644 +--- a/drivers/edac/mce_amd.h ++++ b/drivers/edac/mce_amd.h +@@ -77,7 +77,7 @@ struct amd_decoder_ops { + bool (*mc0_mce)(u16, u8); + bool (*mc1_mce)(u16, u8); + bool (*mc2_mce)(u16, u8); +-}; ++} __no_const; + + void amd_report_gart_errors(bool); + void amd_register_ecc_decoder(void (*f)(int, struct mce *)); +diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c +index 57ea7f4..af06b76 100644 +--- a/drivers/firewire/core-card.c ++++ b/drivers/firewire/core-card.c +@@ -528,9 +528,9 @@ void fw_card_initialize(struct fw_card *card, + const struct fw_card_driver *driver, + struct device *device) + { +- static atomic_t index = ATOMIC_INIT(-1); ++ static atomic_unchecked_t index = ATOMIC_INIT(-1); + +- card->index = atomic_inc_return(&index); ++ card->index = atomic_inc_return_unchecked(&index); + card->driver = driver; + card->device = device; + card->current_tlabel = 0; +@@ -680,7 +680,7 @@ EXPORT_SYMBOL_GPL(fw_card_release); + + void fw_core_remove_card(struct fw_card *card) + { +- struct fw_card_driver dummy_driver = dummy_driver_template; ++ fw_card_driver_no_const dummy_driver = dummy_driver_template; + + card->driver->update_phy_reg(card, 4, + PHY_LINK_ACTIVE | PHY_CONTENDER, 0); +diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c +index 2c6d5e1..a2cca6b 100644 +--- a/drivers/firewire/core-device.c ++++ b/drivers/firewire/core-device.c +@@ -253,7 +253,7 @@ EXPORT_SYMBOL(fw_device_enable_phys_dma); + struct config_rom_attribute { + struct device_attribute attr; + u32 key; +-}; ++} __do_const; + + static ssize_t show_immediate(struct device *dev, + struct device_attribute *dattr, char *buf) +diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-transaction.c +index eb6935c..3cc2bfa 100644 +--- a/drivers/firewire/core-transaction.c ++++ b/drivers/firewire/core-transaction.c +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + + #include + +diff --git a/drivers/firewire/core.h b/drivers/firewire/core.h +index c98764a..551b520 100644 +--- a/drivers/firewire/core.h ++++ b/drivers/firewire/core.h +@@ -111,6 +111,7 @@ struct fw_card_driver { + + int (*stop_iso)(struct fw_iso_context *ctx); + }; ++typedef struct fw_card_driver __no_const fw_card_driver_no_const; + + void fw_card_initialize(struct fw_card *card, + const struct fw_card_driver *driver, struct device *device); +diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c +index 8db6632..9bbc8ca 100644 +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -2049,10 +2049,12 @@ static void bus_reset_work(struct work_struct *work) + be32_to_cpu(ohci->next_header)); + } + ++#ifndef CONFIG_GRKERNSEC + if (param_remote_dma) { + reg_write(ohci, OHCI1394_PhyReqFilterHiSet, ~0); + reg_write(ohci, OHCI1394_PhyReqFilterLoSet, ~0); + } ++#endif + + spin_unlock_irq(&ohci->lock); + +@@ -2584,8 +2586,10 @@ static int ohci_enable_phys_dma(struct fw_card *card, + unsigned long flags; + int n, ret = 0; + ++#ifndef CONFIG_GRKERNSEC + if (param_remote_dma) + return 0; ++#endif + + /* + * FIXME: Make sure this bitmask is cleared when we clear the busReset +diff --git a/drivers/firmware/dmi-id.c b/drivers/firmware/dmi-id.c +index 94a58a0..f5eba42 100644 +--- a/drivers/firmware/dmi-id.c ++++ b/drivers/firmware/dmi-id.c +@@ -16,7 +16,7 @@ + struct dmi_device_attribute{ + struct device_attribute dev_attr; + int field; +-}; ++} __do_const; + #define to_dmi_dev_attr(_dev_attr) \ + container_of(_dev_attr, struct dmi_device_attribute, dev_attr) + +diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c +index 17afc51..0ef90cd 100644 +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -835,7 +835,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), + if (buf == NULL) + return -1; + +- dmi_table(buf, dmi_len, dmi_num, decode, private_data); ++ dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data); + + dmi_unmap(buf); + return 0; +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index 1491dd4..aa910db 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -41,12 +41,12 @@ + */ + u64 cper_next_record_id(void) + { +- static atomic64_t seq; ++ static atomic64_unchecked_t seq; + +- if (!atomic64_read(&seq)) +- atomic64_set(&seq, ((u64)get_seconds()) << 32); ++ if (!atomic64_read_unchecked(&seq)) ++ atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32); + +- return atomic64_inc_return(&seq); ++ return atomic64_inc_return_unchecked(&seq); + } + EXPORT_SYMBOL_GPL(cper_next_record_id); + +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index 4753bac..02861a2 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -120,14 +120,16 @@ static struct attribute_group efi_subsys_attr_group = { + }; + + static struct efivars generic_efivars; +-static struct efivar_operations generic_ops; ++static efivar_operations_no_const generic_ops __read_only; + + static int generic_ops_register(void) + { +- generic_ops.get_variable = efi.get_variable; +- generic_ops.set_variable = efi.set_variable; +- generic_ops.get_next_variable = efi.get_next_variable; +- generic_ops.query_variable_store = efi_query_variable_store; ++ pax_open_kernel(); ++ *(void **)&generic_ops.get_variable = efi.get_variable; ++ *(void **)&generic_ops.set_variable = efi.set_variable; ++ *(void **)&generic_ops.get_next_variable = efi.get_next_variable; ++ *(void **)&generic_ops.query_variable_store = efi_query_variable_store; ++ pax_close_kernel(); + + return efivars_register(&generic_efivars, &generic_ops, efi_kobj); + } +diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c +index 3dc2482..7bd2f61 100644 +--- a/drivers/firmware/efi/efivars.c ++++ b/drivers/firmware/efi/efivars.c +@@ -456,7 +456,7 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var) + static int + create_efivars_bin_attributes(void) + { +- struct bin_attribute *attr; ++ bin_attribute_no_const *attr; + int error; + + /* new_var */ +diff --git a/drivers/firmware/google/memconsole.c b/drivers/firmware/google/memconsole.c +index 2a90ba6..07f3733 100644 +--- a/drivers/firmware/google/memconsole.c ++++ b/drivers/firmware/google/memconsole.c +@@ -147,7 +147,9 @@ static int __init memconsole_init(void) + if (!found_memconsole()) + return -ENODEV; + +- memconsole_bin_attr.size = memconsole_length; ++ pax_open_kernel(); ++ *(size_t *)&memconsole_bin_attr.size = memconsole_length; ++ pax_close_kernel(); + + ret = sysfs_create_bin_file(firmware_kobj, &memconsole_bin_attr); + +diff --git a/drivers/gpio/gpio-em.c b/drivers/gpio/gpio-em.c +index 1e98a98..b444372 100644 +--- a/drivers/gpio/gpio-em.c ++++ b/drivers/gpio/gpio-em.c +@@ -278,7 +278,7 @@ static int em_gio_probe(struct platform_device *pdev) + struct em_gio_priv *p; + struct resource *io[2], *irq[2]; + struct gpio_chip *gpio_chip; +- struct irq_chip *irq_chip; ++ irq_chip_no_const *irq_chip; + const char *name = dev_name(&pdev->dev); + int ret; + +diff --git a/drivers/gpio/gpio-ich.c b/drivers/gpio/gpio-ich.c +index f5bf3c3..7baaa59 100644 +--- a/drivers/gpio/gpio-ich.c ++++ b/drivers/gpio/gpio-ich.c +@@ -71,7 +71,7 @@ struct ichx_desc { + /* Some chipsets have quirks, let these use their own request/get */ + int (*request)(struct gpio_chip *chip, unsigned offset); + int (*get)(struct gpio_chip *chip, unsigned offset); +-}; ++} __do_const; + + static struct { + spinlock_t lock; +diff --git a/drivers/gpio/gpio-rcar.c b/drivers/gpio/gpio-rcar.c +index ca76ce7..68b384b 100644 +--- a/drivers/gpio/gpio-rcar.c ++++ b/drivers/gpio/gpio-rcar.c +@@ -355,7 +355,7 @@ static int gpio_rcar_probe(struct platform_device *pdev) + struct gpio_rcar_priv *p; + struct resource *io, *irq; + struct gpio_chip *gpio_chip; +- struct irq_chip *irq_chip; ++ irq_chip_no_const *irq_chip; + const char *name = dev_name(&pdev->dev); + int ret; + +diff --git a/drivers/gpio/gpio-vr41xx.c b/drivers/gpio/gpio-vr41xx.c +index 9902732..64b62dd 100644 +--- a/drivers/gpio/gpio-vr41xx.c ++++ b/drivers/gpio/gpio-vr41xx.c +@@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq) + printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n", + maskl, pendl, maskh, pendh); + +- atomic_inc(&irq_err_count); ++ atomic_inc_unchecked(&irq_err_count); + + return -EINVAL; + } +diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c +index 3b7d32d..05c2f74 100644 +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -3123,7 +3123,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, + goto done; + } + +- if (copy_to_user(&enum_ptr[copied].name, ++ if (copy_to_user(enum_ptr[copied].name, + &prop_enum->name, DRM_PROP_NAME_LEN)) { + ret = -EFAULT; + goto done; +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index 345be03..158368d 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -233,7 +233,7 @@ module_exit(drm_core_exit); + /** + * Copy and IOCTL return string to user space + */ +-static int drm_copy_field(char *buf, size_t *buf_len, const char *value) ++static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value) + { + int len; + +@@ -303,7 +303,7 @@ long drm_ioctl(struct file *filp, + struct drm_file *file_priv = filp->private_data; + struct drm_device *dev; + const struct drm_ioctl_desc *ioctl = NULL; +- drm_ioctl_t *func; ++ drm_ioctl_no_const_t func; + unsigned int nr = DRM_IOCTL_NR(cmd); + int retcode = -EINVAL; + char stack_kdata[128]; +diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c +index 7f2af9a..1561914 100644 +--- a/drivers/gpu/drm/drm_fops.c ++++ b/drivers/gpu/drm/drm_fops.c +@@ -97,7 +97,7 @@ int drm_open(struct inode *inode, struct file *filp) + if (drm_device_is_unplugged(dev)) + return -ENODEV; + +- if (!dev->open_count++) ++ if (local_inc_return(&dev->open_count) == 1) + need_setup = 1; + mutex_lock(&dev->struct_mutex); + old_imapping = inode->i_mapping; +@@ -127,7 +127,7 @@ err_undo: + iput(container_of(dev->dev_mapping, struct inode, i_data)); + dev->dev_mapping = old_mapping; + mutex_unlock(&dev->struct_mutex); +- dev->open_count--; ++ local_dec(&dev->open_count); + return retcode; + } + EXPORT_SYMBOL(drm_open); +@@ -463,7 +463,7 @@ int drm_release(struct inode *inode, struct file *filp) + + mutex_lock(&drm_global_mutex); + +- DRM_DEBUG("open_count = %d\n", dev->open_count); ++ DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count)); + + if (dev->driver->preclose) + dev->driver->preclose(dev, file_priv); +@@ -472,10 +472,10 @@ int drm_release(struct inode *inode, struct file *filp) + * Begin inline drm_release + */ + +- DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n", ++ DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %ld\n", + task_pid_nr(current), + (long)old_encode_dev(file_priv->minor->device), +- dev->open_count); ++ local_read(&dev->open_count)); + + /* Release any auth tokens that might point to this file_priv, + (do that under the drm_global_mutex) */ +@@ -573,7 +573,7 @@ int drm_release(struct inode *inode, struct file *filp) + * End inline drm_release + */ + +- if (!--dev->open_count) { ++ if (local_dec_and_test(&dev->open_count)) { + retcode = drm_lastclose(dev); + if (drm_device_is_unplugged(dev)) + drm_put_dev(dev); +diff --git a/drivers/gpu/drm/drm_global.c b/drivers/gpu/drm/drm_global.c +index 3d2e91c..d31c4c9 100644 +--- a/drivers/gpu/drm/drm_global.c ++++ b/drivers/gpu/drm/drm_global.c +@@ -36,7 +36,7 @@ + struct drm_global_item { + struct mutex mutex; + void *object; +- int refcount; ++ atomic_t refcount; + }; + + static struct drm_global_item glob[DRM_GLOBAL_NUM]; +@@ -49,7 +49,7 @@ void drm_global_init(void) + struct drm_global_item *item = &glob[i]; + mutex_init(&item->mutex); + item->object = NULL; +- item->refcount = 0; ++ atomic_set(&item->refcount, 0); + } + } + +@@ -59,7 +59,7 @@ void drm_global_release(void) + for (i = 0; i < DRM_GLOBAL_NUM; ++i) { + struct drm_global_item *item = &glob[i]; + BUG_ON(item->object != NULL); +- BUG_ON(item->refcount != 0); ++ BUG_ON(atomic_read(&item->refcount) != 0); + } + } + +@@ -69,7 +69,7 @@ int drm_global_item_ref(struct drm_global_reference *ref) + struct drm_global_item *item = &glob[ref->global_type]; + + mutex_lock(&item->mutex); +- if (item->refcount == 0) { ++ if (atomic_read(&item->refcount) == 0) { + item->object = kzalloc(ref->size, GFP_KERNEL); + if (unlikely(item->object == NULL)) { + ret = -ENOMEM; +@@ -82,7 +82,7 @@ int drm_global_item_ref(struct drm_global_reference *ref) + goto out_err; + + } +- ++item->refcount; ++ atomic_inc(&item->refcount); + ref->object = item->object; + mutex_unlock(&item->mutex); + return 0; +@@ -98,9 +98,9 @@ void drm_global_item_unref(struct drm_global_reference *ref) + struct drm_global_item *item = &glob[ref->global_type]; + + mutex_lock(&item->mutex); +- BUG_ON(item->refcount == 0); ++ BUG_ON(atomic_read(&item->refcount) == 0); + BUG_ON(ref->object != item->object); +- if (--item->refcount == 0) { ++ if (atomic_dec_and_test(&item->refcount)) { + ref->release(ref); + item->object = NULL; + } +diff --git a/drivers/gpu/drm/drm_info.c b/drivers/gpu/drm/drm_info.c +index 7473035..a48b9c5 100644 +--- a/drivers/gpu/drm/drm_info.c ++++ b/drivers/gpu/drm/drm_info.c +@@ -75,10 +75,13 @@ int drm_vm_info(struct seq_file *m, void *data) + struct drm_local_map *map; + struct drm_map_list *r_list; + +- /* Hardcoded from _DRM_FRAME_BUFFER, +- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and +- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */ +- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" }; ++ static const char * const types[] = { ++ [_DRM_FRAME_BUFFER] = "FB", ++ [_DRM_REGISTERS] = "REG", ++ [_DRM_SHM] = "SHM", ++ [_DRM_AGP] = "AGP", ++ [_DRM_SCATTER_GATHER] = "SG", ++ [_DRM_CONSISTENT] = "PCI"}; + const char *type; + int i; + +@@ -89,7 +92,7 @@ int drm_vm_info(struct seq_file *m, void *data) + map = r_list->map; + if (!map) + continue; +- if (map->type < 0 || map->type > 5) ++ if (map->type >= ARRAY_SIZE(types)) + type = "??"; + else + type = types[map->type]; +@@ -261,7 +264,11 @@ int drm_vma_info(struct seq_file *m, void *data) + vma->vm_flags & VM_MAYSHARE ? 's' : 'p', + vma->vm_flags & VM_LOCKED ? 'l' : '-', + vma->vm_flags & VM_IO ? 'i' : '-', ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ 0); ++#else + vma->vm_pgoff); ++#endif + + #if defined(__i386__) + pgprot = pgprot_val(vma->vm_page_prot); +diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c +index 2f4c4343..dd12cd2 100644 +--- a/drivers/gpu/drm/drm_ioc32.c ++++ b/drivers/gpu/drm/drm_ioc32.c +@@ -457,7 +457,7 @@ static int compat_drm_infobufs(struct file *file, unsigned int cmd, + request = compat_alloc_user_space(nbytes); + if (!access_ok(VERIFY_WRITE, request, nbytes)) + return -EFAULT; +- list = (struct drm_buf_desc *) (request + 1); ++ list = (struct drm_buf_desc __user *) (request + 1); + + if (__put_user(count, &request->count) + || __put_user(list, &request->list)) +@@ -518,7 +518,7 @@ static int compat_drm_mapbufs(struct file *file, unsigned int cmd, + request = compat_alloc_user_space(nbytes); + if (!access_ok(VERIFY_WRITE, request, nbytes)) + return -EFAULT; +- list = (struct drm_buf_pub *) (request + 1); ++ list = (struct drm_buf_pub __user *) (request + 1); + + if (__put_user(count, &request->count) + || __put_user(list, &request->list)) +@@ -1016,7 +1016,7 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd, + return 0; + } + +-drm_ioctl_compat_t *drm_compat_ioctls[] = { ++drm_ioctl_compat_t drm_compat_ioctls[] = { + [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version, + [DRM_IOCTL_NR(DRM_IOCTL_GET_UNIQUE32)] = compat_drm_getunique, + [DRM_IOCTL_NR(DRM_IOCTL_GET_MAP32)] = compat_drm_getmap, +@@ -1062,7 +1062,6 @@ drm_ioctl_compat_t *drm_compat_ioctls[] = { + long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + { + unsigned int nr = DRM_IOCTL_NR(cmd); +- drm_ioctl_compat_t *fn; + int ret; + + /* Assume that ioctls without an explicit compat routine will just +@@ -1072,10 +1071,8 @@ long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + if (nr >= ARRAY_SIZE(drm_compat_ioctls)) + return drm_ioctl(filp, cmd, arg); + +- fn = drm_compat_ioctls[nr]; +- +- if (fn != NULL) +- ret = (*fn) (filp, cmd, arg); ++ if (drm_compat_ioctls[nr] != NULL) ++ ret = (*drm_compat_ioctls[nr]) (filp, cmd, arg); + else + ret = drm_ioctl(filp, cmd, arg); + +diff --git a/drivers/gpu/drm/drm_stub.c b/drivers/gpu/drm/drm_stub.c +index 98a33c580..8fd1c2b 100644 +--- a/drivers/gpu/drm/drm_stub.c ++++ b/drivers/gpu/drm/drm_stub.c +@@ -409,7 +409,7 @@ void drm_unplug_dev(struct drm_device *dev) + + drm_device_set_unplugged(dev); + +- if (dev->open_count == 0) { ++ if (local_read(&dev->open_count) == 0) { + drm_put_dev(dev); + } + mutex_unlock(&drm_global_mutex); +diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c +index c22c309..ae758c3 100644 +--- a/drivers/gpu/drm/drm_sysfs.c ++++ b/drivers/gpu/drm/drm_sysfs.c +@@ -505,7 +505,7 @@ static void drm_sysfs_release(struct device *dev) + */ + int drm_sysfs_device_add(struct drm_minor *minor) + { +- char *minor_str; ++ const char *minor_str; + int r; + + if (minor->type == DRM_MINOR_CONTROL) +diff --git a/drivers/gpu/drm/i810/i810_drv.h b/drivers/gpu/drm/i810/i810_drv.h +index d4d16ed..8fb0b51 100644 +--- a/drivers/gpu/drm/i810/i810_drv.h ++++ b/drivers/gpu/drm/i810/i810_drv.h +@@ -108,8 +108,8 @@ typedef struct drm_i810_private { + int page_flipping; + + wait_queue_head_t irq_queue; +- atomic_t irq_received; +- atomic_t irq_emitted; ++ atomic_unchecked_t irq_received; ++ atomic_unchecked_t irq_emitted; + + int front_offset; + } drm_i810_private_t; +diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c +index b2b46c5..feb9fe7 100644 +--- a/drivers/gpu/drm/i915/i915_debugfs.c ++++ b/drivers/gpu/drm/i915/i915_debugfs.c +@@ -713,7 +713,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) + I915_READ(GTIMR)); + } + seq_printf(m, "Interrupts received: %d\n", +- atomic_read(&dev_priv->irq_received)); ++ atomic_read_unchecked(&dev_priv->irq_received)); + for_each_ring(ring, dev_priv, i) { + if (INTEL_INFO(dev)->gen >= 6) { + seq_printf(m, +diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c +index 15a74f9..4278889 100644 +--- a/drivers/gpu/drm/i915/i915_dma.c ++++ b/drivers/gpu/drm/i915/i915_dma.c +@@ -1273,7 +1273,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev) + bool can_switch; + + spin_lock(&dev->count_lock); +- can_switch = (dev->open_count == 0); ++ can_switch = (local_read(&dev->open_count) == 0); + spin_unlock(&dev->count_lock); + return can_switch; + } +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index df77e20..d3fda9f 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -1361,7 +1361,7 @@ typedef struct drm_i915_private { + drm_dma_handle_t *status_page_dmah; + struct resource mch_res; + +- atomic_t irq_received; ++ atomic_unchecked_t irq_received; + + /* protects the irq masks */ + spinlock_t irq_lock; +diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +index d269ecf..6d857bc 100644 +--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +@@ -860,9 +860,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) + + static int + validate_exec_list(struct drm_i915_gem_exec_object2 *exec, +- int count) ++ unsigned int count) + { +- int i; ++ unsigned int i; + unsigned relocs_total = 0; + unsigned relocs_max = UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry); + +diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c +index 3c59584..500f2e9 100644 +--- a/drivers/gpu/drm/i915/i915_ioc32.c ++++ b/drivers/gpu/drm/i915/i915_ioc32.c +@@ -181,7 +181,7 @@ static int compat_i915_alloc(struct file *file, unsigned int cmd, + (unsigned long)request); + } + +-static drm_ioctl_compat_t *i915_compat_ioctls[] = { ++static drm_ioctl_compat_t i915_compat_ioctls[] = { + [DRM_I915_BATCHBUFFER] = compat_i915_batchbuffer, + [DRM_I915_CMDBUFFER] = compat_i915_cmdbuffer, + [DRM_I915_GETPARAM] = compat_i915_getparam, +@@ -202,18 +202,15 @@ static drm_ioctl_compat_t *i915_compat_ioctls[] = { + long i915_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + { + unsigned int nr = DRM_IOCTL_NR(cmd); +- drm_ioctl_compat_t *fn = NULL; + int ret; + + if (nr < DRM_COMMAND_BASE) + return drm_compat_ioctl(filp, cmd, arg); + +- if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(i915_compat_ioctls)) +- fn = i915_compat_ioctls[nr - DRM_COMMAND_BASE]; +- +- if (fn != NULL) ++ if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(i915_compat_ioctls)) { ++ drm_ioctl_compat_t fn = i915_compat_ioctls[nr - DRM_COMMAND_BASE]; + ret = (*fn) (filp, cmd, arg); +- else ++ } else + ret = drm_ioctl(filp, cmd, arg); + + return ret; +diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c +index d554169..f4426bb 100644 +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -1438,7 +1438,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) + int pipe; + u32 pipe_stats[I915_MAX_PIPES]; + +- atomic_inc(&dev_priv->irq_received); ++ atomic_inc_unchecked(&dev_priv->irq_received); + + while (true) { + iir = I915_READ(VLV_IIR); +@@ -1751,7 +1751,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) + u32 de_iir, gt_iir, de_ier, sde_ier = 0; + irqreturn_t ret = IRQ_NONE; + +- atomic_inc(&dev_priv->irq_received); ++ atomic_inc_unchecked(&dev_priv->irq_received); + + /* We get interrupts on unclaimed registers, so check for this before we + * do any I915_{READ,WRITE}. */ +@@ -1821,7 +1821,7 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg) + uint32_t tmp = 0; + enum pipe pipe; + +- atomic_inc(&dev_priv->irq_received); ++ atomic_inc_unchecked(&dev_priv->irq_received); + + master_ctl = I915_READ(GEN8_MASTER_IRQ); + master_ctl &= ~GEN8_MASTER_IRQ_CONTROL; +@@ -2645,7 +2645,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) + { + drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; + +- atomic_set(&dev_priv->irq_received, 0); ++ atomic_set_unchecked(&dev_priv->irq_received, 0); + + I915_WRITE(HWSTAM, 0xeffe); + +@@ -2663,7 +2663,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) + drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; + int pipe; + +- atomic_set(&dev_priv->irq_received, 0); ++ atomic_set_unchecked(&dev_priv->irq_received, 0); + + /* VLV magic */ + I915_WRITE(VLV_IMR, 0); +@@ -2694,7 +2694,7 @@ static void gen8_irq_preinstall(struct drm_device *dev) + struct drm_i915_private *dev_priv = dev->dev_private; + int pipe; + +- atomic_set(&dev_priv->irq_received, 0); ++ atomic_set_unchecked(&dev_priv->irq_received, 0); + + I915_WRITE(GEN8_MASTER_IRQ, 0); + POSTING_READ(GEN8_MASTER_IRQ); +@@ -3018,7 +3018,7 @@ static void gen8_irq_uninstall(struct drm_device *dev) + if (!dev_priv) + return; + +- atomic_set(&dev_priv->irq_received, 0); ++ atomic_set_unchecked(&dev_priv->irq_received, 0); + + I915_WRITE(GEN8_MASTER_IRQ, 0); + +@@ -3112,7 +3112,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) + drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; + int pipe; + +- atomic_set(&dev_priv->irq_received, 0); ++ atomic_set_unchecked(&dev_priv->irq_received, 0); + + for_each_pipe(pipe) + I915_WRITE(PIPESTAT(pipe), 0); +@@ -3198,7 +3198,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) + I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | + I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; + +- atomic_inc(&dev_priv->irq_received); ++ atomic_inc_unchecked(&dev_priv->irq_received); + + iir = I915_READ16(IIR); + if (iir == 0) +@@ -3277,7 +3277,7 @@ static void i915_irq_preinstall(struct drm_device * dev) + drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; + int pipe; + +- atomic_set(&dev_priv->irq_received, 0); ++ atomic_set_unchecked(&dev_priv->irq_received, 0); + + if (I915_HAS_HOTPLUG(dev)) { + I915_WRITE(PORT_HOTPLUG_EN, 0); +@@ -3384,7 +3384,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) + I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; + int pipe, ret = IRQ_NONE; + +- atomic_inc(&dev_priv->irq_received); ++ atomic_inc_unchecked(&dev_priv->irq_received); + + iir = I915_READ(IIR); + do { +@@ -3511,7 +3511,7 @@ static void i965_irq_preinstall(struct drm_device * dev) + drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; + int pipe; + +- atomic_set(&dev_priv->irq_received, 0); ++ atomic_set_unchecked(&dev_priv->irq_received, 0); + + I915_WRITE(PORT_HOTPLUG_EN, 0); + I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT)); +@@ -3627,7 +3627,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) + I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | + I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; + +- atomic_inc(&dev_priv->irq_received); ++ atomic_inc_unchecked(&dev_priv->irq_received); + + iir = I915_READ(IIR); + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 9b8a7c7..60f6003 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -10776,13 +10776,13 @@ struct intel_quirk { + int subsystem_vendor; + int subsystem_device; + void (*hook)(struct drm_device *dev); +-}; ++} __do_const; + + /* For systems that don't have a meaningful PCI subdevice/subvendor ID */ + struct intel_dmi_quirk { + void (*hook)(struct drm_device *dev); + const struct dmi_system_id (*dmi_id_list)[]; +-}; ++} __do_const; + + static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) + { +@@ -10790,18 +10790,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) + return 1; + } + +-static const struct intel_dmi_quirk intel_dmi_quirks[] = { ++static const struct dmi_system_id intel_dmi_quirks_table[] = { + { +- .dmi_id_list = &(const struct dmi_system_id[]) { +- { +- .callback = intel_dmi_reverse_brightness, +- .ident = "NCR Corporation", +- .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"), +- DMI_MATCH(DMI_PRODUCT_NAME, ""), +- }, +- }, +- { } /* terminating entry */ ++ .callback = intel_dmi_reverse_brightness, ++ .ident = "NCR Corporation", ++ .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, ""), + }, ++ }, ++ { } /* terminating entry */ ++}; ++ ++static const struct intel_dmi_quirk intel_dmi_quirks[] = { ++ { ++ .dmi_id_list = &intel_dmi_quirks_table, + .hook = quirk_invert_brightness, + }, + }; +diff --git a/drivers/gpu/drm/mga/mga_drv.h b/drivers/gpu/drm/mga/mga_drv.h +index fe45321..836fdca 100644 +--- a/drivers/gpu/drm/mga/mga_drv.h ++++ b/drivers/gpu/drm/mga/mga_drv.h +@@ -120,9 +120,9 @@ typedef struct drm_mga_private { + u32 clear_cmd; + u32 maccess; + +- atomic_t vbl_received; /**< Number of vblanks received. */ ++ atomic_unchecked_t vbl_received; /**< Number of vblanks received. */ + wait_queue_head_t fence_queue; +- atomic_t last_fence_retired; ++ atomic_unchecked_t last_fence_retired; + u32 next_fence_to_post; + + unsigned int fb_cpp; +diff --git a/drivers/gpu/drm/mga/mga_ioc32.c b/drivers/gpu/drm/mga/mga_ioc32.c +index 86b4bb8..ae237ad 100644 +--- a/drivers/gpu/drm/mga/mga_ioc32.c ++++ b/drivers/gpu/drm/mga/mga_ioc32.c +@@ -190,7 +190,7 @@ static int compat_mga_dma_bootstrap(struct file *file, unsigned int cmd, + return 0; + } + +-drm_ioctl_compat_t *mga_compat_ioctls[] = { ++drm_ioctl_compat_t mga_compat_ioctls[] = { + [DRM_MGA_INIT] = compat_mga_init, + [DRM_MGA_GETPARAM] = compat_mga_getparam, + [DRM_MGA_DMA_BOOTSTRAP] = compat_mga_dma_bootstrap, +@@ -208,18 +208,15 @@ drm_ioctl_compat_t *mga_compat_ioctls[] = { + long mga_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + { + unsigned int nr = DRM_IOCTL_NR(cmd); +- drm_ioctl_compat_t *fn = NULL; + int ret; + + if (nr < DRM_COMMAND_BASE) + return drm_compat_ioctl(filp, cmd, arg); + +- if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(mga_compat_ioctls)) +- fn = mga_compat_ioctls[nr - DRM_COMMAND_BASE]; +- +- if (fn != NULL) ++ if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(mga_compat_ioctls)) { ++ drm_ioctl_compat_t fn = mga_compat_ioctls[nr - DRM_COMMAND_BASE]; + ret = (*fn) (filp, cmd, arg); +- else ++ } else + ret = drm_ioctl(filp, cmd, arg); + + return ret; +diff --git a/drivers/gpu/drm/mga/mga_irq.c b/drivers/gpu/drm/mga/mga_irq.c +index 1b071b8..de8601a 100644 +--- a/drivers/gpu/drm/mga/mga_irq.c ++++ b/drivers/gpu/drm/mga/mga_irq.c +@@ -43,7 +43,7 @@ u32 mga_get_vblank_counter(struct drm_device *dev, int crtc) + if (crtc != 0) + return 0; + +- return atomic_read(&dev_priv->vbl_received); ++ return atomic_read_unchecked(&dev_priv->vbl_received); + } + + +@@ -59,7 +59,7 @@ irqreturn_t mga_driver_irq_handler(int irq, void *arg) + /* VBLANK interrupt */ + if (status & MGA_VLINEPEN) { + MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR); +- atomic_inc(&dev_priv->vbl_received); ++ atomic_inc_unchecked(&dev_priv->vbl_received); + drm_handle_vblank(dev, 0); + handled = 1; + } +@@ -78,7 +78,7 @@ irqreturn_t mga_driver_irq_handler(int irq, void *arg) + if ((prim_start & ~0x03) != (prim_end & ~0x03)) + MGA_WRITE(MGA_PRIMEND, prim_end); + +- atomic_inc(&dev_priv->last_fence_retired); ++ atomic_inc_unchecked(&dev_priv->last_fence_retired); + wake_up(&dev_priv->fence_queue); + handled = 1; + } +@@ -129,7 +129,7 @@ int mga_driver_fence_wait(struct drm_device *dev, unsigned int *sequence) + * using fences. + */ + DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * HZ, +- (((cur_fence = atomic_read(&dev_priv->last_fence_retired)) ++ (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired)) + - *sequence) <= (1 << 23))); + + *sequence = cur_fence; +diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c +index 4c3feaa..26391ce 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_bios.c ++++ b/drivers/gpu/drm/nouveau/nouveau_bios.c +@@ -965,7 +965,7 @@ static int parse_bit_tmds_tbl_entry(struct drm_device *dev, struct nvbios *bios, + struct bit_table { + const char id; + int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *); +-}; ++} __no_const; + + #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry }) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.h b/drivers/gpu/drm/nouveau/nouveau_drm.h +index 23ca7a5..b6c955d 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.h ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.h +@@ -97,7 +97,6 @@ struct nouveau_drm { + struct drm_global_reference mem_global_ref; + struct ttm_bo_global_ref bo_global_ref; + struct ttm_bo_device bdev; +- atomic_t validate_sequence; + int (*move)(struct nouveau_channel *, + struct ttm_buffer_object *, + struct ttm_mem_reg *, struct ttm_mem_reg *); +diff --git a/drivers/gpu/drm/nouveau/nouveau_ioc32.c b/drivers/gpu/drm/nouveau/nouveau_ioc32.c +index c1a7e5a..38b8539 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_ioc32.c ++++ b/drivers/gpu/drm/nouveau/nouveau_ioc32.c +@@ -50,7 +50,7 @@ long nouveau_compat_ioctl(struct file *filp, unsigned int cmd, + unsigned long arg) + { + unsigned int nr = DRM_IOCTL_NR(cmd); +- drm_ioctl_compat_t *fn = NULL; ++ drm_ioctl_compat_t fn = NULL; + int ret; + + if (nr < DRM_COMMAND_BASE) +diff --git a/drivers/gpu/drm/nouveau/nouveau_ttm.c b/drivers/gpu/drm/nouveau/nouveau_ttm.c +index d45d50d..72a5dd2 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_ttm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_ttm.c +@@ -130,11 +130,11 @@ nouveau_vram_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) + } + + const struct ttm_mem_type_manager_func nouveau_vram_manager = { +- nouveau_vram_manager_init, +- nouveau_vram_manager_fini, +- nouveau_vram_manager_new, +- nouveau_vram_manager_del, +- nouveau_vram_manager_debug ++ .init = nouveau_vram_manager_init, ++ .takedown = nouveau_vram_manager_fini, ++ .get_node = nouveau_vram_manager_new, ++ .put_node = nouveau_vram_manager_del, ++ .debug = nouveau_vram_manager_debug + }; + + static int +@@ -199,11 +199,11 @@ nouveau_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) + } + + const struct ttm_mem_type_manager_func nouveau_gart_manager = { +- nouveau_gart_manager_init, +- nouveau_gart_manager_fini, +- nouveau_gart_manager_new, +- nouveau_gart_manager_del, +- nouveau_gart_manager_debug ++ .init = nouveau_gart_manager_init, ++ .takedown = nouveau_gart_manager_fini, ++ .get_node = nouveau_gart_manager_new, ++ .put_node = nouveau_gart_manager_del, ++ .debug = nouveau_gart_manager_debug + }; + + #include +@@ -271,11 +271,11 @@ nv04_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) + } + + const struct ttm_mem_type_manager_func nv04_gart_manager = { +- nv04_gart_manager_init, +- nv04_gart_manager_fini, +- nv04_gart_manager_new, +- nv04_gart_manager_del, +- nv04_gart_manager_debug ++ .init = nv04_gart_manager_init, ++ .takedown = nv04_gart_manager_fini, ++ .get_node = nv04_gart_manager_new, ++ .put_node = nv04_gart_manager_del, ++ .debug = nv04_gart_manager_debug + }; + + int +diff --git a/drivers/gpu/drm/nouveau/nouveau_vga.c b/drivers/gpu/drm/nouveau/nouveau_vga.c +index 471347e..5adc6b9 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_vga.c ++++ b/drivers/gpu/drm/nouveau/nouveau_vga.c +@@ -67,7 +67,7 @@ nouveau_switcheroo_can_switch(struct pci_dev *pdev) + bool can_switch; + + spin_lock(&dev->count_lock); +- can_switch = (dev->open_count == 0); ++ can_switch = (local_read(&dev->open_count) == 0); + spin_unlock(&dev->count_lock); + return can_switch; + } +diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c +index eb89653..613cf71 100644 +--- a/drivers/gpu/drm/qxl/qxl_cmd.c ++++ b/drivers/gpu/drm/qxl/qxl_cmd.c +@@ -285,27 +285,27 @@ static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port, + int ret; + + mutex_lock(&qdev->async_io_mutex); +- irq_num = atomic_read(&qdev->irq_received_io_cmd); ++ irq_num = atomic_read_unchecked(&qdev->irq_received_io_cmd); + if (qdev->last_sent_io_cmd > irq_num) { + if (intr) + ret = wait_event_interruptible_timeout(qdev->io_cmd_event, +- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); + else + ret = wait_event_timeout(qdev->io_cmd_event, +- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); + /* 0 is timeout, just bail the "hw" has gone away */ + if (ret <= 0) + goto out; +- irq_num = atomic_read(&qdev->irq_received_io_cmd); ++ irq_num = atomic_read_unchecked(&qdev->irq_received_io_cmd); + } + outb(val, addr); + qdev->last_sent_io_cmd = irq_num + 1; + if (intr) + ret = wait_event_interruptible_timeout(qdev->io_cmd_event, +- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); + else + ret = wait_event_timeout(qdev->io_cmd_event, +- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); + out: + if (ret > 0) + ret = 0; +diff --git a/drivers/gpu/drm/qxl/qxl_debugfs.c b/drivers/gpu/drm/qxl/qxl_debugfs.c +index c3c2bbd..bc3c0fb 100644 +--- a/drivers/gpu/drm/qxl/qxl_debugfs.c ++++ b/drivers/gpu/drm/qxl/qxl_debugfs.c +@@ -42,10 +42,10 @@ qxl_debugfs_irq_received(struct seq_file *m, void *data) + struct drm_info_node *node = (struct drm_info_node *) m->private; + struct qxl_device *qdev = node->minor->dev->dev_private; + +- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received)); +- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_display)); +- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_cursor)); +- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_io_cmd)); ++ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received)); ++ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_display)); ++ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_cursor)); ++ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_io_cmd)); + seq_printf(m, "%d\n", qdev->irq_received_error); + return 0; + } +diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h +index 36ed40b..0397633 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -290,10 +290,10 @@ struct qxl_device { + unsigned int last_sent_io_cmd; + + /* interrupt handling */ +- atomic_t irq_received; +- atomic_t irq_received_display; +- atomic_t irq_received_cursor; +- atomic_t irq_received_io_cmd; ++ atomic_unchecked_t irq_received; ++ atomic_unchecked_t irq_received_display; ++ atomic_unchecked_t irq_received_cursor; ++ atomic_unchecked_t irq_received_io_cmd; + unsigned irq_received_error; + wait_queue_head_t display_event; + wait_queue_head_t cursor_event; +diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c +index 0bb86e6..d41416d 100644 +--- a/drivers/gpu/drm/qxl/qxl_ioctl.c ++++ b/drivers/gpu/drm/qxl/qxl_ioctl.c +@@ -181,7 +181,7 @@ static int qxl_process_single_command(struct qxl_device *qdev, + + /* TODO copy slow path code from i915 */ + fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE)); +- unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void *)(unsigned long)cmd->command, cmd->command_size); ++ unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void __force_user *)(unsigned long)cmd->command, cmd->command_size); + + { + struct qxl_drawable *draw = fb_cmd; +@@ -201,7 +201,7 @@ static int qxl_process_single_command(struct qxl_device *qdev, + struct drm_qxl_reloc reloc; + + if (copy_from_user(&reloc, +- &((struct drm_qxl_reloc *)(uintptr_t)cmd->relocs)[i], ++ &((struct drm_qxl_reloc __force_user *)(uintptr_t)cmd->relocs)[i], + sizeof(reloc))) { + ret = -EFAULT; + goto out_free_bos; +@@ -294,10 +294,10 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, + + for (cmd_num = 0; cmd_num < execbuffer->commands_num; ++cmd_num) { + +- struct drm_qxl_command *commands = +- (struct drm_qxl_command *)(uintptr_t)execbuffer->commands; ++ struct drm_qxl_command __user *commands = ++ (struct drm_qxl_command __user *)(uintptr_t)execbuffer->commands; + +- if (copy_from_user(&user_cmd, &commands[cmd_num], ++ if (copy_from_user(&user_cmd, (struct drm_qxl_command __force_user *)&commands[cmd_num], + sizeof(user_cmd))) + return -EFAULT; + +diff --git a/drivers/gpu/drm/qxl/qxl_irq.c b/drivers/gpu/drm/qxl/qxl_irq.c +index 28f84b4..fb3e224 100644 +--- a/drivers/gpu/drm/qxl/qxl_irq.c ++++ b/drivers/gpu/drm/qxl/qxl_irq.c +@@ -33,19 +33,19 @@ irqreturn_t qxl_irq_handler(int irq, void *arg) + + pending = xchg(&qdev->ram_header->int_pending, 0); + +- atomic_inc(&qdev->irq_received); ++ atomic_inc_unchecked(&qdev->irq_received); + + if (pending & QXL_INTERRUPT_DISPLAY) { +- atomic_inc(&qdev->irq_received_display); ++ atomic_inc_unchecked(&qdev->irq_received_display); + wake_up_all(&qdev->display_event); + qxl_queue_garbage_collect(qdev, false); + } + if (pending & QXL_INTERRUPT_CURSOR) { +- atomic_inc(&qdev->irq_received_cursor); ++ atomic_inc_unchecked(&qdev->irq_received_cursor); + wake_up_all(&qdev->cursor_event); + } + if (pending & QXL_INTERRUPT_IO_CMD) { +- atomic_inc(&qdev->irq_received_io_cmd); ++ atomic_inc_unchecked(&qdev->irq_received_io_cmd); + wake_up_all(&qdev->io_cmd_event); + } + if (pending & QXL_INTERRUPT_ERROR) { +@@ -82,10 +82,10 @@ int qxl_irq_init(struct qxl_device *qdev) + init_waitqueue_head(&qdev->io_cmd_event); + INIT_WORK(&qdev->client_monitors_config_work, + qxl_client_monitors_config_work_func); +- atomic_set(&qdev->irq_received, 0); +- atomic_set(&qdev->irq_received_display, 0); +- atomic_set(&qdev->irq_received_cursor, 0); +- atomic_set(&qdev->irq_received_io_cmd, 0); ++ atomic_set_unchecked(&qdev->irq_received, 0); ++ atomic_set_unchecked(&qdev->irq_received_display, 0); ++ atomic_set_unchecked(&qdev->irq_received_cursor, 0); ++ atomic_set_unchecked(&qdev->irq_received_io_cmd, 0); + qdev->irq_received_error = 0; + ret = drm_irq_install(qdev->ddev); + qdev->ram_header->int_mask = QXL_INTERRUPT_MASK; +diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c +index c7e7e65..7dddd4d 100644 +--- a/drivers/gpu/drm/qxl/qxl_ttm.c ++++ b/drivers/gpu/drm/qxl/qxl_ttm.c +@@ -103,7 +103,7 @@ static void qxl_ttm_global_fini(struct qxl_device *qdev) + } + } + +-static struct vm_operations_struct qxl_ttm_vm_ops; ++static vm_operations_struct_no_const qxl_ttm_vm_ops __read_only; + static const struct vm_operations_struct *ttm_vm_ops; + + static int qxl_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf) +@@ -147,8 +147,10 @@ int qxl_mmap(struct file *filp, struct vm_area_struct *vma) + return r; + if (unlikely(ttm_vm_ops == NULL)) { + ttm_vm_ops = vma->vm_ops; ++ pax_open_kernel(); + qxl_ttm_vm_ops = *ttm_vm_ops; + qxl_ttm_vm_ops.fault = &qxl_ttm_fault; ++ pax_close_kernel(); + } + vma->vm_ops = &qxl_ttm_vm_ops; + return 0; +@@ -560,25 +562,23 @@ static int qxl_mm_dump_table(struct seq_file *m, void *data) + static int qxl_ttm_debugfs_init(struct qxl_device *qdev) + { + #if defined(CONFIG_DEBUG_FS) +- static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES]; +- static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32]; +- unsigned i; ++ static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES] = { ++ { ++ .name = "qxl_mem_mm", ++ .show = &qxl_mm_dump_table, ++ }, ++ { ++ .name = "qxl_surf_mm", ++ .show = &qxl_mm_dump_table, ++ } ++ }; + +- for (i = 0; i < QXL_DEBUGFS_MEM_TYPES; i++) { +- if (i == 0) +- sprintf(qxl_mem_types_names[i], "qxl_mem_mm"); +- else +- sprintf(qxl_mem_types_names[i], "qxl_surf_mm"); +- qxl_mem_types_list[i].name = qxl_mem_types_names[i]; +- qxl_mem_types_list[i].show = &qxl_mm_dump_table; +- qxl_mem_types_list[i].driver_features = 0; +- if (i == 0) +- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv; +- else +- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv; ++ pax_open_kernel(); ++ *(void **)&qxl_mem_types_list[0].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv; ++ *(void **)&qxl_mem_types_list[1].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv; ++ pax_close_kernel(); + +- } +- return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i); ++ return qxl_debugfs_add_files(qdev, qxl_mem_types_list, QXL_DEBUGFS_MEM_TYPES); + #else + return 0; + #endif +diff --git a/drivers/gpu/drm/r128/r128_cce.c b/drivers/gpu/drm/r128/r128_cce.c +index 59459fe..be26b31 100644 +--- a/drivers/gpu/drm/r128/r128_cce.c ++++ b/drivers/gpu/drm/r128/r128_cce.c +@@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_device *dev, drm_r128_init_t *init) + + /* GH: Simple idle check. + */ +- atomic_set(&dev_priv->idle_count, 0); ++ atomic_set_unchecked(&dev_priv->idle_count, 0); + + /* We don't support anything other than bus-mastering ring mode, + * but the ring can be in either AGP or PCI space for the ring +diff --git a/drivers/gpu/drm/r128/r128_drv.h b/drivers/gpu/drm/r128/r128_drv.h +index 5bf3f5f..7000661 100644 +--- a/drivers/gpu/drm/r128/r128_drv.h ++++ b/drivers/gpu/drm/r128/r128_drv.h +@@ -90,14 +90,14 @@ typedef struct drm_r128_private { + int is_pci; + unsigned long cce_buffers_offset; + +- atomic_t idle_count; ++ atomic_unchecked_t idle_count; + + int page_flipping; + int current_page; + u32 crtc_offset; + u32 crtc_offset_cntl; + +- atomic_t vbl_received; ++ atomic_unchecked_t vbl_received; + + u32 color_fmt; + unsigned int front_offset; +diff --git a/drivers/gpu/drm/r128/r128_ioc32.c b/drivers/gpu/drm/r128/r128_ioc32.c +index b0d0fd3..a6fbbe4 100644 +--- a/drivers/gpu/drm/r128/r128_ioc32.c ++++ b/drivers/gpu/drm/r128/r128_ioc32.c +@@ -178,7 +178,7 @@ static int compat_r128_getparam(struct file *file, unsigned int cmd, + return drm_ioctl(file, DRM_IOCTL_R128_GETPARAM, (unsigned long)getparam); + } + +-drm_ioctl_compat_t *r128_compat_ioctls[] = { ++drm_ioctl_compat_t r128_compat_ioctls[] = { + [DRM_R128_INIT] = compat_r128_init, + [DRM_R128_DEPTH] = compat_r128_depth, + [DRM_R128_STIPPLE] = compat_r128_stipple, +@@ -197,18 +197,15 @@ drm_ioctl_compat_t *r128_compat_ioctls[] = { + long r128_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + { + unsigned int nr = DRM_IOCTL_NR(cmd); +- drm_ioctl_compat_t *fn = NULL; + int ret; + + if (nr < DRM_COMMAND_BASE) + return drm_compat_ioctl(filp, cmd, arg); + +- if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(r128_compat_ioctls)) +- fn = r128_compat_ioctls[nr - DRM_COMMAND_BASE]; +- +- if (fn != NULL) ++ if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(r128_compat_ioctls)) { ++ drm_ioctl_compat_t fn = r128_compat_ioctls[nr - DRM_COMMAND_BASE]; + ret = (*fn) (filp, cmd, arg); +- else ++ } else + ret = drm_ioctl(filp, cmd, arg); + + return ret; +diff --git a/drivers/gpu/drm/r128/r128_irq.c b/drivers/gpu/drm/r128/r128_irq.c +index c2ae496..30b5993 100644 +--- a/drivers/gpu/drm/r128/r128_irq.c ++++ b/drivers/gpu/drm/r128/r128_irq.c +@@ -41,7 +41,7 @@ u32 r128_get_vblank_counter(struct drm_device *dev, int crtc) + if (crtc != 0) + return 0; + +- return atomic_read(&dev_priv->vbl_received); ++ return atomic_read_unchecked(&dev_priv->vbl_received); + } + + irqreturn_t r128_driver_irq_handler(int irq, void *arg) +@@ -55,7 +55,7 @@ irqreturn_t r128_driver_irq_handler(int irq, void *arg) + /* VBLANK interrupt */ + if (status & R128_CRTC_VBLANK_INT) { + R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK); +- atomic_inc(&dev_priv->vbl_received); ++ atomic_inc_unchecked(&dev_priv->vbl_received); + drm_handle_vblank(dev, 0); + return IRQ_HANDLED; + } +diff --git a/drivers/gpu/drm/r128/r128_state.c b/drivers/gpu/drm/r128/r128_state.c +index e806dac..f81d32f 100644 +--- a/drivers/gpu/drm/r128/r128_state.c ++++ b/drivers/gpu/drm/r128/r128_state.c +@@ -320,10 +320,10 @@ static void r128_clear_box(drm_r128_private_t *dev_priv, + + static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv) + { +- if (atomic_read(&dev_priv->idle_count) == 0) ++ if (atomic_read_unchecked(&dev_priv->idle_count) == 0) + r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0); + else +- atomic_set(&dev_priv->idle_count, 0); ++ atomic_set_unchecked(&dev_priv->idle_count, 0); + } + + #endif +diff --git a/drivers/gpu/drm/radeon/mkregtable.c b/drivers/gpu/drm/radeon/mkregtable.c +index 4a85bb6..aaea819 100644 +--- a/drivers/gpu/drm/radeon/mkregtable.c ++++ b/drivers/gpu/drm/radeon/mkregtable.c +@@ -624,14 +624,14 @@ static int parser_auth(struct table *t, const char *filename) + regex_t mask_rex; + regmatch_t match[4]; + char buf[1024]; +- size_t end; ++ long end; + int len; + int done = 0; + int r; + unsigned o; + struct offset *offset; + char last_reg_s[10]; +- int last_reg; ++ unsigned long last_reg; + + if (regcomp + (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) { +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index 044bc98..50ced9b 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -1125,7 +1125,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) + bool can_switch; + + spin_lock(&dev->count_lock); +- can_switch = (dev->open_count == 0); ++ can_switch = (local_read(&dev->open_count) == 0); + spin_unlock(&dev->count_lock); + return can_switch; + } +diff --git a/drivers/gpu/drm/radeon/radeon_drv.h b/drivers/gpu/drm/radeon/radeon_drv.h +index dafd812..1bf20c7 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.h ++++ b/drivers/gpu/drm/radeon/radeon_drv.h +@@ -262,7 +262,7 @@ typedef struct drm_radeon_private { + + /* SW interrupt */ + wait_queue_head_t swi_queue; +- atomic_t swi_emitted; ++ atomic_unchecked_t swi_emitted; + int vblank_crtc; + uint32_t irq_enable_reg; + uint32_t r500_disp_irq_reg; +diff --git a/drivers/gpu/drm/radeon/radeon_ioc32.c b/drivers/gpu/drm/radeon/radeon_ioc32.c +index bdb0f93..5ff558f 100644 +--- a/drivers/gpu/drm/radeon/radeon_ioc32.c ++++ b/drivers/gpu/drm/radeon/radeon_ioc32.c +@@ -358,7 +358,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd, + request = compat_alloc_user_space(sizeof(*request)); + if (!access_ok(VERIFY_WRITE, request, sizeof(*request)) + || __put_user(req32.param, &request->param) +- || __put_user((void __user *)(unsigned long)req32.value, ++ || __put_user((unsigned long)req32.value, + &request->value)) + return -EFAULT; + +@@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd, + #define compat_radeon_cp_setparam NULL + #endif /* X86_64 || IA64 */ + +-static drm_ioctl_compat_t *radeon_compat_ioctls[] = { ++static drm_ioctl_compat_t radeon_compat_ioctls[] = { + [DRM_RADEON_CP_INIT] = compat_radeon_cp_init, + [DRM_RADEON_CLEAR] = compat_radeon_cp_clear, + [DRM_RADEON_STIPPLE] = compat_radeon_cp_stipple, +@@ -393,18 +393,15 @@ static drm_ioctl_compat_t *radeon_compat_ioctls[] = { + long radeon_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + { + unsigned int nr = DRM_IOCTL_NR(cmd); +- drm_ioctl_compat_t *fn = NULL; + int ret; + + if (nr < DRM_COMMAND_BASE) + return drm_compat_ioctl(filp, cmd, arg); + +- if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(radeon_compat_ioctls)) +- fn = radeon_compat_ioctls[nr - DRM_COMMAND_BASE]; +- +- if (fn != NULL) ++ if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(radeon_compat_ioctls)) { ++ drm_ioctl_compat_t fn = radeon_compat_ioctls[nr - DRM_COMMAND_BASE]; + ret = (*fn) (filp, cmd, arg); +- else ++ } else + ret = drm_ioctl(filp, cmd, arg); + + return ret; +diff --git a/drivers/gpu/drm/radeon/radeon_irq.c b/drivers/gpu/drm/radeon/radeon_irq.c +index 244b19b..c19226d 100644 +--- a/drivers/gpu/drm/radeon/radeon_irq.c ++++ b/drivers/gpu/drm/radeon/radeon_irq.c +@@ -226,8 +226,8 @@ static int radeon_emit_irq(struct drm_device * dev) + unsigned int ret; + RING_LOCALS; + +- atomic_inc(&dev_priv->swi_emitted); +- ret = atomic_read(&dev_priv->swi_emitted); ++ atomic_inc_unchecked(&dev_priv->swi_emitted); ++ ret = atomic_read_unchecked(&dev_priv->swi_emitted); + + BEGIN_RING(4); + OUT_RING_REG(RADEON_LAST_SWI_REG, ret); +@@ -353,7 +353,7 @@ int radeon_driver_irq_postinstall(struct drm_device *dev) + drm_radeon_private_t *dev_priv = + (drm_radeon_private_t *) dev->dev_private; + +- atomic_set(&dev_priv->swi_emitted, 0); ++ atomic_set_unchecked(&dev_priv->swi_emitted, 0); + init_waitqueue_head(&dev_priv->swi_queue); + + dev->max_vblank_count = 0x001fffff; +diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c +index 956ab7f..fbd36d8 100644 +--- a/drivers/gpu/drm/radeon/radeon_state.c ++++ b/drivers/gpu/drm/radeon/radeon_state.c +@@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_device *dev, void *data, struct drm_file * + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS) + sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS; + +- if (copy_from_user(&depth_boxes, clear->depth_boxes, ++ if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || copy_from_user(&depth_boxes, clear->depth_boxes, + sarea_priv->nbox * sizeof(depth_boxes[0]))) + return -EFAULT; + +@@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm_device *dev, void *data, struct drm_fil + { + drm_radeon_private_t *dev_priv = dev->dev_private; + drm_radeon_getparam_t *param = data; +- int value; ++ int value = 0; + + DRM_DEBUG("pid=%d\n", DRM_CURRENTPID); + +diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c +index 040a2a1..eae4e54 100644 +--- a/drivers/gpu/drm/radeon/radeon_ttm.c ++++ b/drivers/gpu/drm/radeon/radeon_ttm.c +@@ -790,7 +790,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size) + man->size = size >> PAGE_SHIFT; + } + +-static struct vm_operations_struct radeon_ttm_vm_ops; ++static vm_operations_struct_no_const radeon_ttm_vm_ops __read_only; + static const struct vm_operations_struct *ttm_vm_ops = NULL; + + static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf) +@@ -831,8 +831,10 @@ int radeon_mmap(struct file *filp, struct vm_area_struct *vma) + } + if (unlikely(ttm_vm_ops == NULL)) { + ttm_vm_ops = vma->vm_ops; ++ pax_open_kernel(); + radeon_ttm_vm_ops = *ttm_vm_ops; + radeon_ttm_vm_ops.fault = &radeon_ttm_fault; ++ pax_close_kernel(); + } + vma->vm_ops = &radeon_ttm_vm_ops; + return 0; +diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c +index 9336006..ce78aa7 100644 +--- a/drivers/gpu/drm/tegra/dc.c ++++ b/drivers/gpu/drm/tegra/dc.c +@@ -1057,7 +1057,7 @@ static int tegra_dc_debugfs_init(struct tegra_dc *dc, struct drm_minor *minor) + } + + for (i = 0; i < ARRAY_SIZE(debugfs_files); i++) +- dc->debugfs_files[i].data = dc; ++ *(void **)&dc->debugfs_files[i].data = dc; + + err = drm_debugfs_create_files(dc->debugfs_files, + ARRAY_SIZE(debugfs_files), +diff --git a/drivers/gpu/drm/tegra/hdmi.c b/drivers/gpu/drm/tegra/hdmi.c +index 6928015..c9853e7 100644 +--- a/drivers/gpu/drm/tegra/hdmi.c ++++ b/drivers/gpu/drm/tegra/hdmi.c +@@ -59,7 +59,7 @@ struct tegra_hdmi { + bool stereo; + bool dvi; + +- struct drm_info_list *debugfs_files; ++ drm_info_list_no_const *debugfs_files; + struct drm_minor *minor; + struct dentry *debugfs; + }; +diff --git a/drivers/gpu/drm/ttm/ttm_bo_manager.c b/drivers/gpu/drm/ttm/ttm_bo_manager.c +index c58eba33..83c2728 100644 +--- a/drivers/gpu/drm/ttm/ttm_bo_manager.c ++++ b/drivers/gpu/drm/ttm/ttm_bo_manager.c +@@ -141,10 +141,10 @@ static void ttm_bo_man_debug(struct ttm_mem_type_manager *man, + } + + const struct ttm_mem_type_manager_func ttm_bo_manager_func = { +- ttm_bo_man_init, +- ttm_bo_man_takedown, +- ttm_bo_man_get_node, +- ttm_bo_man_put_node, +- ttm_bo_man_debug ++ .init = ttm_bo_man_init, ++ .takedown = ttm_bo_man_takedown, ++ .get_node = ttm_bo_man_get_node, ++ .put_node = ttm_bo_man_put_node, ++ .debug = ttm_bo_man_debug + }; + EXPORT_SYMBOL(ttm_bo_manager_func); +diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c +index dbc2def..0a9f710 100644 +--- a/drivers/gpu/drm/ttm/ttm_memory.c ++++ b/drivers/gpu/drm/ttm/ttm_memory.c +@@ -264,7 +264,7 @@ static int ttm_mem_init_kernel_zone(struct ttm_mem_global *glob, + zone->glob = glob; + glob->zone_kernel = zone; + ret = kobject_init_and_add( +- &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name); ++ &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name); + if (unlikely(ret != 0)) { + kobject_put(&zone->kobj); + return ret; +@@ -347,7 +347,7 @@ static int ttm_mem_init_dma32_zone(struct ttm_mem_global *glob, + zone->glob = glob; + glob->zone_dma32 = zone; + ret = kobject_init_and_add( +- &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name); ++ &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name); + if (unlikely(ret != 0)) { + kobject_put(&zone->kobj); + return ret; +diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c +index 863bef9..cba15cf 100644 +--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c ++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c +@@ -391,9 +391,9 @@ out: + static unsigned long + ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) + { +- static atomic_t start_pool = ATOMIC_INIT(0); ++ static atomic_unchecked_t start_pool = ATOMIC_INIT(0); + unsigned i; +- unsigned pool_offset = atomic_add_return(1, &start_pool); ++ unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool); + struct ttm_page_pool *pool; + int shrink_pages = sc->nr_to_scan; + unsigned long freed = 0; +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c +index dbadd49..1b7457b 100644 +--- a/drivers/gpu/drm/udl/udl_fb.c ++++ b/drivers/gpu/drm/udl/udl_fb.c +@@ -367,7 +367,6 @@ static int udl_fb_release(struct fb_info *info, int user) + fb_deferred_io_cleanup(info); + kfree(info->fbdefio); + info->fbdefio = NULL; +- info->fbops->fb_mmap = udl_fb_mmap; + } + + pr_warn("released /dev/fb%d user=%d count=%d\n", +diff --git a/drivers/gpu/drm/via/via_drv.h b/drivers/gpu/drm/via/via_drv.h +index ad02732..144f5ed 100644 +--- a/drivers/gpu/drm/via/via_drv.h ++++ b/drivers/gpu/drm/via/via_drv.h +@@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer { + typedef uint32_t maskarray_t[5]; + + typedef struct drm_via_irq { +- atomic_t irq_received; ++ atomic_unchecked_t irq_received; + uint32_t pending_mask; + uint32_t enable_mask; + wait_queue_head_t irq_queue; +@@ -75,7 +75,7 @@ typedef struct drm_via_private { + struct timeval last_vblank; + int last_vblank_valid; + unsigned usec_per_vblank; +- atomic_t vbl_received; ++ atomic_unchecked_t vbl_received; + drm_via_state_t hc_state; + char pci_buf[VIA_PCI_BUF_SIZE]; + const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE]; +diff --git a/drivers/gpu/drm/via/via_irq.c b/drivers/gpu/drm/via/via_irq.c +index 1319433..a993b0c 100644 +--- a/drivers/gpu/drm/via/via_irq.c ++++ b/drivers/gpu/drm/via/via_irq.c +@@ -101,7 +101,7 @@ u32 via_get_vblank_counter(struct drm_device *dev, int crtc) + if (crtc != 0) + return 0; + +- return atomic_read(&dev_priv->vbl_received); ++ return atomic_read_unchecked(&dev_priv->vbl_received); + } + + irqreturn_t via_driver_irq_handler(int irq, void *arg) +@@ -116,8 +116,8 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg) + + status = VIA_READ(VIA_REG_INTERRUPT); + if (status & VIA_IRQ_VBLANK_PENDING) { +- atomic_inc(&dev_priv->vbl_received); +- if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) { ++ atomic_inc_unchecked(&dev_priv->vbl_received); ++ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) { + do_gettimeofday(&cur_vblank); + if (dev_priv->last_vblank_valid) { + dev_priv->usec_per_vblank = +@@ -127,7 +127,7 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg) + dev_priv->last_vblank = cur_vblank; + dev_priv->last_vblank_valid = 1; + } +- if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) { ++ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) { + DRM_DEBUG("US per vblank is: %u\n", + dev_priv->usec_per_vblank); + } +@@ -137,7 +137,7 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg) + + for (i = 0; i < dev_priv->num_irqs; ++i) { + if (status & cur_irq->pending_mask) { +- atomic_inc(&cur_irq->irq_received); ++ atomic_inc_unchecked(&cur_irq->irq_received); + wake_up(&cur_irq->irq_queue); + handled = 1; + if (dev_priv->irq_map[drm_via_irq_dma0_td] == i) +@@ -242,11 +242,11 @@ via_driver_irq_wait(struct drm_device *dev, unsigned int irq, int force_sequence + DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * HZ, + ((VIA_READ(masks[irq][2]) & masks[irq][3]) == + masks[irq][4])); +- cur_irq_sequence = atomic_read(&cur_irq->irq_received); ++ cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received); + } else { + DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * HZ, + (((cur_irq_sequence = +- atomic_read(&cur_irq->irq_received)) - ++ atomic_read_unchecked(&cur_irq->irq_received)) - + *sequence) <= (1 << 23))); + } + *sequence = cur_irq_sequence; +@@ -284,7 +284,7 @@ void via_driver_irq_preinstall(struct drm_device *dev) + } + + for (i = 0; i < dev_priv->num_irqs; ++i) { +- atomic_set(&cur_irq->irq_received, 0); ++ atomic_set_unchecked(&cur_irq->irq_received, 0); + cur_irq->enable_mask = dev_priv->irq_masks[i][0]; + cur_irq->pending_mask = dev_priv->irq_masks[i][1]; + init_waitqueue_head(&cur_irq->irq_queue); +@@ -366,7 +366,7 @@ int via_wait_irq(struct drm_device *dev, void *data, struct drm_file *file_priv) + switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) { + case VIA_IRQ_RELATIVE: + irqwait->request.sequence += +- atomic_read(&cur_irq->irq_received); ++ atomic_read_unchecked(&cur_irq->irq_received); + irqwait->request.type &= ~_DRM_VBLANK_RELATIVE; + case VIA_IRQ_ABSOLUTE: + break; +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +index 0783155..b29e18e 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +@@ -437,7 +437,7 @@ struct vmw_private { + * Fencing and IRQs. + */ + +- atomic_t marker_seq; ++ atomic_unchecked_t marker_seq; + wait_queue_head_t fence_queue; + wait_queue_head_t fifo_queue; + int fence_queue_waiters; /* Protected by hw_mutex */ +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c +index 6ccd993..618d592 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c +@@ -154,7 +154,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo) + (unsigned int) min, + (unsigned int) fifo->capabilities); + +- atomic_set(&dev_priv->marker_seq, dev_priv->last_read_seqno); ++ atomic_set_unchecked(&dev_priv->marker_seq, dev_priv->last_read_seqno); + iowrite32(dev_priv->last_read_seqno, fifo_mem + SVGA_FIFO_FENCE); + vmw_marker_queue_init(&fifo->marker_queue); + return vmw_fifo_send_fence(dev_priv, &dummy); +@@ -372,7 +372,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes) + if (reserveable) + iowrite32(bytes, fifo_mem + + SVGA_FIFO_RESERVED); +- return fifo_mem + (next_cmd >> 2); ++ return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2); + } else { + need_bounce = true; + } +@@ -492,7 +492,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) + + fm = vmw_fifo_reserve(dev_priv, bytes); + if (unlikely(fm == NULL)) { +- *seqno = atomic_read(&dev_priv->marker_seq); ++ *seqno = atomic_read_unchecked(&dev_priv->marker_seq); + ret = -ENOMEM; + (void)vmw_fallback_wait(dev_priv, false, true, *seqno, + false, 3*HZ); +@@ -500,7 +500,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno) + } + + do { +- *seqno = atomic_add_return(1, &dev_priv->marker_seq); ++ *seqno = atomic_add_return_unchecked(1, &dev_priv->marker_seq); + } while (*seqno == 0); + + if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) { +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c +index b1273e8..9c274fd 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c +@@ -164,9 +164,9 @@ static void vmw_gmrid_man_debug(struct ttm_mem_type_manager *man, + } + + const struct ttm_mem_type_manager_func vmw_gmrid_manager_func = { +- vmw_gmrid_man_init, +- vmw_gmrid_man_takedown, +- vmw_gmrid_man_get_node, +- vmw_gmrid_man_put_node, +- vmw_gmrid_man_debug ++ .init = vmw_gmrid_man_init, ++ .takedown = vmw_gmrid_man_takedown, ++ .get_node = vmw_gmrid_man_get_node, ++ .put_node = vmw_gmrid_man_put_node, ++ .debug = vmw_gmrid_man_debug + }; +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c +index 47b7094..698ba09 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c +@@ -236,7 +236,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data, + int ret; + + num_clips = arg->num_clips; +- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr; ++ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr; + + if (unlikely(num_clips == 0)) + return 0; +@@ -320,7 +320,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data, + int ret; + + num_clips = arg->num_clips; +- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr; ++ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr; + + if (unlikely(num_clips == 0)) + return 0; +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c +index 0c42376..6febe77 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c +@@ -107,7 +107,7 @@ bool vmw_seqno_passed(struct vmw_private *dev_priv, + * emitted. Then the fence is stale and signaled. + */ + +- ret = ((atomic_read(&dev_priv->marker_seq) - seqno) ++ ret = ((atomic_read_unchecked(&dev_priv->marker_seq) - seqno) + > VMW_FENCE_WRAP); + + return ret; +@@ -138,7 +138,7 @@ int vmw_fallback_wait(struct vmw_private *dev_priv, + + if (fifo_idle) + down_read(&fifo_state->rwsem); +- signal_seq = atomic_read(&dev_priv->marker_seq); ++ signal_seq = atomic_read_unchecked(&dev_priv->marker_seq); + ret = 0; + + for (;;) { +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c +index 8a8725c2..afed796 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c +@@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv, + while (!vmw_lag_lt(queue, us)) { + spin_lock(&queue->lock); + if (list_empty(&queue->head)) +- seqno = atomic_read(&dev_priv->marker_seq); ++ seqno = atomic_read_unchecked(&dev_priv->marker_seq); + else { + marker = list_first_entry(&queue->head, + struct vmw_marker, head); +diff --git a/drivers/gpu/vga/vga_switcheroo.c b/drivers/gpu/vga/vga_switcheroo.c +index ec0ae2d..dc0780b 100644 +--- a/drivers/gpu/vga/vga_switcheroo.c ++++ b/drivers/gpu/vga/vga_switcheroo.c +@@ -643,7 +643,7 @@ static int vga_switcheroo_runtime_resume(struct device *dev) + + /* this version is for the case where the power switch is separate + to the device being powered down. */ +-int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain) ++int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain) + { + /* copy over all the bus versions */ + if (dev->bus && dev->bus->pm) { +@@ -688,7 +688,7 @@ static int vga_switcheroo_runtime_resume_hdmi_audio(struct device *dev) + return ret; + } + +-int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain) ++int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain) + { + /* copy over all the bus versions */ + if (dev->bus && dev->bus->pm) { +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index cc32a6f..02a4b1c 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -2421,7 +2421,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); + + int hid_add_device(struct hid_device *hdev) + { +- static atomic_t id = ATOMIC_INIT(0); ++ static atomic_unchecked_t id = ATOMIC_INIT(0); + int ret; + + if (WARN_ON(hdev->status & HID_STAT_ADDED)) +@@ -2455,7 +2455,7 @@ int hid_add_device(struct hid_device *hdev) + /* XXX hack, any other cleaner solution after the driver core + * is converted to allow more than 20 bytes as the device name? */ + dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, +- hdev->vendor, hdev->product, atomic_inc_return(&id)); ++ hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id)); + + hid_debug_register(hdev, dev_name(&hdev->dev)); + ret = device_add(&hdev->dev); +diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c +index c13fb5b..55a3802 100644 +--- a/drivers/hid/hid-wiimote-debug.c ++++ b/drivers/hid/hid-wiimote-debug.c +@@ -66,7 +66,7 @@ static ssize_t wiidebug_eeprom_read(struct file *f, char __user *u, size_t s, + else if (size == 0) + return -EIO; + +- if (copy_to_user(u, buf, size)) ++ if (size > sizeof(buf) || copy_to_user(u, buf, size)) + return -EFAULT; + + *off += size; +diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c +index cedc6da..2c3da2a 100644 +--- a/drivers/hid/uhid.c ++++ b/drivers/hid/uhid.c +@@ -47,7 +47,7 @@ struct uhid_device { + struct mutex report_lock; + wait_queue_head_t report_wait; + atomic_t report_done; +- atomic_t report_id; ++ atomic_unchecked_t report_id; + struct uhid_event report_buf; + }; + +@@ -163,7 +163,7 @@ static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum, + + spin_lock_irqsave(&uhid->qlock, flags); + ev->type = UHID_FEATURE; +- ev->u.feature.id = atomic_inc_return(&uhid->report_id); ++ ev->u.feature.id = atomic_inc_return_unchecked(&uhid->report_id); + ev->u.feature.rnum = rnum; + ev->u.feature.rtype = report_type; + +@@ -446,7 +446,7 @@ static int uhid_dev_feature_answer(struct uhid_device *uhid, + spin_lock_irqsave(&uhid->qlock, flags); + + /* id for old report; drop it silently */ +- if (atomic_read(&uhid->report_id) != ev->u.feature_answer.id) ++ if (atomic_read_unchecked(&uhid->report_id) != ev->u.feature_answer.id) + goto unlock; + if (atomic_read(&uhid->report_done)) + goto unlock; +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c +index 69ea36f..8dbf4bb 100644 +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -364,8 +364,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, + int ret = 0; + int t; + +- next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle); +- atomic_inc(&vmbus_connection.next_gpadl_handle); ++ next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle); ++ atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle); + + ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount); + if (ret) +diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c +index bcb4950..61dba6c 100644 +--- a/drivers/hv/hv.c ++++ b/drivers/hv/hv.c +@@ -112,7 +112,7 @@ static u64 do_hypercall(u64 control, void *input, void *output) + u64 output_address = (output) ? virt_to_phys(output) : 0; + u32 output_address_hi = output_address >> 32; + u32 output_address_lo = output_address & 0xFFFFFFFF; +- void *hypercall_page = hv_context.hypercall_page; ++ void *hypercall_page = ktva_ktla(hv_context.hypercall_page); + + __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi), + "=a"(hv_status_lo) : "d" (control_hi), +@@ -154,7 +154,7 @@ int hv_init(void) + /* See if the hypercall page is already set */ + rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); + +- virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC); ++ virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_RX); + + if (!virtaddr) + goto cleanup; +diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c +index 7e17a54..a50a33d 100644 +--- a/drivers/hv/hv_balloon.c ++++ b/drivers/hv/hv_balloon.c +@@ -464,7 +464,7 @@ MODULE_PARM_DESC(hot_add, "If set attempt memory hot_add"); + + module_param(pressure_report_delay, uint, (S_IRUGO | S_IWUSR)); + MODULE_PARM_DESC(pressure_report_delay, "Delay in secs in reporting pressure"); +-static atomic_t trans_id = ATOMIC_INIT(0); ++static atomic_unchecked_t trans_id = ATOMIC_INIT(0); + + static int dm_ring_size = (5 * PAGE_SIZE); + +@@ -886,7 +886,7 @@ static void hot_add_req(struct work_struct *dummy) + pr_info("Memory hot add failed\n"); + + dm->state = DM_INITIALIZED; +- resp.hdr.trans_id = atomic_inc_return(&trans_id); ++ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id); + vmbus_sendpacket(dm->dev->channel, &resp, + sizeof(struct dm_hot_add_response), + (unsigned long)NULL, +@@ -960,7 +960,7 @@ static void post_status(struct hv_dynmem_device *dm) + memset(&status, 0, sizeof(struct dm_status)); + status.hdr.type = DM_STATUS_REPORT; + status.hdr.size = sizeof(struct dm_status); +- status.hdr.trans_id = atomic_inc_return(&trans_id); ++ status.hdr.trans_id = atomic_inc_return_unchecked(&trans_id); + + /* + * The host expects the guest to report free memory. +@@ -980,7 +980,7 @@ static void post_status(struct hv_dynmem_device *dm) + * send the status. This can happen if we were interrupted + * after we picked our transaction ID. + */ +- if (status.hdr.trans_id != atomic_read(&trans_id)) ++ if (status.hdr.trans_id != atomic_read_unchecked(&trans_id)) + return; + + vmbus_sendpacket(dm->dev->channel, &status, +@@ -1108,7 +1108,7 @@ static void balloon_up(struct work_struct *dummy) + */ + + do { +- bl_resp->hdr.trans_id = atomic_inc_return(&trans_id); ++ bl_resp->hdr.trans_id = atomic_inc_return_unchecked(&trans_id); + ret = vmbus_sendpacket(dm_device.dev->channel, + bl_resp, + bl_resp->hdr.size, +@@ -1152,7 +1152,7 @@ static void balloon_down(struct hv_dynmem_device *dm, + + memset(&resp, 0, sizeof(struct dm_unballoon_response)); + resp.hdr.type = DM_UNBALLOON_RESPONSE; +- resp.hdr.trans_id = atomic_inc_return(&trans_id); ++ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id); + resp.hdr.size = sizeof(struct dm_unballoon_response); + + vmbus_sendpacket(dm_device.dev->channel, &resp, +@@ -1215,7 +1215,7 @@ static void version_resp(struct hv_dynmem_device *dm, + memset(&version_req, 0, sizeof(struct dm_version_request)); + version_req.hdr.type = DM_VERSION_REQUEST; + version_req.hdr.size = sizeof(struct dm_version_request); +- version_req.hdr.trans_id = atomic_inc_return(&trans_id); ++ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id); + version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN7; + version_req.is_last_attempt = 1; + +@@ -1385,7 +1385,7 @@ static int balloon_probe(struct hv_device *dev, + memset(&version_req, 0, sizeof(struct dm_version_request)); + version_req.hdr.type = DM_VERSION_REQUEST; + version_req.hdr.size = sizeof(struct dm_version_request); +- version_req.hdr.trans_id = atomic_inc_return(&trans_id); ++ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id); + version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN8; + version_req.is_last_attempt = 0; + +@@ -1416,7 +1416,7 @@ static int balloon_probe(struct hv_device *dev, + memset(&cap_msg, 0, sizeof(struct dm_capabilities)); + cap_msg.hdr.type = DM_CAPABILITIES_REPORT; + cap_msg.hdr.size = sizeof(struct dm_capabilities); +- cap_msg.hdr.trans_id = atomic_inc_return(&trans_id); ++ cap_msg.hdr.trans_id = atomic_inc_return_unchecked(&trans_id); + + cap_msg.caps.cap_bits.balloon = 1; + cap_msg.caps.cap_bits.hot_add = 1; +diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h +index e055176..c22ff1f 100644 +--- a/drivers/hv/hyperv_vmbus.h ++++ b/drivers/hv/hyperv_vmbus.h +@@ -602,7 +602,7 @@ enum vmbus_connect_state { + struct vmbus_connection { + enum vmbus_connect_state conn_state; + +- atomic_t next_gpadl_handle; ++ atomic_unchecked_t next_gpadl_handle; + + /* + * Represents channel interrupts. Each bit position represents a +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 077bb1b..d433d74 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -844,10 +844,10 @@ int vmbus_device_register(struct hv_device *child_device_obj) + { + int ret = 0; + +- static atomic_t device_num = ATOMIC_INIT(0); ++ static atomic_unchecked_t device_num = ATOMIC_INIT(0); + + dev_set_name(&child_device_obj->device, "vmbus_0_%d", +- atomic_inc_return(&device_num)); ++ atomic_inc_return_unchecked(&device_num)); + + child_device_obj->device.bus = &hv_bus; + child_device_obj->device.parent = &hv_acpi_dev->dev; +diff --git a/drivers/hwmon/acpi_power_meter.c b/drivers/hwmon/acpi_power_meter.c +index 579bdf9..75118b5 100644 +--- a/drivers/hwmon/acpi_power_meter.c ++++ b/drivers/hwmon/acpi_power_meter.c +@@ -116,7 +116,7 @@ struct sensor_template { + struct device_attribute *devattr, + const char *buf, size_t count); + int index; +-}; ++} __do_const; + + /* Averaging interval */ + static int update_avg_interval(struct acpi_power_meter_resource *resource) +@@ -631,7 +631,7 @@ static int register_attrs(struct acpi_power_meter_resource *resource, + struct sensor_template *attrs) + { + struct device *dev = &resource->acpi_dev->dev; +- struct sensor_device_attribute *sensors = ++ sensor_device_attribute_no_const *sensors = + &resource->sensors[resource->num_sensors]; + int res = 0; + +diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c +index 3288f13..71cfb4e 100644 +--- a/drivers/hwmon/applesmc.c ++++ b/drivers/hwmon/applesmc.c +@@ -1106,7 +1106,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num) + { + struct applesmc_node_group *grp; + struct applesmc_dev_attr *node; +- struct attribute *attr; ++ attribute_no_const *attr; + int ret, i; + + for (grp = groups; grp->format; grp++) { +diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c +index ae208f6..48b6c5b 100644 +--- a/drivers/hwmon/asus_atk0110.c ++++ b/drivers/hwmon/asus_atk0110.c +@@ -147,10 +147,10 @@ MODULE_DEVICE_TABLE(acpi, atk_ids); + struct atk_sensor_data { + struct list_head list; + struct atk_data *data; +- struct device_attribute label_attr; +- struct device_attribute input_attr; +- struct device_attribute limit1_attr; +- struct device_attribute limit2_attr; ++ device_attribute_no_const label_attr; ++ device_attribute_no_const input_attr; ++ device_attribute_no_const limit1_attr; ++ device_attribute_no_const limit2_attr; + char label_attr_name[ATTR_NAME_SIZE]; + char input_attr_name[ATTR_NAME_SIZE]; + char limit1_attr_name[ATTR_NAME_SIZE]; +@@ -270,7 +270,7 @@ static ssize_t atk_name_show(struct device *dev, + static struct device_attribute atk_name_attr = + __ATTR(name, 0444, atk_name_show, NULL); + +-static void atk_init_attribute(struct device_attribute *attr, char *name, ++static void atk_init_attribute(device_attribute_no_const *attr, char *name, + sysfs_show_func show) + { + sysfs_attr_init(&attr->attr); +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index bbb0b0d..9fe1332 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -823,7 +823,7 @@ static int coretemp_cpu_callback(struct notifier_block *nfb, + return NOTIFY_OK; + } + +-static struct notifier_block coretemp_cpu_notifier __refdata = { ++static struct notifier_block coretemp_cpu_notifier = { + .notifier_call = coretemp_cpu_callback, + }; + +diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c +index 632f1dc..57e6a58 100644 +--- a/drivers/hwmon/ibmaem.c ++++ b/drivers/hwmon/ibmaem.c +@@ -926,7 +926,7 @@ static int aem_register_sensors(struct aem_data *data, + struct aem_rw_sensor_template *rw) + { + struct device *dev = &data->pdev->dev; +- struct sensor_device_attribute *sensors = data->sensors; ++ sensor_device_attribute_no_const *sensors = data->sensors; + int err; + + /* Set up read-only sensors */ +diff --git a/drivers/hwmon/iio_hwmon.c b/drivers/hwmon/iio_hwmon.c +index 708081b..fe2d4ab 100644 +--- a/drivers/hwmon/iio_hwmon.c ++++ b/drivers/hwmon/iio_hwmon.c +@@ -73,7 +73,7 @@ static int iio_hwmon_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct iio_hwmon_state *st; +- struct sensor_device_attribute *a; ++ sensor_device_attribute_no_const *a; + int ret, i; + int in_i = 1, temp_i = 1, curr_i = 1; + enum iio_chan_type type; +diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index 38d5a63..cf2c2ea 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -944,10 +944,10 @@ static struct attribute_group * + nct6775_create_attr_group(struct device *dev, struct sensor_template_group *tg, + int repeat) + { +- struct attribute_group *group; ++ attribute_group_no_const *group; + struct sensor_device_attr_u *su; +- struct sensor_device_attribute *a; +- struct sensor_device_attribute_2 *a2; ++ sensor_device_attribute_no_const *a; ++ sensor_device_attribute_2_no_const *a2; + struct attribute **attrs; + struct sensor_device_template **t; + int i, count; +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c +index 291d11f..3f0dbbd 100644 +--- a/drivers/hwmon/pmbus/pmbus_core.c ++++ b/drivers/hwmon/pmbus/pmbus_core.c +@@ -783,7 +783,7 @@ static int pmbus_add_attribute(struct pmbus_data *data, struct attribute *attr) + return 0; + } + +-static void pmbus_dev_attr_init(struct device_attribute *dev_attr, ++static void pmbus_dev_attr_init(device_attribute_no_const *dev_attr, + const char *name, + umode_t mode, + ssize_t (*show)(struct device *dev, +@@ -800,7 +800,7 @@ static void pmbus_dev_attr_init(struct device_attribute *dev_attr, + dev_attr->store = store; + } + +-static void pmbus_attr_init(struct sensor_device_attribute *a, ++static void pmbus_attr_init(sensor_device_attribute_no_const *a, + const char *name, + umode_t mode, + ssize_t (*show)(struct device *dev, +@@ -822,7 +822,7 @@ static int pmbus_add_boolean(struct pmbus_data *data, + u16 reg, u8 mask) + { + struct pmbus_boolean *boolean; +- struct sensor_device_attribute *a; ++ sensor_device_attribute_no_const *a; + + boolean = devm_kzalloc(data->dev, sizeof(*boolean), GFP_KERNEL); + if (!boolean) +@@ -847,7 +847,7 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data, + bool update, bool readonly) + { + struct pmbus_sensor *sensor; +- struct device_attribute *a; ++ device_attribute_no_const *a; + + sensor = devm_kzalloc(data->dev, sizeof(*sensor), GFP_KERNEL); + if (!sensor) +@@ -878,7 +878,7 @@ static int pmbus_add_label(struct pmbus_data *data, + const char *lstring, int index) + { + struct pmbus_label *label; +- struct device_attribute *a; ++ device_attribute_no_const *a; + + label = devm_kzalloc(data->dev, sizeof(*label), GFP_KERNEL); + if (!label) +diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c +index 97cd45a..ac54d8b 100644 +--- a/drivers/hwmon/sht15.c ++++ b/drivers/hwmon/sht15.c +@@ -169,7 +169,7 @@ struct sht15_data { + int supply_uv; + bool supply_uv_valid; + struct work_struct update_supply_work; +- atomic_t interrupt_handled; ++ atomic_unchecked_t interrupt_handled; + }; + + /** +@@ -542,13 +542,13 @@ static int sht15_measurement(struct sht15_data *data, + ret = gpio_direction_input(data->pdata->gpio_data); + if (ret) + return ret; +- atomic_set(&data->interrupt_handled, 0); ++ atomic_set_unchecked(&data->interrupt_handled, 0); + + enable_irq(gpio_to_irq(data->pdata->gpio_data)); + if (gpio_get_value(data->pdata->gpio_data) == 0) { + disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data)); + /* Only relevant if the interrupt hasn't occurred. */ +- if (!atomic_read(&data->interrupt_handled)) ++ if (!atomic_read_unchecked(&data->interrupt_handled)) + schedule_work(&data->read_work); + } + ret = wait_event_timeout(data->wait_queue, +@@ -820,7 +820,7 @@ static irqreturn_t sht15_interrupt_fired(int irq, void *d) + + /* First disable the interrupt */ + disable_irq_nosync(irq); +- atomic_inc(&data->interrupt_handled); ++ atomic_inc_unchecked(&data->interrupt_handled); + /* Then schedule a reading work struct */ + if (data->state != SHT15_READING_NOTHING) + schedule_work(&data->read_work); +@@ -842,11 +842,11 @@ static void sht15_bh_read_data(struct work_struct *work_s) + * If not, then start the interrupt again - care here as could + * have gone low in meantime so verify it hasn't! + */ +- atomic_set(&data->interrupt_handled, 0); ++ atomic_set_unchecked(&data->interrupt_handled, 0); + enable_irq(gpio_to_irq(data->pdata->gpio_data)); + /* If still not occurred or another handler was scheduled */ + if (gpio_get_value(data->pdata->gpio_data) +- || atomic_read(&data->interrupt_handled)) ++ || atomic_read_unchecked(&data->interrupt_handled)) + return; + } + +diff --git a/drivers/hwmon/via-cputemp.c b/drivers/hwmon/via-cputemp.c +index 38944e9..ae9e5ed 100644 +--- a/drivers/hwmon/via-cputemp.c ++++ b/drivers/hwmon/via-cputemp.c +@@ -296,7 +296,7 @@ static int via_cputemp_cpu_callback(struct notifier_block *nfb, + return NOTIFY_OK; + } + +-static struct notifier_block via_cputemp_cpu_notifier __refdata = { ++static struct notifier_block via_cputemp_cpu_notifier = { + .notifier_call = via_cputemp_cpu_callback, + }; + +diff --git a/drivers/i2c/busses/i2c-amd756-s4882.c b/drivers/i2c/busses/i2c-amd756-s4882.c +index 41fc683..a39cfea 100644 +--- a/drivers/i2c/busses/i2c-amd756-s4882.c ++++ b/drivers/i2c/busses/i2c-amd756-s4882.c +@@ -43,7 +43,7 @@ + extern struct i2c_adapter amd756_smbus; + + static struct i2c_adapter *s4882_adapter; +-static struct i2c_algorithm *s4882_algo; ++static i2c_algorithm_no_const *s4882_algo; + + /* Wrapper access functions for multiplexed SMBus */ + static DEFINE_MUTEX(amd756_lock); +diff --git a/drivers/i2c/busses/i2c-diolan-u2c.c b/drivers/i2c/busses/i2c-diolan-u2c.c +index 721f7eb..0fd2a09 100644 +--- a/drivers/i2c/busses/i2c-diolan-u2c.c ++++ b/drivers/i2c/busses/i2c-diolan-u2c.c +@@ -98,7 +98,7 @@ MODULE_PARM_DESC(frequency, "I2C clock frequency in hertz"); + /* usb layer */ + + /* Send command to device, and get response. */ +-static int diolan_usb_transfer(struct i2c_diolan_u2c *dev) ++static int __intentional_overflow(-1) diolan_usb_transfer(struct i2c_diolan_u2c *dev) + { + int ret = 0; + int actual; +diff --git a/drivers/i2c/busses/i2c-nforce2-s4985.c b/drivers/i2c/busses/i2c-nforce2-s4985.c +index b170bdf..3c76427 100644 +--- a/drivers/i2c/busses/i2c-nforce2-s4985.c ++++ b/drivers/i2c/busses/i2c-nforce2-s4985.c +@@ -41,7 +41,7 @@ + extern struct i2c_adapter *nforce2_smbus; + + static struct i2c_adapter *s4985_adapter; +-static struct i2c_algorithm *s4985_algo; ++static i2c_algorithm_no_const *s4985_algo; + + /* Wrapper access functions for multiplexed SMBus */ + static DEFINE_MUTEX(nforce2_lock); +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index 80b47e8..1a6040d9 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -277,7 +277,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client, + break; + } + +- data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf; ++ data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf; + rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len); + if (IS_ERR(rdwr_pa[i].buf)) { + res = PTR_ERR(rdwr_pa[i].buf); +diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c +index 0b510ba..4fbb5085 100644 +--- a/drivers/ide/ide-cd.c ++++ b/drivers/ide/ide-cd.c +@@ -768,7 +768,7 @@ static void cdrom_do_block_pc(ide_drive_t *drive, struct request *rq) + alignment = queue_dma_alignment(q) | q->dma_pad_mask; + if ((unsigned long)buf & alignment + || blk_rq_bytes(rq) & q->dma_pad_mask +- || object_is_on_stack(buf)) ++ || object_starts_on_stack(buf)) + drive->dma = 0; + } + } +diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c +index acc911a..8700c3c 100644 +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -527,7 +527,7 @@ static ssize_t iio_write_channel_info(struct device *dev, + } + + static +-int __iio_device_attr_init(struct device_attribute *dev_attr, ++int __iio_device_attr_init(device_attribute_no_const *dev_attr, + const char *postfix, + struct iio_chan_spec const *chan, + ssize_t (*readfunc)(struct device *dev, +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index 0601b9d..e9dc455 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -115,7 +115,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS] + + struct cm_counter_group { + struct kobject obj; +- atomic_long_t counter[CM_ATTR_COUNT]; ++ atomic_long_unchecked_t counter[CM_ATTR_COUNT]; + }; + + struct cm_counter_attribute { +@@ -1415,7 +1415,7 @@ static void cm_dup_req_handler(struct cm_work *work, + struct ib_mad_send_buf *msg = NULL; + int ret; + +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_REQ_COUNTER]); + + /* Quick state check to discard duplicate REQs. */ +@@ -1802,7 +1802,7 @@ static void cm_dup_rep_handler(struct cm_work *work) + if (!cm_id_priv) + return; + +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_REP_COUNTER]); + ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg); + if (ret) +@@ -1969,7 +1969,7 @@ static int cm_rtu_handler(struct cm_work *work) + if (cm_id_priv->id.state != IB_CM_REP_SENT && + cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) { + spin_unlock_irq(&cm_id_priv->lock); +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_RTU_COUNTER]); + goto out; + } +@@ -2152,7 +2152,7 @@ static int cm_dreq_handler(struct cm_work *work) + cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id, + dreq_msg->local_comm_id); + if (!cm_id_priv) { +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_DREQ_COUNTER]); + cm_issue_drep(work->port, work->mad_recv_wc); + return -EINVAL; +@@ -2177,7 +2177,7 @@ static int cm_dreq_handler(struct cm_work *work) + case IB_CM_MRA_REP_RCVD: + break; + case IB_CM_TIMEWAIT: +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_DREQ_COUNTER]); + if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg)) + goto unlock; +@@ -2191,7 +2191,7 @@ static int cm_dreq_handler(struct cm_work *work) + cm_free_msg(msg); + goto deref; + case IB_CM_DREQ_RCVD: +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_DREQ_COUNTER]); + goto unlock; + default: +@@ -2558,7 +2558,7 @@ static int cm_mra_handler(struct cm_work *work) + ib_modify_mad(cm_id_priv->av.port->mad_agent, + cm_id_priv->msg, timeout)) { + if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD) +- atomic_long_inc(&work->port-> ++ atomic_long_inc_unchecked(&work->port-> + counter_group[CM_RECV_DUPLICATES]. + counter[CM_MRA_COUNTER]); + goto out; +@@ -2567,7 +2567,7 @@ static int cm_mra_handler(struct cm_work *work) + break; + case IB_CM_MRA_REQ_RCVD: + case IB_CM_MRA_REP_RCVD: +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_MRA_COUNTER]); + /* fall through */ + default: +@@ -2729,7 +2729,7 @@ static int cm_lap_handler(struct cm_work *work) + case IB_CM_LAP_IDLE: + break; + case IB_CM_MRA_LAP_SENT: +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_LAP_COUNTER]); + if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg)) + goto unlock; +@@ -2745,7 +2745,7 @@ static int cm_lap_handler(struct cm_work *work) + cm_free_msg(msg); + goto deref; + case IB_CM_LAP_RCVD: +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_LAP_COUNTER]); + goto unlock; + default: +@@ -3029,7 +3029,7 @@ static int cm_sidr_req_handler(struct cm_work *work) + cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv); + if (cur_cm_id_priv) { + spin_unlock_irq(&cm.lock); +- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES]. ++ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES]. + counter[CM_SIDR_REQ_COUNTER]); + goto out; /* Duplicate message. */ + } +@@ -3241,10 +3241,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent, + if (!msg->context[0] && (attr_index != CM_REJ_COUNTER)) + msg->retries = 1; + +- atomic_long_add(1 + msg->retries, ++ atomic_long_add_unchecked(1 + msg->retries, + &port->counter_group[CM_XMIT].counter[attr_index]); + if (msg->retries) +- atomic_long_add(msg->retries, ++ atomic_long_add_unchecked(msg->retries, + &port->counter_group[CM_XMIT_RETRIES]. + counter[attr_index]); + +@@ -3454,7 +3454,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent, + } + + attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id); +- atomic_long_inc(&port->counter_group[CM_RECV]. ++ atomic_long_inc_unchecked(&port->counter_group[CM_RECV]. + counter[attr_id - CM_ATTR_ID_OFFSET]); + + work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths, +@@ -3685,7 +3685,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr, + cm_attr = container_of(attr, struct cm_counter_attribute, attr); + + return sprintf(buf, "%ld\n", +- atomic_long_read(&group->counter[cm_attr->index])); ++ atomic_long_read_unchecked(&group->counter[cm_attr->index])); + } + + static const struct sysfs_ops cm_counter_ops = { +diff --git a/drivers/infiniband/core/fmr_pool.c b/drivers/infiniband/core/fmr_pool.c +index 9f5ad7c..588cd84 100644 +--- a/drivers/infiniband/core/fmr_pool.c ++++ b/drivers/infiniband/core/fmr_pool.c +@@ -98,8 +98,8 @@ struct ib_fmr_pool { + + struct task_struct *thread; + +- atomic_t req_ser; +- atomic_t flush_ser; ++ atomic_unchecked_t req_ser; ++ atomic_unchecked_t flush_ser; + + wait_queue_head_t force_wait; + }; +@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *pool_ptr) + struct ib_fmr_pool *pool = pool_ptr; + + do { +- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) { ++ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) { + ib_fmr_batch_release(pool); + +- atomic_inc(&pool->flush_ser); ++ atomic_inc_unchecked(&pool->flush_ser); + wake_up_interruptible(&pool->force_wait); + + if (pool->flush_function) +@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *pool_ptr) + } + + set_current_state(TASK_INTERRUPTIBLE); +- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 && ++ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 && + !kthread_should_stop()) + schedule(); + __set_current_state(TASK_RUNNING); +@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(struct ib_pd *pd, + pool->dirty_watermark = params->dirty_watermark; + pool->dirty_len = 0; + spin_lock_init(&pool->pool_lock); +- atomic_set(&pool->req_ser, 0); +- atomic_set(&pool->flush_ser, 0); ++ atomic_set_unchecked(&pool->req_ser, 0); ++ atomic_set_unchecked(&pool->flush_ser, 0); + init_waitqueue_head(&pool->force_wait); + + pool->thread = kthread_run(ib_fmr_cleanup_thread, +@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool *pool) + } + spin_unlock_irq(&pool->pool_lock); + +- serial = atomic_inc_return(&pool->req_ser); ++ serial = atomic_inc_return_unchecked(&pool->req_ser); + wake_up_process(pool->thread); + + if (wait_event_interruptible(pool->force_wait, +- atomic_read(&pool->flush_ser) - serial >= 0)) ++ atomic_read_unchecked(&pool->flush_ser) - serial >= 0)) + return -EINTR; + + return 0; +@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr *fmr) + } else { + list_add_tail(&fmr->list, &pool->dirty_list); + if (++pool->dirty_len >= pool->dirty_watermark) { +- atomic_inc(&pool->req_ser); ++ atomic_inc_unchecked(&pool->req_ser); + wake_up_process(pool->thread); + } + } +diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c +index 41b1195..27971a0 100644 +--- a/drivers/infiniband/hw/cxgb4/mem.c ++++ b/drivers/infiniband/hw/cxgb4/mem.c +@@ -249,7 +249,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry, + int err; + struct fw_ri_tpte tpt; + u32 stag_idx; +- static atomic_t key; ++ static atomic_unchecked_t key; + + if (c4iw_fatal_error(rdev)) + return -EIO; +@@ -266,7 +266,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry, + if (rdev->stats.stag.cur > rdev->stats.stag.max) + rdev->stats.stag.max = rdev->stats.stag.cur; + mutex_unlock(&rdev->stats.lock); +- *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff); ++ *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff); + } + PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n", + __func__, stag_state, type, pdid, stag_idx); +diff --git a/drivers/infiniband/hw/ipath/ipath_dma.c b/drivers/infiniband/hw/ipath/ipath_dma.c +index 644c2c7..ecf0879 100644 +--- a/drivers/infiniband/hw/ipath/ipath_dma.c ++++ b/drivers/infiniband/hw/ipath/ipath_dma.c +@@ -176,17 +176,17 @@ static void ipath_dma_free_coherent(struct ib_device *dev, size_t size, + } + + struct ib_dma_mapping_ops ipath_dma_mapping_ops = { +- ipath_mapping_error, +- ipath_dma_map_single, +- ipath_dma_unmap_single, +- ipath_dma_map_page, +- ipath_dma_unmap_page, +- ipath_map_sg, +- ipath_unmap_sg, +- ipath_sg_dma_address, +- ipath_sg_dma_len, +- ipath_sync_single_for_cpu, +- ipath_sync_single_for_device, +- ipath_dma_alloc_coherent, +- ipath_dma_free_coherent ++ .mapping_error = ipath_mapping_error, ++ .map_single = ipath_dma_map_single, ++ .unmap_single = ipath_dma_unmap_single, ++ .map_page = ipath_dma_map_page, ++ .unmap_page = ipath_dma_unmap_page, ++ .map_sg = ipath_map_sg, ++ .unmap_sg = ipath_unmap_sg, ++ .dma_address = ipath_sg_dma_address, ++ .dma_len = ipath_sg_dma_len, ++ .sync_single_for_cpu = ipath_sync_single_for_cpu, ++ .sync_single_for_device = ipath_sync_single_for_device, ++ .alloc_coherent = ipath_dma_alloc_coherent, ++ .free_coherent = ipath_dma_free_coherent + }; +diff --git a/drivers/infiniband/hw/ipath/ipath_rc.c b/drivers/infiniband/hw/ipath/ipath_rc.c +index 79b3dbc..96e5fcc 100644 +--- a/drivers/infiniband/hw/ipath/ipath_rc.c ++++ b/drivers/infiniband/hw/ipath/ipath_rc.c +@@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr, + struct ib_atomic_eth *ateth; + struct ipath_ack_entry *e; + u64 vaddr; +- atomic64_t *maddr; ++ atomic64_unchecked_t *maddr; + u64 sdata; + u32 rkey; + u8 next; +@@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr, + IB_ACCESS_REMOTE_ATOMIC))) + goto nack_acc_unlck; + /* Perform atomic OP and save result. */ +- maddr = (atomic64_t *) qp->r_sge.sge.vaddr; ++ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr; + sdata = be64_to_cpu(ateth->swap_data); + e = &qp->s_ack_queue[qp->r_head_ack_queue]; + e->atomic_data = (opcode == OP(FETCH_ADD)) ? +- (u64) atomic64_add_return(sdata, maddr) - sdata : ++ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata : + (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr, + be64_to_cpu(ateth->compare_data), + sdata); +diff --git a/drivers/infiniband/hw/ipath/ipath_ruc.c b/drivers/infiniband/hw/ipath/ipath_ruc.c +index 1f95bba..9530f87 100644 +--- a/drivers/infiniband/hw/ipath/ipath_ruc.c ++++ b/drivers/infiniband/hw/ipath/ipath_ruc.c +@@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ipath_qp *sqp) + unsigned long flags; + struct ib_wc wc; + u64 sdata; +- atomic64_t *maddr; ++ atomic64_unchecked_t *maddr; + enum ib_wc_status send_status; + + /* +@@ -382,11 +382,11 @@ again: + IB_ACCESS_REMOTE_ATOMIC))) + goto acc_err; + /* Perform atomic OP and save result. */ +- maddr = (atomic64_t *) qp->r_sge.sge.vaddr; ++ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr; + sdata = wqe->wr.wr.atomic.compare_add; + *(u64 *) sqp->s_sge.sge.vaddr = + (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ? +- (u64) atomic64_add_return(sdata, maddr) - sdata : ++ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata : + (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr, + sdata, wqe->wr.wr.atomic.swap); + goto send_comp; +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index f2a3f48..673ec79 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -98,7 +98,7 @@ __be64 mlx4_ib_gen_node_guid(void) + + __be64 mlx4_ib_get_new_demux_tid(struct mlx4_ib_demux_ctx *ctx) + { +- return cpu_to_be64(atomic_inc_return(&ctx->tid)) | ++ return cpu_to_be64(atomic_inc_return_unchecked(&ctx->tid)) | + cpu_to_be64(0xff00000000000000LL); + } + +diff --git a/drivers/infiniband/hw/mlx4/mcg.c b/drivers/infiniband/hw/mlx4/mcg.c +index 25b2cdf..099ff97 100644 +--- a/drivers/infiniband/hw/mlx4/mcg.c ++++ b/drivers/infiniband/hw/mlx4/mcg.c +@@ -1040,7 +1040,7 @@ int mlx4_ib_mcg_port_init(struct mlx4_ib_demux_ctx *ctx) + { + char name[20]; + +- atomic_set(&ctx->tid, 0); ++ atomic_set_unchecked(&ctx->tid, 0); + sprintf(name, "mlx4_ib_mcg%d", ctx->port); + ctx->mcg_wq = create_singlethread_workqueue(name); + if (!ctx->mcg_wq) +diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h +index a230683..3723f2d 100644 +--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h ++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h +@@ -408,7 +408,7 @@ struct mlx4_ib_demux_ctx { + struct list_head mcg_mgid0_list; + struct workqueue_struct *mcg_wq; + struct mlx4_ib_demux_pv_ctx **tun; +- atomic_t tid; ++ atomic_unchecked_t tid; + int flushing; /* flushing the work queue */ + }; + +diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c +index 9d3e5c1..6f166df 100644 +--- a/drivers/infiniband/hw/mthca/mthca_cmd.c ++++ b/drivers/infiniband/hw/mthca/mthca_cmd.c +@@ -772,7 +772,7 @@ static void mthca_setup_cmd_doorbells(struct mthca_dev *dev, u64 base) + mthca_dbg(dev, "Mapped doorbell page for posting FW commands\n"); + } + +-int mthca_QUERY_FW(struct mthca_dev *dev) ++int __intentional_overflow(-1) mthca_QUERY_FW(struct mthca_dev *dev) + { + struct mthca_mailbox *mailbox; + u32 *outbox; +@@ -1612,7 +1612,7 @@ int mthca_HW2SW_MPT(struct mthca_dev *dev, struct mthca_mailbox *mailbox, + CMD_TIME_CLASS_B); + } + +-int mthca_WRITE_MTT(struct mthca_dev *dev, struct mthca_mailbox *mailbox, ++int __intentional_overflow(-1) mthca_WRITE_MTT(struct mthca_dev *dev, struct mthca_mailbox *mailbox, + int num_mtt) + { + return mthca_cmd(dev, mailbox->dma, num_mtt, 0, CMD_WRITE_MTT, +@@ -1634,7 +1634,7 @@ int mthca_MAP_EQ(struct mthca_dev *dev, u64 event_mask, int unmap, + 0, CMD_MAP_EQ, CMD_TIME_CLASS_B); + } + +-int mthca_SW2HW_EQ(struct mthca_dev *dev, struct mthca_mailbox *mailbox, ++int __intentional_overflow(-1) mthca_SW2HW_EQ(struct mthca_dev *dev, struct mthca_mailbox *mailbox, + int eq_num) + { + return mthca_cmd(dev, mailbox->dma, eq_num, 0, CMD_SW2HW_EQ, +@@ -1857,7 +1857,7 @@ int mthca_CONF_SPECIAL_QP(struct mthca_dev *dev, int type, u32 qpn) + CMD_TIME_CLASS_B); + } + +-int mthca_MAD_IFC(struct mthca_dev *dev, int ignore_mkey, int ignore_bkey, ++int __intentional_overflow(-1) mthca_MAD_IFC(struct mthca_dev *dev, int ignore_mkey, int ignore_bkey, + int port, struct ib_wc *in_wc, struct ib_grh *in_grh, + void *in_mad, void *response_mad) + { +diff --git a/drivers/infiniband/hw/mthca/mthca_main.c b/drivers/infiniband/hw/mthca/mthca_main.c +index 87897b9..7e79542 100644 +--- a/drivers/infiniband/hw/mthca/mthca_main.c ++++ b/drivers/infiniband/hw/mthca/mthca_main.c +@@ -692,7 +692,7 @@ err_close: + return err; + } + +-static int mthca_setup_hca(struct mthca_dev *dev) ++static int __intentional_overflow(-1) mthca_setup_hca(struct mthca_dev *dev) + { + int err; + +diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c +index ed9a989..6aa5dc2 100644 +--- a/drivers/infiniband/hw/mthca/mthca_mr.c ++++ b/drivers/infiniband/hw/mthca/mthca_mr.c +@@ -81,7 +81,7 @@ struct mthca_mpt_entry { + * through the bitmaps) + */ + +-static u32 mthca_buddy_alloc(struct mthca_buddy *buddy, int order) ++static u32 __intentional_overflow(-1) mthca_buddy_alloc(struct mthca_buddy *buddy, int order) + { + int o; + int m; +@@ -426,7 +426,7 @@ static inline u32 adjust_key(struct mthca_dev *dev, u32 key) + return key; + } + +-int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift, ++int __intentional_overflow(-1) mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift, + u64 iova, u64 total_size, u32 access, struct mthca_mr *mr) + { + struct mthca_mailbox *mailbox; +@@ -516,7 +516,7 @@ int mthca_mr_alloc_notrans(struct mthca_dev *dev, u32 pd, + return mthca_mr_alloc(dev, pd, 12, 0, ~0ULL, access, mr); + } + +-int mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd, ++int __intentional_overflow(-1) mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd, + u64 *buffer_list, int buffer_size_shift, + int list_len, u64 iova, u64 total_size, + u32 access, struct mthca_mr *mr) +diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c +index 5b71d43..35a9e14 100644 +--- a/drivers/infiniband/hw/mthca/mthca_provider.c ++++ b/drivers/infiniband/hw/mthca/mthca_provider.c +@@ -763,7 +763,7 @@ unlock: + return 0; + } + +-static int mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata) ++static int __intentional_overflow(-1) mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata) + { + struct mthca_dev *dev = to_mdev(ibcq->device); + struct mthca_cq *cq = to_mcq(ibcq); +diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c +index 353c7b0..c6ce921 100644 +--- a/drivers/infiniband/hw/nes/nes.c ++++ b/drivers/infiniband/hw/nes/nes.c +@@ -98,7 +98,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limit max read request size to 256 Bytes"); + LIST_HEAD(nes_adapter_list); + static LIST_HEAD(nes_dev_list); + +-atomic_t qps_destroyed; ++atomic_unchecked_t qps_destroyed; + + static unsigned int ee_flsh_adapter; + static unsigned int sysfs_nonidx_addr; +@@ -269,7 +269,7 @@ static void nes_cqp_rem_ref_callback(struct nes_device *nesdev, struct nes_cqp_r + struct nes_qp *nesqp = cqp_request->cqp_callback_pointer; + struct nes_adapter *nesadapter = nesdev->nesadapter; + +- atomic_inc(&qps_destroyed); ++ atomic_inc_unchecked(&qps_destroyed); + + /* Free the control structures */ + +diff --git a/drivers/infiniband/hw/nes/nes.h b/drivers/infiniband/hw/nes/nes.h +index 33cc589..3bd6538 100644 +--- a/drivers/infiniband/hw/nes/nes.h ++++ b/drivers/infiniband/hw/nes/nes.h +@@ -177,17 +177,17 @@ extern unsigned int nes_debug_level; + extern unsigned int wqm_quanta; + extern struct list_head nes_adapter_list; + +-extern atomic_t cm_connects; +-extern atomic_t cm_accepts; +-extern atomic_t cm_disconnects; +-extern atomic_t cm_closes; +-extern atomic_t cm_connecteds; +-extern atomic_t cm_connect_reqs; +-extern atomic_t cm_rejects; +-extern atomic_t mod_qp_timouts; +-extern atomic_t qps_created; +-extern atomic_t qps_destroyed; +-extern atomic_t sw_qps_destroyed; ++extern atomic_unchecked_t cm_connects; ++extern atomic_unchecked_t cm_accepts; ++extern atomic_unchecked_t cm_disconnects; ++extern atomic_unchecked_t cm_closes; ++extern atomic_unchecked_t cm_connecteds; ++extern atomic_unchecked_t cm_connect_reqs; ++extern atomic_unchecked_t cm_rejects; ++extern atomic_unchecked_t mod_qp_timouts; ++extern atomic_unchecked_t qps_created; ++extern atomic_unchecked_t qps_destroyed; ++extern atomic_unchecked_t sw_qps_destroyed; + extern u32 mh_detected; + extern u32 mh_pauses_sent; + extern u32 cm_packets_sent; +@@ -196,16 +196,16 @@ extern u32 cm_packets_created; + extern u32 cm_packets_received; + extern u32 cm_packets_dropped; + extern u32 cm_packets_retrans; +-extern atomic_t cm_listens_created; +-extern atomic_t cm_listens_destroyed; ++extern atomic_unchecked_t cm_listens_created; ++extern atomic_unchecked_t cm_listens_destroyed; + extern u32 cm_backlog_drops; +-extern atomic_t cm_loopbacks; +-extern atomic_t cm_nodes_created; +-extern atomic_t cm_nodes_destroyed; +-extern atomic_t cm_accel_dropped_pkts; +-extern atomic_t cm_resets_recvd; +-extern atomic_t pau_qps_created; +-extern atomic_t pau_qps_destroyed; ++extern atomic_unchecked_t cm_loopbacks; ++extern atomic_unchecked_t cm_nodes_created; ++extern atomic_unchecked_t cm_nodes_destroyed; ++extern atomic_unchecked_t cm_accel_dropped_pkts; ++extern atomic_unchecked_t cm_resets_recvd; ++extern atomic_unchecked_t pau_qps_created; ++extern atomic_unchecked_t pau_qps_destroyed; + + extern u32 int_mod_timer_init; + extern u32 int_mod_cq_depth_256; +diff --git a/drivers/infiniband/hw/nes/nes_cm.c b/drivers/infiniband/hw/nes/nes_cm.c +index 9c9f2f5..2559190 100644 +--- a/drivers/infiniband/hw/nes/nes_cm.c ++++ b/drivers/infiniband/hw/nes/nes_cm.c +@@ -68,14 +68,14 @@ u32 cm_packets_dropped; + u32 cm_packets_retrans; + u32 cm_packets_created; + u32 cm_packets_received; +-atomic_t cm_listens_created; +-atomic_t cm_listens_destroyed; ++atomic_unchecked_t cm_listens_created; ++atomic_unchecked_t cm_listens_destroyed; + u32 cm_backlog_drops; +-atomic_t cm_loopbacks; +-atomic_t cm_nodes_created; +-atomic_t cm_nodes_destroyed; +-atomic_t cm_accel_dropped_pkts; +-atomic_t cm_resets_recvd; ++atomic_unchecked_t cm_loopbacks; ++atomic_unchecked_t cm_nodes_created; ++atomic_unchecked_t cm_nodes_destroyed; ++atomic_unchecked_t cm_accel_dropped_pkts; ++atomic_unchecked_t cm_resets_recvd; + + static inline int mini_cm_accelerated(struct nes_cm_core *, struct nes_cm_node *); + static struct nes_cm_listener *mini_cm_listen(struct nes_cm_core *, struct nes_vnic *, struct nes_cm_info *); +@@ -133,28 +133,28 @@ static void print_core(struct nes_cm_core *core); + /* instance of function pointers for client API */ + /* set address of this instance to cm_core->cm_ops at cm_core alloc */ + static struct nes_cm_ops nes_cm_api = { +- mini_cm_accelerated, +- mini_cm_listen, +- mini_cm_del_listen, +- mini_cm_connect, +- mini_cm_close, +- mini_cm_accept, +- mini_cm_reject, +- mini_cm_recv_pkt, +- mini_cm_dealloc_core, +- mini_cm_get, +- mini_cm_set ++ .accelerated = mini_cm_accelerated, ++ .listen = mini_cm_listen, ++ .stop_listener = mini_cm_del_listen, ++ .connect = mini_cm_connect, ++ .close = mini_cm_close, ++ .accept = mini_cm_accept, ++ .reject = mini_cm_reject, ++ .recv_pkt = mini_cm_recv_pkt, ++ .destroy_cm_core = mini_cm_dealloc_core, ++ .get = mini_cm_get, ++ .set = mini_cm_set + }; + + static struct nes_cm_core *g_cm_core; + +-atomic_t cm_connects; +-atomic_t cm_accepts; +-atomic_t cm_disconnects; +-atomic_t cm_closes; +-atomic_t cm_connecteds; +-atomic_t cm_connect_reqs; +-atomic_t cm_rejects; ++atomic_unchecked_t cm_connects; ++atomic_unchecked_t cm_accepts; ++atomic_unchecked_t cm_disconnects; ++atomic_unchecked_t cm_closes; ++atomic_unchecked_t cm_connecteds; ++atomic_unchecked_t cm_connect_reqs; ++atomic_unchecked_t cm_rejects; + + int nes_add_ref_cm_node(struct nes_cm_node *cm_node) + { +@@ -1272,7 +1272,7 @@ static int mini_cm_dec_refcnt_listen(struct nes_cm_core *cm_core, + kfree(listener); + listener = NULL; + ret = 0; +- atomic_inc(&cm_listens_destroyed); ++ atomic_inc_unchecked(&cm_listens_destroyed); + } else { + spin_unlock_irqrestore(&cm_core->listen_list_lock, flags); + } +@@ -1465,7 +1465,7 @@ static struct nes_cm_node *make_cm_node(struct nes_cm_core *cm_core, + cm_node->rem_mac); + + add_hte_node(cm_core, cm_node); +- atomic_inc(&cm_nodes_created); ++ atomic_inc_unchecked(&cm_nodes_created); + + return cm_node; + } +@@ -1523,7 +1523,7 @@ static int rem_ref_cm_node(struct nes_cm_core *cm_core, + } + + atomic_dec(&cm_core->node_cnt); +- atomic_inc(&cm_nodes_destroyed); ++ atomic_inc_unchecked(&cm_nodes_destroyed); + nesqp = cm_node->nesqp; + if (nesqp) { + nesqp->cm_node = NULL; +@@ -1587,7 +1587,7 @@ static int process_options(struct nes_cm_node *cm_node, u8 *optionsloc, + + static void drop_packet(struct sk_buff *skb) + { +- atomic_inc(&cm_accel_dropped_pkts); ++ atomic_inc_unchecked(&cm_accel_dropped_pkts); + dev_kfree_skb_any(skb); + } + +@@ -1650,7 +1650,7 @@ static void handle_rst_pkt(struct nes_cm_node *cm_node, struct sk_buff *skb, + { + + int reset = 0; /* whether to send reset in case of err.. */ +- atomic_inc(&cm_resets_recvd); ++ atomic_inc_unchecked(&cm_resets_recvd); + nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u." + " refcnt=%d\n", cm_node, cm_node->state, + atomic_read(&cm_node->ref_count)); +@@ -2291,7 +2291,7 @@ static struct nes_cm_node *mini_cm_connect(struct nes_cm_core *cm_core, + rem_ref_cm_node(cm_node->cm_core, cm_node); + return NULL; + } +- atomic_inc(&cm_loopbacks); ++ atomic_inc_unchecked(&cm_loopbacks); + loopbackremotenode->loopbackpartner = cm_node; + loopbackremotenode->tcp_cntxt.rcv_wscale = + NES_CM_DEFAULT_RCV_WND_SCALE; +@@ -2566,7 +2566,7 @@ static int mini_cm_recv_pkt(struct nes_cm_core *cm_core, + nes_queue_mgt_skbs(skb, nesvnic, cm_node->nesqp); + else { + rem_ref_cm_node(cm_core, cm_node); +- atomic_inc(&cm_accel_dropped_pkts); ++ atomic_inc_unchecked(&cm_accel_dropped_pkts); + dev_kfree_skb_any(skb); + } + break; +@@ -2874,7 +2874,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp) + + if ((cm_id) && (cm_id->event_handler)) { + if (issue_disconn) { +- atomic_inc(&cm_disconnects); ++ atomic_inc_unchecked(&cm_disconnects); + cm_event.event = IW_CM_EVENT_DISCONNECT; + cm_event.status = disconn_status; + cm_event.local_addr = cm_id->local_addr; +@@ -2896,7 +2896,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp) + } + + if (issue_close) { +- atomic_inc(&cm_closes); ++ atomic_inc_unchecked(&cm_closes); + nes_disconnect(nesqp, 1); + + cm_id->provider_data = nesqp; +@@ -3034,7 +3034,7 @@ int nes_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + + nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n", + nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener); +- atomic_inc(&cm_accepts); ++ atomic_inc_unchecked(&cm_accepts); + + nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n", + netdev_refcnt_read(nesvnic->netdev)); +@@ -3223,7 +3223,7 @@ int nes_reject(struct iw_cm_id *cm_id, const void *pdata, u8 pdata_len) + struct nes_cm_core *cm_core; + u8 *start_buff; + +- atomic_inc(&cm_rejects); ++ atomic_inc_unchecked(&cm_rejects); + cm_node = (struct nes_cm_node *)cm_id->provider_data; + loopback = cm_node->loopbackpartner; + cm_core = cm_node->cm_core; +@@ -3285,7 +3285,7 @@ int nes_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + ntohs(raddr->sin_port), ntohl(laddr->sin_addr.s_addr), + ntohs(laddr->sin_port)); + +- atomic_inc(&cm_connects); ++ atomic_inc_unchecked(&cm_connects); + nesqp->active_conn = 1; + + /* cache the cm_id in the qp */ +@@ -3397,7 +3397,7 @@ int nes_create_listen(struct iw_cm_id *cm_id, int backlog) + g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node); + return err; + } +- atomic_inc(&cm_listens_created); ++ atomic_inc_unchecked(&cm_listens_created); + } + + cm_id->add_ref(cm_id); +@@ -3504,7 +3504,7 @@ static void cm_event_connected(struct nes_cm_event *event) + + if (nesqp->destroyed) + return; +- atomic_inc(&cm_connecteds); ++ atomic_inc_unchecked(&cm_connecteds); + nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on" + " local port 0x%04X. jiffies = %lu.\n", + nesqp->hwqp.qp_id, ntohl(raddr->sin_addr.s_addr), +@@ -3685,7 +3685,7 @@ static void cm_event_reset(struct nes_cm_event *event) + + cm_id->add_ref(cm_id); + ret = cm_id->event_handler(cm_id, &cm_event); +- atomic_inc(&cm_closes); ++ atomic_inc_unchecked(&cm_closes); + cm_event.event = IW_CM_EVENT_CLOSE; + cm_event.status = 0; + cm_event.provider_data = cm_id->provider_data; +@@ -3725,7 +3725,7 @@ static void cm_event_mpa_req(struct nes_cm_event *event) + return; + cm_id = cm_node->cm_id; + +- atomic_inc(&cm_connect_reqs); ++ atomic_inc_unchecked(&cm_connect_reqs); + nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n", + cm_node, cm_id, jiffies); + +@@ -3769,7 +3769,7 @@ static void cm_event_mpa_reject(struct nes_cm_event *event) + return; + cm_id = cm_node->cm_id; + +- atomic_inc(&cm_connect_reqs); ++ atomic_inc_unchecked(&cm_connect_reqs); + nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n", + cm_node, cm_id, jiffies); + +diff --git a/drivers/infiniband/hw/nes/nes_mgt.c b/drivers/infiniband/hw/nes/nes_mgt.c +index 4166452..fc952c3 100644 +--- a/drivers/infiniband/hw/nes/nes_mgt.c ++++ b/drivers/infiniband/hw/nes/nes_mgt.c +@@ -40,8 +40,8 @@ + #include "nes.h" + #include "nes_mgt.h" + +-atomic_t pau_qps_created; +-atomic_t pau_qps_destroyed; ++atomic_unchecked_t pau_qps_created; ++atomic_unchecked_t pau_qps_destroyed; + + static void nes_replenish_mgt_rq(struct nes_vnic_mgt *mgtvnic) + { +@@ -621,7 +621,7 @@ void nes_destroy_pau_qp(struct nes_device *nesdev, struct nes_qp *nesqp) + { + struct sk_buff *skb; + unsigned long flags; +- atomic_inc(&pau_qps_destroyed); ++ atomic_inc_unchecked(&pau_qps_destroyed); + + /* Free packets that have not yet been forwarded */ + /* Lock is acquired by skb_dequeue when removing the skb */ +@@ -810,7 +810,7 @@ static void nes_mgt_ce_handler(struct nes_device *nesdev, struct nes_hw_nic_cq * + cq->cq_vbase[head].cqe_words[NES_NIC_CQE_HASH_RCVNXT]); + skb_queue_head_init(&nesqp->pau_list); + spin_lock_init(&nesqp->pau_lock); +- atomic_inc(&pau_qps_created); ++ atomic_inc_unchecked(&pau_qps_created); + nes_change_quad_hash(nesdev, mgtvnic->nesvnic, nesqp); + } + +diff --git a/drivers/infiniband/hw/nes/nes_nic.c b/drivers/infiniband/hw/nes/nes_nic.c +index 49eb511..a774366 100644 +--- a/drivers/infiniband/hw/nes/nes_nic.c ++++ b/drivers/infiniband/hw/nes/nes_nic.c +@@ -1273,39 +1273,39 @@ static void nes_netdev_get_ethtool_stats(struct net_device *netdev, + target_stat_values[++index] = mh_detected; + target_stat_values[++index] = mh_pauses_sent; + target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits; +- target_stat_values[++index] = atomic_read(&cm_connects); +- target_stat_values[++index] = atomic_read(&cm_accepts); +- target_stat_values[++index] = atomic_read(&cm_disconnects); +- target_stat_values[++index] = atomic_read(&cm_connecteds); +- target_stat_values[++index] = atomic_read(&cm_connect_reqs); +- target_stat_values[++index] = atomic_read(&cm_rejects); +- target_stat_values[++index] = atomic_read(&mod_qp_timouts); +- target_stat_values[++index] = atomic_read(&qps_created); +- target_stat_values[++index] = atomic_read(&sw_qps_destroyed); +- target_stat_values[++index] = atomic_read(&qps_destroyed); +- target_stat_values[++index] = atomic_read(&cm_closes); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_connects); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_accepts); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_rejects); ++ target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts); ++ target_stat_values[++index] = atomic_read_unchecked(&qps_created); ++ target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed); ++ target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_closes); + target_stat_values[++index] = cm_packets_sent; + target_stat_values[++index] = cm_packets_bounced; + target_stat_values[++index] = cm_packets_created; + target_stat_values[++index] = cm_packets_received; + target_stat_values[++index] = cm_packets_dropped; + target_stat_values[++index] = cm_packets_retrans; +- target_stat_values[++index] = atomic_read(&cm_listens_created); +- target_stat_values[++index] = atomic_read(&cm_listens_destroyed); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed); + target_stat_values[++index] = cm_backlog_drops; +- target_stat_values[++index] = atomic_read(&cm_loopbacks); +- target_stat_values[++index] = atomic_read(&cm_nodes_created); +- target_stat_values[++index] = atomic_read(&cm_nodes_destroyed); +- target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts); +- target_stat_values[++index] = atomic_read(&cm_resets_recvd); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts); ++ target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd); + target_stat_values[++index] = nesadapter->free_4kpbl; + target_stat_values[++index] = nesadapter->free_256pbl; + target_stat_values[++index] = int_mod_timer_init; + target_stat_values[++index] = nesvnic->lro_mgr.stats.aggregated; + target_stat_values[++index] = nesvnic->lro_mgr.stats.flushed; + target_stat_values[++index] = nesvnic->lro_mgr.stats.no_desc; +- target_stat_values[++index] = atomic_read(&pau_qps_created); +- target_stat_values[++index] = atomic_read(&pau_qps_destroyed); ++ target_stat_values[++index] = atomic_read_unchecked(&pau_qps_created); ++ target_stat_values[++index] = atomic_read_unchecked(&pau_qps_destroyed); + } + + /** +diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c +index 8308e36..ae0d3b5 100644 +--- a/drivers/infiniband/hw/nes/nes_verbs.c ++++ b/drivers/infiniband/hw/nes/nes_verbs.c +@@ -46,9 +46,9 @@ + + #include + +-atomic_t mod_qp_timouts; +-atomic_t qps_created; +-atomic_t sw_qps_destroyed; ++atomic_unchecked_t mod_qp_timouts; ++atomic_unchecked_t qps_created; ++atomic_unchecked_t sw_qps_destroyed; + + static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev); + +@@ -1134,7 +1134,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd, + if (init_attr->create_flags) + return ERR_PTR(-EINVAL); + +- atomic_inc(&qps_created); ++ atomic_inc_unchecked(&qps_created); + switch (init_attr->qp_type) { + case IB_QPT_RC: + if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) { +@@ -1466,7 +1466,7 @@ static int nes_destroy_qp(struct ib_qp *ibqp) + struct iw_cm_event cm_event; + int ret = 0; + +- atomic_inc(&sw_qps_destroyed); ++ atomic_inc_unchecked(&sw_qps_destroyed); + nesqp->destroyed = 1; + + /* Blow away the connection if it exists. */ +diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h +index 1946101..09766d2 100644 +--- a/drivers/infiniband/hw/qib/qib.h ++++ b/drivers/infiniband/hw/qib/qib.h +@@ -52,6 +52,7 @@ + #include + #include + #include ++#include + + #include "qib_common.h" + #include "qib_verbs.h" +diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c +index 24c41ba..102d71f 100644 +--- a/drivers/input/gameport/gameport.c ++++ b/drivers/input/gameport/gameport.c +@@ -490,14 +490,14 @@ EXPORT_SYMBOL(gameport_set_phys); + */ + static void gameport_init_port(struct gameport *gameport) + { +- static atomic_t gameport_no = ATOMIC_INIT(0); ++ static atomic_unchecked_t gameport_no = ATOMIC_INIT(0); + + __module_get(THIS_MODULE); + + mutex_init(&gameport->drv_mutex); + device_initialize(&gameport->dev); + dev_set_name(&gameport->dev, "gameport%lu", +- (unsigned long)atomic_inc_return(&gameport_no) - 1); ++ (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1); + gameport->dev.bus = &gameport_bus; + gameport->dev.release = gameport_release_port; + if (gameport->parent) +diff --git a/drivers/input/input.c b/drivers/input/input.c +index 1c4c0db..6f7abe3 100644 +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -1772,7 +1772,7 @@ EXPORT_SYMBOL_GPL(input_class); + */ + struct input_dev *input_allocate_device(void) + { +- static atomic_t input_no = ATOMIC_INIT(0); ++ static atomic_unchecked_t input_no = ATOMIC_INIT(0); + struct input_dev *dev; + + dev = kzalloc(sizeof(struct input_dev), GFP_KERNEL); +@@ -1787,7 +1787,7 @@ struct input_dev *input_allocate_device(void) + INIT_LIST_HEAD(&dev->node); + + dev_set_name(&dev->dev, "input%ld", +- (unsigned long) atomic_inc_return(&input_no) - 1); ++ (unsigned long) atomic_inc_return_unchecked(&input_no) - 1); + + __module_get(THIS_MODULE); + } +diff --git a/drivers/input/joystick/sidewinder.c b/drivers/input/joystick/sidewinder.c +index 4a95b22..874c182 100644 +--- a/drivers/input/joystick/sidewinder.c ++++ b/drivers/input/joystick/sidewinder.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 603fe0d..f63decc 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -737,7 +737,7 @@ static void xpad_led_set(struct led_classdev *led_cdev, + + static int xpad_led_probe(struct usb_xpad *xpad) + { +- static atomic_t led_seq = ATOMIC_INIT(0); ++ static atomic_unchecked_t led_seq = ATOMIC_INIT(0); + long led_no; + struct xpad_led *led; + struct led_classdev *led_cdev; +@@ -750,7 +750,7 @@ static int xpad_led_probe(struct usb_xpad *xpad) + if (!led) + return -ENOMEM; + +- led_no = (long)atomic_inc_return(&led_seq) - 1; ++ led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1; + + snprintf(led->name, sizeof(led->name), "xpad%ld", led_no); + led->xpad = xpad; +diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c +index e204f26..8459f15 100644 +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1621,7 +1621,7 @@ static int ims_pcu_identify_type(struct ims_pcu *pcu, u8 *device_id) + + static int ims_pcu_init_application_mode(struct ims_pcu *pcu) + { +- static atomic_t device_no = ATOMIC_INIT(0); ++ static atomic_unchecked_t device_no = ATOMIC_INIT(0); + + const struct ims_pcu_device_info *info; + u8 device_id; +@@ -1653,7 +1653,7 @@ static int ims_pcu_init_application_mode(struct ims_pcu *pcu) + } + + /* Device appears to be operable, complete initialization */ +- pcu->device_no = atomic_inc_return(&device_no) - 1; ++ pcu->device_no = atomic_inc_return_unchecked(&device_no) - 1; + + error = ims_pcu_setup_backlight(pcu); + if (error) +diff --git a/drivers/input/mouse/psmouse.h b/drivers/input/mouse/psmouse.h +index 2f0b39d..7370f13 100644 +--- a/drivers/input/mouse/psmouse.h ++++ b/drivers/input/mouse/psmouse.h +@@ -116,7 +116,7 @@ struct psmouse_attribute { + ssize_t (*set)(struct psmouse *psmouse, void *data, + const char *buf, size_t count); + bool protect; +-}; ++} __do_const; + #define to_psmouse_attr(a) container_of((a), struct psmouse_attribute, dattr) + + ssize_t psmouse_attr_show_helper(struct device *dev, struct device_attribute *attr, +diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c +index b604564..3f14ae4 100644 +--- a/drivers/input/mousedev.c ++++ b/drivers/input/mousedev.c +@@ -744,7 +744,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer, + + spin_unlock_irq(&client->packet_lock); + +- if (copy_to_user(buffer, data, count)) ++ if (count > sizeof(data) || copy_to_user(buffer, data, count)) + return -EFAULT; + + return count; +diff --git a/drivers/input/serio/serio.c b/drivers/input/serio/serio.c +index 8f4c4ab..5fc8a45 100644 +--- a/drivers/input/serio/serio.c ++++ b/drivers/input/serio/serio.c +@@ -505,7 +505,7 @@ static void serio_release_port(struct device *dev) + */ + static void serio_init_port(struct serio *serio) + { +- static atomic_t serio_no = ATOMIC_INIT(0); ++ static atomic_unchecked_t serio_no = ATOMIC_INIT(0); + + __module_get(THIS_MODULE); + +@@ -516,7 +516,7 @@ static void serio_init_port(struct serio *serio) + mutex_init(&serio->drv_mutex); + device_initialize(&serio->dev); + dev_set_name(&serio->dev, "serio%ld", +- (long)atomic_inc_return(&serio_no) - 1); ++ (long)atomic_inc_return_unchecked(&serio_no) - 1); + serio->dev.bus = &serio_bus; + serio->dev.release = serio_release_port; + serio->dev.groups = serio_device_attr_groups; +diff --git a/drivers/input/serio/serio_raw.c b/drivers/input/serio/serio_raw.c +index c9a02fe..0debc75 100644 +--- a/drivers/input/serio/serio_raw.c ++++ b/drivers/input/serio/serio_raw.c +@@ -292,7 +292,7 @@ static irqreturn_t serio_raw_interrupt(struct serio *serio, unsigned char data, + + static int serio_raw_connect(struct serio *serio, struct serio_driver *drv) + { +- static atomic_t serio_raw_no = ATOMIC_INIT(0); ++ static atomic_unchecked_t serio_raw_no = ATOMIC_INIT(0); + struct serio_raw *serio_raw; + int err; + +@@ -303,7 +303,7 @@ static int serio_raw_connect(struct serio *serio, struct serio_driver *drv) + } + + snprintf(serio_raw->name, sizeof(serio_raw->name), +- "serio_raw%ld", (long)atomic_inc_return(&serio_raw_no) - 1); ++ "serio_raw%ld", (long)atomic_inc_return_unchecked(&serio_raw_no) - 1); + kref_init(&serio_raw->kref); + INIT_LIST_HEAD(&serio_raw->client_list); + init_waitqueue_head(&serio_raw->wait); +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index e5555fc..937986d 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -588,7 +588,7 @@ static struct notifier_block iommu_bus_nb = { + static void iommu_bus_init(struct bus_type *bus, struct iommu_ops *ops) + { + bus_register_notifier(bus, &iommu_bus_nb); +- bus_for_each_dev(bus, NULL, ops, add_iommu_group); ++ bus_for_each_dev(bus, NULL, (void *)ops, add_iommu_group); + } + + /** +diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c +index 228632c9..edfe331 100644 +--- a/drivers/iommu/irq_remapping.c ++++ b/drivers/iommu/irq_remapping.c +@@ -356,7 +356,7 @@ int setup_hpet_msi_remapped(unsigned int irq, unsigned int id) + void panic_if_irq_remap(const char *msg) + { + if (irq_remapping_enabled) +- panic(msg); ++ panic("%s", msg); + } + + static void ir_ack_apic_edge(struct irq_data *data) +@@ -377,10 +377,12 @@ static void ir_print_prefix(struct irq_data *data, struct seq_file *p) + + void irq_remap_modify_chip_defaults(struct irq_chip *chip) + { +- chip->irq_print_chip = ir_print_prefix; +- chip->irq_ack = ir_ack_apic_edge; +- chip->irq_eoi = ir_ack_apic_level; +- chip->irq_set_affinity = x86_io_apic_ops.set_affinity; ++ pax_open_kernel(); ++ *(void **)&chip->irq_print_chip = ir_print_prefix; ++ *(void **)&chip->irq_ack = ir_ack_apic_edge; ++ *(void **)&chip->irq_eoi = ir_ack_apic_level; ++ *(void **)&chip->irq_set_affinity = x86_io_apic_ops.set_affinity; ++ pax_close_kernel(); + } + + bool setup_remapped_irq(int irq, struct irq_cfg *cfg, struct irq_chip *chip) +diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c +index 341c601..e5f407e 100644 +--- a/drivers/irqchip/irq-gic.c ++++ b/drivers/irqchip/irq-gic.c +@@ -84,7 +84,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly; + * Supported arch specific GIC irq extension. + * Default make them NULL. + */ +-struct irq_chip gic_arch_extn = { ++irq_chip_no_const gic_arch_extn = { + .irq_eoi = NULL, + .irq_mask = NULL, + .irq_unmask = NULL, +@@ -332,7 +332,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc) + chained_irq_exit(chip, desc); + } + +-static struct irq_chip gic_chip = { ++static irq_chip_no_const gic_chip __read_only = { + .name = "GIC", + .irq_mask = gic_mask_irq, + .irq_unmask = gic_unmask_irq, +diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c +index ac6f72b..81150f2 100644 +--- a/drivers/isdn/capi/capi.c ++++ b/drivers/isdn/capi/capi.c +@@ -81,8 +81,8 @@ struct capiminor { + + struct capi20_appl *ap; + u32 ncci; +- atomic_t datahandle; +- atomic_t msgid; ++ atomic_unchecked_t datahandle; ++ atomic_unchecked_t msgid; + + struct tty_port port; + int ttyinstop; +@@ -391,7 +391,7 @@ gen_data_b3_resp_for(struct capiminor *mp, struct sk_buff *skb) + capimsg_setu16(s, 2, mp->ap->applid); + capimsg_setu8 (s, 4, CAPI_DATA_B3); + capimsg_setu8 (s, 5, CAPI_RESP); +- capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid)); ++ capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid)); + capimsg_setu32(s, 8, mp->ncci); + capimsg_setu16(s, 12, datahandle); + } +@@ -512,14 +512,14 @@ static void handle_minor_send(struct capiminor *mp) + mp->outbytes -= len; + spin_unlock_bh(&mp->outlock); + +- datahandle = atomic_inc_return(&mp->datahandle); ++ datahandle = atomic_inc_return_unchecked(&mp->datahandle); + skb_push(skb, CAPI_DATA_B3_REQ_LEN); + memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN); + capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN); + capimsg_setu16(skb->data, 2, mp->ap->applid); + capimsg_setu8 (skb->data, 4, CAPI_DATA_B3); + capimsg_setu8 (skb->data, 5, CAPI_REQ); +- capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid)); ++ capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid)); + capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */ + capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */ + capimsg_setu16(skb->data, 16, len); /* Data length */ +diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c +index c44950d..10ac276 100644 +--- a/drivers/isdn/gigaset/bas-gigaset.c ++++ b/drivers/isdn/gigaset/bas-gigaset.c +@@ -2564,22 +2564,22 @@ static int gigaset_post_reset(struct usb_interface *intf) + + + static const struct gigaset_ops gigops = { +- gigaset_write_cmd, +- gigaset_write_room, +- gigaset_chars_in_buffer, +- gigaset_brkchars, +- gigaset_init_bchannel, +- gigaset_close_bchannel, +- gigaset_initbcshw, +- gigaset_freebcshw, +- gigaset_reinitbcshw, +- gigaset_initcshw, +- gigaset_freecshw, +- gigaset_set_modem_ctrl, +- gigaset_baud_rate, +- gigaset_set_line_ctrl, +- gigaset_isoc_send_skb, +- gigaset_isoc_input, ++ .write_cmd = gigaset_write_cmd, ++ .write_room = gigaset_write_room, ++ .chars_in_buffer = gigaset_chars_in_buffer, ++ .brkchars = gigaset_brkchars, ++ .init_bchannel = gigaset_init_bchannel, ++ .close_bchannel = gigaset_close_bchannel, ++ .initbcshw = gigaset_initbcshw, ++ .freebcshw = gigaset_freebcshw, ++ .reinitbcshw = gigaset_reinitbcshw, ++ .initcshw = gigaset_initcshw, ++ .freecshw = gigaset_freecshw, ++ .set_modem_ctrl = gigaset_set_modem_ctrl, ++ .baud_rate = gigaset_baud_rate, ++ .set_line_ctrl = gigaset_set_line_ctrl, ++ .send_skb = gigaset_isoc_send_skb, ++ .handle_input = gigaset_isoc_input, + }; + + /* bas_gigaset_init +diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c +index 600c79b..3752bab 100644 +--- a/drivers/isdn/gigaset/interface.c ++++ b/drivers/isdn/gigaset/interface.c +@@ -130,9 +130,9 @@ static int if_open(struct tty_struct *tty, struct file *filp) + } + tty->driver_data = cs; + +- ++cs->port.count; ++ atomic_inc(&cs->port.count); + +- if (cs->port.count == 1) { ++ if (atomic_read(&cs->port.count) == 1) { + tty_port_tty_set(&cs->port, tty); + cs->port.low_latency = 1; + } +@@ -156,9 +156,9 @@ static void if_close(struct tty_struct *tty, struct file *filp) + + if (!cs->connected) + gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */ +- else if (!cs->port.count) ++ else if (!atomic_read(&cs->port.count)) + dev_warn(cs->dev, "%s: device not opened\n", __func__); +- else if (!--cs->port.count) ++ else if (!atomic_dec_return(&cs->port.count)) + tty_port_tty_set(&cs->port, NULL); + + mutex_unlock(&cs->mutex); +diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c +index 8c91fd5..14f13ce 100644 +--- a/drivers/isdn/gigaset/ser-gigaset.c ++++ b/drivers/isdn/gigaset/ser-gigaset.c +@@ -453,22 +453,22 @@ static int gigaset_set_line_ctrl(struct cardstate *cs, unsigned cflag) + } + + static const struct gigaset_ops ops = { +- gigaset_write_cmd, +- gigaset_write_room, +- gigaset_chars_in_buffer, +- gigaset_brkchars, +- gigaset_init_bchannel, +- gigaset_close_bchannel, +- gigaset_initbcshw, +- gigaset_freebcshw, +- gigaset_reinitbcshw, +- gigaset_initcshw, +- gigaset_freecshw, +- gigaset_set_modem_ctrl, +- gigaset_baud_rate, +- gigaset_set_line_ctrl, +- gigaset_m10x_send_skb, /* asyncdata.c */ +- gigaset_m10x_input, /* asyncdata.c */ ++ .write_cmd = gigaset_write_cmd, ++ .write_room = gigaset_write_room, ++ .chars_in_buffer = gigaset_chars_in_buffer, ++ .brkchars = gigaset_brkchars, ++ .init_bchannel = gigaset_init_bchannel, ++ .close_bchannel = gigaset_close_bchannel, ++ .initbcshw = gigaset_initbcshw, ++ .freebcshw = gigaset_freebcshw, ++ .reinitbcshw = gigaset_reinitbcshw, ++ .initcshw = gigaset_initcshw, ++ .freecshw = gigaset_freecshw, ++ .set_modem_ctrl = gigaset_set_modem_ctrl, ++ .baud_rate = gigaset_baud_rate, ++ .set_line_ctrl = gigaset_set_line_ctrl, ++ .send_skb = gigaset_m10x_send_skb, /* asyncdata.c */ ++ .handle_input = gigaset_m10x_input, /* asyncdata.c */ + }; + + +diff --git a/drivers/isdn/gigaset/usb-gigaset.c b/drivers/isdn/gigaset/usb-gigaset.c +index d0a41cb..b953e50 100644 +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -547,7 +547,7 @@ static int gigaset_brkchars(struct cardstate *cs, const unsigned char buf[6]) + gigaset_dbg_buffer(DEBUG_USBREQ, "brkchars", 6, buf); + memcpy(cs->hw.usb->bchars, buf, 6); + return usb_control_msg(udev, usb_sndctrlpipe(udev, 0), 0x19, 0x41, +- 0, 0, &buf, 6, 2000); ++ 0, 0, buf, 6, 2000); + } + + static void gigaset_freebcshw(struct bc_state *bcs) +@@ -869,22 +869,22 @@ static int gigaset_pre_reset(struct usb_interface *intf) + } + + static const struct gigaset_ops ops = { +- gigaset_write_cmd, +- gigaset_write_room, +- gigaset_chars_in_buffer, +- gigaset_brkchars, +- gigaset_init_bchannel, +- gigaset_close_bchannel, +- gigaset_initbcshw, +- gigaset_freebcshw, +- gigaset_reinitbcshw, +- gigaset_initcshw, +- gigaset_freecshw, +- gigaset_set_modem_ctrl, +- gigaset_baud_rate, +- gigaset_set_line_ctrl, +- gigaset_m10x_send_skb, +- gigaset_m10x_input, ++ .write_cmd = gigaset_write_cmd, ++ .write_room = gigaset_write_room, ++ .chars_in_buffer = gigaset_chars_in_buffer, ++ .brkchars = gigaset_brkchars, ++ .init_bchannel = gigaset_init_bchannel, ++ .close_bchannel = gigaset_close_bchannel, ++ .initbcshw = gigaset_initbcshw, ++ .freebcshw = gigaset_freebcshw, ++ .reinitbcshw = gigaset_reinitbcshw, ++ .initcshw = gigaset_initcshw, ++ .freecshw = gigaset_freecshw, ++ .set_modem_ctrl = gigaset_set_modem_ctrl, ++ .baud_rate = gigaset_baud_rate, ++ .set_line_ctrl = gigaset_set_line_ctrl, ++ .send_skb = gigaset_m10x_send_skb, ++ .handle_input = gigaset_m10x_input, + }; + + /* +diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c +index 4d9b195..455075c 100644 +--- a/drivers/isdn/hardware/avm/b1.c ++++ b/drivers/isdn/hardware/avm/b1.c +@@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capiloaddatapart *t4file) + } + if (left) { + if (t4file->user) { +- if (copy_from_user(buf, dp, left)) ++ if (left > sizeof buf || copy_from_user(buf, dp, left)) + return -EFAULT; + } else { + memcpy(buf, dp, left); +@@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capiloaddatapart *config) + } + if (left) { + if (config->user) { +- if (copy_from_user(buf, dp, left)) ++ if (left > sizeof buf || copy_from_user(buf, dp, left)) + return -EFAULT; + } else { + memcpy(buf, dp, left); +diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c +index 9bb12ba..d4262f7 100644 +--- a/drivers/isdn/i4l/isdn_common.c ++++ b/drivers/isdn/i4l/isdn_common.c +@@ -1651,6 +1651,8 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg) + } else + return -EINVAL; + case IIOCDBGVAR: ++ if (!capable(CAP_SYS_RAWIO)) ++ return -EPERM; + if (arg) { + if (copy_to_user(argp, &dev, sizeof(ulong))) + return -EFAULT; +diff --git a/drivers/isdn/i4l/isdn_concap.c b/drivers/isdn/i4l/isdn_concap.c +index 91d5730..336523e 100644 +--- a/drivers/isdn/i4l/isdn_concap.c ++++ b/drivers/isdn/i4l/isdn_concap.c +@@ -80,9 +80,9 @@ static int isdn_concap_dl_disconn_req(struct concap_proto *concap) + } + + struct concap_device_ops isdn_concap_reliable_dl_dops = { +- &isdn_concap_dl_data_req, +- &isdn_concap_dl_connect_req, +- &isdn_concap_dl_disconn_req ++ .data_req = &isdn_concap_dl_data_req, ++ .connect_req = &isdn_concap_dl_connect_req, ++ .disconn_req = &isdn_concap_dl_disconn_req + }; + + /* The following should better go into a dedicated source file such that +diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c +index 3c5f249..5fac4d0 100644 +--- a/drivers/isdn/i4l/isdn_tty.c ++++ b/drivers/isdn/i4l/isdn_tty.c +@@ -1508,9 +1508,9 @@ isdn_tty_open(struct tty_struct *tty, struct file *filp) + + #ifdef ISDN_DEBUG_MODEM_OPEN + printk(KERN_DEBUG "isdn_tty_open %s, count = %d\n", tty->name, +- port->count); ++ atomic_read(&port->count)); + #endif +- port->count++; ++ atomic_inc(&port->count); + port->tty = tty; + /* + * Start up serial port +@@ -1554,7 +1554,7 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp) + #endif + return; + } +- if ((tty->count == 1) && (port->count != 1)) { ++ if ((tty->count == 1) && (atomic_read(&port->count) != 1)) { + /* + * Uh, oh. tty->count is 1, which means that the tty + * structure will be freed. Info->count should always +@@ -1563,15 +1563,15 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp) + * serial port won't be shutdown. + */ + printk(KERN_ERR "isdn_tty_close: bad port count; tty->count is 1, " +- "info->count is %d\n", port->count); +- port->count = 1; ++ "info->count is %d\n", atomic_read(&port->count)); ++ atomic_set(&port->count, 1); + } +- if (--port->count < 0) { ++ if (atomic_dec_return(&port->count) < 0) { + printk(KERN_ERR "isdn_tty_close: bad port count for ttyi%d: %d\n", +- info->line, port->count); +- port->count = 0; ++ info->line, atomic_read(&port->count)); ++ atomic_set(&port->count, 0); + } +- if (port->count) { ++ if (atomic_read(&port->count)) { + #ifdef ISDN_DEBUG_MODEM_OPEN + printk(KERN_DEBUG "isdn_tty_close after info->count != 0\n"); + #endif +@@ -1625,7 +1625,7 @@ isdn_tty_hangup(struct tty_struct *tty) + if (isdn_tty_paranoia_check(info, tty->name, "isdn_tty_hangup")) + return; + isdn_tty_shutdown(info); +- port->count = 0; ++ atomic_set(&port->count, 0); + port->flags &= ~ASYNC_NORMAL_ACTIVE; + port->tty = NULL; + wake_up_interruptible(&port->open_wait); +@@ -1970,7 +1970,7 @@ isdn_tty_find_icall(int di, int ch, setup_parm *setup) + for (i = 0; i < ISDN_MAX_CHANNELS; i++) { + modem_info *info = &dev->mdm.info[i]; + +- if (info->port.count == 0) ++ if (atomic_read(&info->port.count) == 0) + continue; + if ((info->emu.mdmreg[REG_SI1] & si2bit[si1]) && /* SI1 is matching */ + (info->emu.mdmreg[REG_SI2] == si2)) { /* SI2 is matching */ +diff --git a/drivers/isdn/i4l/isdn_x25iface.c b/drivers/isdn/i4l/isdn_x25iface.c +index e2d4e58..40cd045 100644 +--- a/drivers/isdn/i4l/isdn_x25iface.c ++++ b/drivers/isdn/i4l/isdn_x25iface.c +@@ -53,14 +53,14 @@ static int isdn_x25iface_disconn_ind(struct concap_proto *); + + + static struct concap_proto_ops ix25_pops = { +- &isdn_x25iface_proto_new, +- &isdn_x25iface_proto_del, +- &isdn_x25iface_proto_restart, +- &isdn_x25iface_proto_close, +- &isdn_x25iface_xmit, +- &isdn_x25iface_receive, +- &isdn_x25iface_connect_ind, +- &isdn_x25iface_disconn_ind ++ .proto_new = &isdn_x25iface_proto_new, ++ .proto_del = &isdn_x25iface_proto_del, ++ .restart = &isdn_x25iface_proto_restart, ++ .close = &isdn_x25iface_proto_close, ++ .encap_and_xmit = &isdn_x25iface_xmit, ++ .data_ind = &isdn_x25iface_receive, ++ .connect_ind = &isdn_x25iface_connect_ind, ++ .disconn_ind = &isdn_x25iface_disconn_ind + }; + + /* error message helper function */ +diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c +index 53d487f..f020f41 100644 +--- a/drivers/isdn/icn/icn.c ++++ b/drivers/isdn/icn/icn.c +@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char *buf, int len, int user, icn_card *card) + if (count > len) + count = len; + if (user) { +- if (copy_from_user(msg, buf, count)) ++ if (count > sizeof msg || copy_from_user(msg, buf, count)) + return -EFAULT; + } else + memcpy(msg, buf, count); +diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c +index a4f05c5..1433bc5 100644 +--- a/drivers/isdn/mISDN/dsp_cmx.c ++++ b/drivers/isdn/mISDN/dsp_cmx.c +@@ -1628,7 +1628,7 @@ unsigned long dsp_spl_jiffies; /* calculate the next time to fire */ + static u16 dsp_count; /* last sample count */ + static int dsp_count_valid; /* if we have last sample count */ + +-void ++void __intentional_overflow(-1) + dsp_cmx_send(void *arg) + { + struct dsp_conf *conf; +diff --git a/drivers/leds/leds-clevo-mail.c b/drivers/leds/leds-clevo-mail.c +index d93e245..e7ece6b 100644 +--- a/drivers/leds/leds-clevo-mail.c ++++ b/drivers/leds/leds-clevo-mail.c +@@ -40,7 +40,7 @@ static int __init clevo_mail_led_dmi_callback(const struct dmi_system_id *id) + * detected as working, but in reality it is not) as low as + * possible. + */ +-static struct dmi_system_id clevo_mail_led_dmi_table[] __initdata = { ++static struct dmi_system_id clevo_mail_led_dmi_table[] __initconst = { + { + .callback = clevo_mail_led_dmi_callback, + .ident = "Clevo D410J", +diff --git a/drivers/leds/leds-ss4200.c b/drivers/leds/leds-ss4200.c +index 5b8f938..b73d657 100644 +--- a/drivers/leds/leds-ss4200.c ++++ b/drivers/leds/leds-ss4200.c +@@ -91,7 +91,7 @@ MODULE_PARM_DESC(nodetect, "Skip DMI-based hardware detection"); + * detected as working, but in reality it is not) as low as + * possible. + */ +-static struct dmi_system_id nas_led_whitelist[] __initdata = { ++static struct dmi_system_id nas_led_whitelist[] __initconst = { + { + .callback = ss4200_led_dmi_callback, + .ident = "Intel SS4200-E", +diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c +index 0bf1e4e..b4bf44e 100644 +--- a/drivers/lguest/core.c ++++ b/drivers/lguest/core.c +@@ -97,9 +97,17 @@ static __init int map_switcher(void) + * The end address needs +1 because __get_vm_area allocates an + * extra guard page, so we need space for that. + */ ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE, ++ VM_ALLOC | VM_KERNEXEC, switcher_addr, switcher_addr ++ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE); ++#else + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE, + VM_ALLOC, switcher_addr, switcher_addr + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE); ++#endif ++ + if (!switcher_vma) { + err = -ENOMEM; + printk("lguest: could not map switcher pages high\n"); +@@ -124,7 +132,7 @@ static __init int map_switcher(void) + * Now the Switcher is mapped at the right address, we can't fail! + * Copy in the compiled-in Switcher code (from x86/switcher_32.S). + */ +- memcpy(switcher_vma->addr, start_switcher_text, ++ memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text), + end_switcher_text - start_switcher_text); + + printk(KERN_INFO "lguest: mapped switcher at %p\n", +diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c +index bfb39bb..08a603b 100644 +--- a/drivers/lguest/page_tables.c ++++ b/drivers/lguest/page_tables.c +@@ -559,7 +559,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr) + /*:*/ + + #ifdef CONFIG_X86_PAE +-static void release_pmd(pmd_t *spmd) ++static void __intentional_overflow(-1) release_pmd(pmd_t *spmd) + { + /* If the entry's not present, there's nothing to release. */ + if (pmd_flags(*spmd) & _PAGE_PRESENT) { +diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c +index 922a1ac..9dd0c2a 100644 +--- a/drivers/lguest/x86/core.c ++++ b/drivers/lguest/x86/core.c +@@ -59,7 +59,7 @@ static struct { + /* Offset from where switcher.S was compiled to where we've copied it */ + static unsigned long switcher_offset(void) + { +- return switcher_addr - (unsigned long)start_switcher_text; ++ return switcher_addr - (unsigned long)ktla_ktva(start_switcher_text); + } + + /* This cpu's struct lguest_pages (after the Switcher text page) */ +@@ -99,7 +99,13 @@ static void copy_in_guest_info(struct lg_cpu *cpu, struct lguest_pages *pages) + * These copies are pretty cheap, so we do them unconditionally: */ + /* Save the current Host top-level page directory. + */ ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ pages->state.host_cr3 = read_cr3(); ++#else + pages->state.host_cr3 = __pa(current->mm->pgd); ++#endif ++ + /* + * Set up the Guest's page tables to see this CPU's pages (and no + * other CPU's pages). +@@ -477,7 +483,7 @@ void __init lguest_arch_host_init(void) + * compiled-in switcher code and the high-mapped copy we just made. + */ + for (i = 0; i < IDT_ENTRIES; i++) +- default_idt_entries[i] += switcher_offset(); ++ default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset(); + + /* + * Set up the Switcher's per-cpu areas. +@@ -560,7 +566,7 @@ void __init lguest_arch_host_init(void) + * it will be undisturbed when we switch. To change %cs and jump we + * need this structure to feed to Intel's "lcall" instruction. + */ +- lguest_entry.offset = (long)switch_to_guest + switcher_offset(); ++ lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset(); + lguest_entry.segment = LGUEST_CS; + + /* +diff --git a/drivers/lguest/x86/switcher_32.S b/drivers/lguest/x86/switcher_32.S +index 40634b0..4f5855e 100644 +--- a/drivers/lguest/x86/switcher_32.S ++++ b/drivers/lguest/x86/switcher_32.S +@@ -87,6 +87,7 @@ + #include + #include + #include ++#include + + // We mark the start of the code to copy + // It's placed in .text tho it's never run here +@@ -149,6 +150,13 @@ ENTRY(switch_to_guest) + // Changes type when we load it: damn Intel! + // For after we switch over our page tables + // That entry will be read-only: we'd crash. ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ mov %cr0, %edx ++ xor $X86_CR0_WP, %edx ++ mov %edx, %cr0 ++#endif ++ + movl $(GDT_ENTRY_TSS*8), %edx + ltr %dx + +@@ -157,9 +165,15 @@ ENTRY(switch_to_guest) + // Let's clear it again for our return. + // The GDT descriptor of the Host + // Points to the table after two "size" bytes +- movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx ++ movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax + // Clear "used" from type field (byte 5, bit 2) +- andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx) ++ andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax) ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ mov %cr0, %eax ++ xor $X86_CR0_WP, %eax ++ mov %eax, %cr0 ++#endif + + // Once our page table's switched, the Guest is live! + // The Host fades as we run this final step. +@@ -295,13 +309,12 @@ deliver_to_host: + // I consulted gcc, and it gave + // These instructions, which I gladly credit: + leal (%edx,%ebx,8), %eax +- movzwl (%eax),%edx +- movl 4(%eax), %eax +- xorw %ax, %ax +- orl %eax, %edx ++ movl 4(%eax), %edx ++ movw (%eax), %dx + // Now the address of the handler's in %edx + // We call it now: its "iret" drops us home. +- jmp *%edx ++ ljmp $__KERNEL_CS, $1f ++1: jmp *%edx + + // Every interrupt can come to us here + // But we must truly tell each apart. +diff --git a/drivers/md/bcache/closure.h b/drivers/md/bcache/closure.h +index 7ef7461..5a09dac 100644 +--- a/drivers/md/bcache/closure.h ++++ b/drivers/md/bcache/closure.h +@@ -238,7 +238,7 @@ static inline void closure_set_stopped(struct closure *cl) + static inline void set_closure_fn(struct closure *cl, closure_fn *fn, + struct workqueue_struct *wq) + { +- BUG_ON(object_is_on_stack(cl)); ++ BUG_ON(object_starts_on_stack(cl)); + closure_set_ip(cl); + cl->fn = fn; + cl->wq = wq; +diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c +index 4195a01..42527ac 100644 +--- a/drivers/md/bitmap.c ++++ b/drivers/md/bitmap.c +@@ -1779,7 +1779,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap) + chunk_kb ? "KB" : "B"); + if (bitmap->storage.file) { + seq_printf(seq, ", file: "); +- seq_path(seq, &bitmap->storage.file->f_path, " \t\n"); ++ seq_path(seq, &bitmap->storage.file->f_path, " \t\n\\"); + } + + seq_printf(seq, "\n"); +diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c +index 5152142..623d141 100644 +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1769,7 +1769,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param) + cmd == DM_LIST_VERSIONS_CMD) + return 0; + +- if ((cmd == DM_DEV_CREATE_CMD)) { ++ if (cmd == DM_DEV_CREATE_CMD) { + if (!*param->name) { + DMWARN("name not supplied when creating device"); + return -EINVAL; +diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c +index 7dfdb5c..4caada6 100644 +--- a/drivers/md/dm-raid1.c ++++ b/drivers/md/dm-raid1.c +@@ -40,7 +40,7 @@ enum dm_raid1_error { + + struct mirror { + struct mirror_set *ms; +- atomic_t error_count; ++ atomic_unchecked_t error_count; + unsigned long error_type; + struct dm_dev *dev; + sector_t offset; +@@ -186,7 +186,7 @@ static struct mirror *get_valid_mirror(struct mirror_set *ms) + struct mirror *m; + + for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++) +- if (!atomic_read(&m->error_count)) ++ if (!atomic_read_unchecked(&m->error_count)) + return m; + + return NULL; +@@ -218,7 +218,7 @@ static void fail_mirror(struct mirror *m, enum dm_raid1_error error_type) + * simple way to tell if a device has encountered + * errors. + */ +- atomic_inc(&m->error_count); ++ atomic_inc_unchecked(&m->error_count); + + if (test_and_set_bit(error_type, &m->error_type)) + return; +@@ -409,7 +409,7 @@ static struct mirror *choose_mirror(struct mirror_set *ms, sector_t sector) + struct mirror *m = get_default_mirror(ms); + + do { +- if (likely(!atomic_read(&m->error_count))) ++ if (likely(!atomic_read_unchecked(&m->error_count))) + return m; + + if (m-- == ms->mirror) +@@ -423,7 +423,7 @@ static int default_ok(struct mirror *m) + { + struct mirror *default_mirror = get_default_mirror(m->ms); + +- return !atomic_read(&default_mirror->error_count); ++ return !atomic_read_unchecked(&default_mirror->error_count); + } + + static int mirror_available(struct mirror_set *ms, struct bio *bio) +@@ -560,7 +560,7 @@ static void do_reads(struct mirror_set *ms, struct bio_list *reads) + */ + if (likely(region_in_sync(ms, region, 1))) + m = choose_mirror(ms, bio->bi_iter.bi_sector); +- else if (m && atomic_read(&m->error_count)) ++ else if (m && atomic_read_unchecked(&m->error_count)) + m = NULL; + + if (likely(m)) +@@ -927,7 +927,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti, + } + + ms->mirror[mirror].ms = ms; +- atomic_set(&(ms->mirror[mirror].error_count), 0); ++ atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0); + ms->mirror[mirror].error_type = 0; + ms->mirror[mirror].offset = offset; + +@@ -1342,7 +1342,7 @@ static void mirror_resume(struct dm_target *ti) + */ + static char device_status_char(struct mirror *m) + { +- if (!atomic_read(&(m->error_count))) ++ if (!atomic_read_unchecked(&(m->error_count))) + return 'A'; + + return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' : +diff --git a/drivers/md/dm-stats.c b/drivers/md/dm-stats.c +index 28a9012..9c0f6a5 100644 +--- a/drivers/md/dm-stats.c ++++ b/drivers/md/dm-stats.c +@@ -382,7 +382,7 @@ do_sync_free: + synchronize_rcu_expedited(); + dm_stat_free(&s->rcu_head); + } else { +- ACCESS_ONCE(dm_stat_need_rcu_barrier) = 1; ++ ACCESS_ONCE_RW(dm_stat_need_rcu_barrier) = 1; + call_rcu(&s->rcu_head, dm_stat_free); + } + return 0; +@@ -554,8 +554,8 @@ void dm_stats_account_io(struct dm_stats *stats, unsigned long bi_rw, + ((bi_rw & (REQ_WRITE | REQ_DISCARD)) == + (ACCESS_ONCE(last->last_rw) & (REQ_WRITE | REQ_DISCARD))) + )); +- ACCESS_ONCE(last->last_sector) = end_sector; +- ACCESS_ONCE(last->last_rw) = bi_rw; ++ ACCESS_ONCE_RW(last->last_sector) = end_sector; ++ ACCESS_ONCE_RW(last->last_rw) = bi_rw; + } + + rcu_read_lock(); +diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c +index d1600d2..4c3af3a 100644 +--- a/drivers/md/dm-stripe.c ++++ b/drivers/md/dm-stripe.c +@@ -21,7 +21,7 @@ struct stripe { + struct dm_dev *dev; + sector_t physical_start; + +- atomic_t error_count; ++ atomic_unchecked_t error_count; + }; + + struct stripe_c { +@@ -186,7 +186,7 @@ static int stripe_ctr(struct dm_target *ti, unsigned int argc, char **argv) + kfree(sc); + return r; + } +- atomic_set(&(sc->stripe[i].error_count), 0); ++ atomic_set_unchecked(&(sc->stripe[i].error_count), 0); + } + + ti->private = sc; +@@ -330,7 +330,7 @@ static void stripe_status(struct dm_target *ti, status_type_t type, + DMEMIT("%d ", sc->stripes); + for (i = 0; i < sc->stripes; i++) { + DMEMIT("%s ", sc->stripe[i].dev->name); +- buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ? ++ buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ? + 'D' : 'A'; + } + buffer[i] = '\0'; +@@ -375,8 +375,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error) + */ + for (i = 0; i < sc->stripes; i++) + if (!strcmp(sc->stripe[i].dev->name, major_minor)) { +- atomic_inc(&(sc->stripe[i].error_count)); +- if (atomic_read(&(sc->stripe[i].error_count)) < ++ atomic_inc_unchecked(&(sc->stripe[i].error_count)); ++ if (atomic_read_unchecked(&(sc->stripe[i].error_count)) < + DM_IO_ERROR_THRESHOLD) + schedule_work(&sc->trigger_event); + } +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index 6a7f2b8..fea0bde 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -274,7 +274,7 @@ static struct dm_dev_internal *find_device(struct list_head *l, dev_t dev) + static int open_dev(struct dm_dev_internal *d, dev_t dev, + struct mapped_device *md) + { +- static char *_claim_ptr = "I belong to device-mapper"; ++ static char _claim_ptr[] = "I belong to device-mapper"; + struct block_device *bdev; + + int r; +@@ -342,7 +342,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev, + if (!dev_size) + return 0; + +- if ((start >= dev_size) || (start + len > dev_size)) { ++ if ((start >= dev_size) || (len > dev_size - start)) { + DMWARN("%s: %s too small for target: " + "start=%llu, len=%llu, dev_size=%llu", + dm_device_name(ti->table->md), bdevname(bdev, b), +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c +index fb9efc8..81e8986 100644 +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -397,7 +397,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd) + { + pmd->info.tm = pmd->tm; + pmd->info.levels = 2; +- pmd->info.value_type.context = pmd->data_sm; ++ pmd->info.value_type.context = (dm_space_map_no_const *)pmd->data_sm; + pmd->info.value_type.size = sizeof(__le64); + pmd->info.value_type.inc = data_block_inc; + pmd->info.value_type.dec = data_block_dec; +@@ -416,7 +416,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd) + + pmd->bl_info.tm = pmd->tm; + pmd->bl_info.levels = 1; +- pmd->bl_info.value_type.context = pmd->data_sm; ++ pmd->bl_info.value_type.context = (dm_space_map_no_const *)pmd->data_sm; + pmd->bl_info.value_type.size = sizeof(__le64); + pmd->bl_info.value_type.inc = data_block_inc; + pmd->bl_info.value_type.dec = data_block_dec; +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 8c53b09..f1fb2b0 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -185,9 +185,9 @@ struct mapped_device { + /* + * Event handling. + */ +- atomic_t event_nr; ++ atomic_unchecked_t event_nr; + wait_queue_head_t eventq; +- atomic_t uevent_seq; ++ atomic_unchecked_t uevent_seq; + struct list_head uevent_list; + spinlock_t uevent_lock; /* Protect access to uevent_list */ + +@@ -1888,8 +1888,8 @@ static struct mapped_device *alloc_dev(int minor) + spin_lock_init(&md->deferred_lock); + atomic_set(&md->holders, 1); + atomic_set(&md->open_count, 0); +- atomic_set(&md->event_nr, 0); +- atomic_set(&md->uevent_seq, 0); ++ atomic_set_unchecked(&md->event_nr, 0); ++ atomic_set_unchecked(&md->uevent_seq, 0); + INIT_LIST_HEAD(&md->uevent_list); + spin_lock_init(&md->uevent_lock); + +@@ -2043,7 +2043,7 @@ static void event_callback(void *context) + + dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); + +- atomic_inc(&md->event_nr); ++ atomic_inc_unchecked(&md->event_nr); + wake_up(&md->eventq); + } + +@@ -2736,18 +2736,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, + + uint32_t dm_next_uevent_seq(struct mapped_device *md) + { +- return atomic_add_return(1, &md->uevent_seq); ++ return atomic_add_return_unchecked(1, &md->uevent_seq); + } + + uint32_t dm_get_event_nr(struct mapped_device *md) + { +- return atomic_read(&md->event_nr); ++ return atomic_read_unchecked(&md->event_nr); + } + + int dm_wait_event(struct mapped_device *md, int event_nr) + { + return wait_event_interruptible(md->eventq, +- (event_nr != atomic_read(&md->event_nr))); ++ (event_nr != atomic_read_unchecked(&md->event_nr))); + } + + void dm_uevent_add(struct mapped_device *md, struct list_head *elist) +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 4ad5cc4..0f19664 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -194,10 +194,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev); + * start build, activate spare + */ + static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters); +-static atomic_t md_event_count; ++static atomic_unchecked_t md_event_count; + void md_new_event(struct mddev *mddev) + { +- atomic_inc(&md_event_count); ++ atomic_inc_unchecked(&md_event_count); + wake_up(&md_event_waiters); + } + EXPORT_SYMBOL_GPL(md_new_event); +@@ -207,7 +207,7 @@ EXPORT_SYMBOL_GPL(md_new_event); + */ + static void md_new_event_inintr(struct mddev *mddev) + { +- atomic_inc(&md_event_count); ++ atomic_inc_unchecked(&md_event_count); + wake_up(&md_event_waiters); + } + +@@ -1462,7 +1462,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_ + if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) && + (le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET)) + rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset); +- atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read)); ++ atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read)); + + rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256; + bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1; +@@ -1713,7 +1713,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev) + else + sb->resync_offset = cpu_to_le64(0); + +- sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors)); ++ sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors)); + + sb->raid_disks = cpu_to_le32(mddev->raid_disks); + sb->size = cpu_to_le64(mddev->dev_sectors); +@@ -2725,7 +2725,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store); + static ssize_t + errors_show(struct md_rdev *rdev, char *page) + { +- return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors)); ++ return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors)); + } + + static ssize_t +@@ -2734,7 +2734,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len) + char *e; + unsigned long n = simple_strtoul(buf, &e, 10); + if (*buf && (*e == 0 || *e == '\n')) { +- atomic_set(&rdev->corrected_errors, n); ++ atomic_set_unchecked(&rdev->corrected_errors, n); + return len; + } + return -EINVAL; +@@ -3183,8 +3183,8 @@ int md_rdev_init(struct md_rdev *rdev) + rdev->sb_loaded = 0; + rdev->bb_page = NULL; + atomic_set(&rdev->nr_pending, 0); +- atomic_set(&rdev->read_errors, 0); +- atomic_set(&rdev->corrected_errors, 0); ++ atomic_set_unchecked(&rdev->read_errors, 0); ++ atomic_set_unchecked(&rdev->corrected_errors, 0); + + INIT_LIST_HEAD(&rdev->same_set); + init_waitqueue_head(&rdev->blocked_wait); +@@ -7075,7 +7075,7 @@ static int md_seq_show(struct seq_file *seq, void *v) + + spin_unlock(&pers_lock); + seq_printf(seq, "\n"); +- seq->poll_event = atomic_read(&md_event_count); ++ seq->poll_event = atomic_read_unchecked(&md_event_count); + return 0; + } + if (v == (void*)2) { +@@ -7178,7 +7178,7 @@ static int md_seq_open(struct inode *inode, struct file *file) + return error; + + seq = file->private_data; +- seq->poll_event = atomic_read(&md_event_count); ++ seq->poll_event = atomic_read_unchecked(&md_event_count); + return error; + } + +@@ -7192,7 +7192,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) + /* always allow read */ + mask = POLLIN | POLLRDNORM; + +- if (seq->poll_event != atomic_read(&md_event_count)) ++ if (seq->poll_event != atomic_read_unchecked(&md_event_count)) + mask |= POLLERR | POLLPRI; + return mask; + } +@@ -7236,7 +7236,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) + struct gendisk *disk = rdev->bdev->bd_contains->bd_disk; + curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + + (int)part_stat_read(&disk->part0, sectors[1]) - +- atomic_read(&disk->sync_io); ++ atomic_read_unchecked(&disk->sync_io); + /* sync IO will cause sync_io to increase before the disk_stats + * as sync_io is counted when a request starts, and + * disk_stats is counted when it completes. +diff --git a/drivers/md/md.h b/drivers/md/md.h +index 07bba96..2d6788c 100644 +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -94,13 +94,13 @@ struct md_rdev { + * only maintained for arrays that + * support hot removal + */ +- atomic_t read_errors; /* number of consecutive read errors that ++ atomic_unchecked_t read_errors; /* number of consecutive read errors that + * we have tried to ignore. + */ + struct timespec last_read_error; /* monotonic time since our + * last read error + */ +- atomic_t corrected_errors; /* number of corrected read errors, ++ atomic_unchecked_t corrected_errors; /* number of corrected read errors, + * for reporting to userspace and storing + * in superblock. + */ +@@ -449,7 +449,7 @@ static inline void rdev_dec_pending(struct md_rdev *rdev, struct mddev *mddev) + + static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors) + { +- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io); ++ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io); + } + + struct md_personality +diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c +index 786b689..ea8c956 100644 +--- a/drivers/md/persistent-data/dm-space-map-metadata.c ++++ b/drivers/md/persistent-data/dm-space-map-metadata.c +@@ -679,7 +679,7 @@ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks) + * Flick into a mode where all blocks get allocated in the new area. + */ + smm->begin = old_len; +- memcpy(sm, &bootstrap_ops, sizeof(*sm)); ++ memcpy((void *)sm, &bootstrap_ops, sizeof(*sm)); + + /* + * Extend. +@@ -710,7 +710,7 @@ out: + /* + * Switch back to normal behaviour. + */ +- memcpy(sm, &ops, sizeof(*sm)); ++ memcpy((void *)sm, &ops, sizeof(*sm)); + return r; + } + +diff --git a/drivers/md/persistent-data/dm-space-map.h b/drivers/md/persistent-data/dm-space-map.h +index 3e6d115..ffecdeb 100644 +--- a/drivers/md/persistent-data/dm-space-map.h ++++ b/drivers/md/persistent-data/dm-space-map.h +@@ -71,6 +71,7 @@ struct dm_space_map { + dm_sm_threshold_fn fn, + void *context); + }; ++typedef struct dm_space_map __no_const dm_space_map_no_const; + + /*----------------------------------------------------------------*/ + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 4a6ca1c..e952750 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1922,7 +1922,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) + if (r1_sync_page_io(rdev, sect, s, + bio->bi_io_vec[idx].bv_page, + READ) != 0) +- atomic_add(s, &rdev->corrected_errors); ++ atomic_add_unchecked(s, &rdev->corrected_errors); + } + sectors -= s; + sect += s; +@@ -2156,7 +2156,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, + test_bit(In_sync, &rdev->flags)) { + if (r1_sync_page_io(rdev, sect, s, + conf->tmppage, READ)) { +- atomic_add(s, &rdev->corrected_errors); ++ atomic_add_unchecked(s, &rdev->corrected_errors); + printk(KERN_INFO + "md/raid1:%s: read error corrected " + "(%d sectors at %llu on %s)\n", +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 33fc408..fc61709 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1948,7 +1948,7 @@ static void end_sync_read(struct bio *bio, int error) + /* The write handler will notice the lack of + * R10BIO_Uptodate and record any errors etc + */ +- atomic_add(r10_bio->sectors, ++ atomic_add_unchecked(r10_bio->sectors, + &conf->mirrors[d].rdev->corrected_errors); + + /* for reconstruct, we always reschedule after a read. +@@ -2306,7 +2306,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) + { + struct timespec cur_time_mon; + unsigned long hours_since_last; +- unsigned int read_errors = atomic_read(&rdev->read_errors); ++ unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors); + + ktime_get_ts(&cur_time_mon); + +@@ -2328,9 +2328,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) + * overflowing the shift of read_errors by hours_since_last. + */ + if (hours_since_last >= 8 * sizeof(read_errors)) +- atomic_set(&rdev->read_errors, 0); ++ atomic_set_unchecked(&rdev->read_errors, 0); + else +- atomic_set(&rdev->read_errors, read_errors >> hours_since_last); ++ atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last); + } + + static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector, +@@ -2384,8 +2384,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 + return; + + check_decay_read_errors(mddev, rdev); +- atomic_inc(&rdev->read_errors); +- if (atomic_read(&rdev->read_errors) > max_read_errors) { ++ atomic_inc_unchecked(&rdev->read_errors); ++ if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) { + char b[BDEVNAME_SIZE]; + bdevname(rdev->bdev, b); + +@@ -2393,7 +2393,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 + "md/raid10:%s: %s: Raid device exceeded " + "read_error threshold [cur %d:max %d]\n", + mdname(mddev), b, +- atomic_read(&rdev->read_errors), max_read_errors); ++ atomic_read_unchecked(&rdev->read_errors), max_read_errors); + printk(KERN_NOTICE + "md/raid10:%s: %s: Failing raid device\n", + mdname(mddev), b); +@@ -2548,7 +2548,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 + sect + + choose_data_offset(r10_bio, rdev)), + bdevname(rdev->bdev, b)); +- atomic_add(s, &rdev->corrected_errors); ++ atomic_add_unchecked(s, &rdev->corrected_errors); + } + + rdev_dec_pending(rdev, mddev); +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 16f5c21..4df20dc 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -1991,21 +1991,21 @@ static void raid5_end_read_request(struct bio * bi, int error) + mdname(conf->mddev), STRIPE_SECTORS, + (unsigned long long)s, + bdevname(rdev->bdev, b)); +- atomic_add(STRIPE_SECTORS, &rdev->corrected_errors); ++ atomic_add_unchecked(STRIPE_SECTORS, &rdev->corrected_errors); + clear_bit(R5_ReadError, &sh->dev[i].flags); + clear_bit(R5_ReWrite, &sh->dev[i].flags); + } else if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags)) + clear_bit(R5_ReadNoMerge, &sh->dev[i].flags); + +- if (atomic_read(&rdev->read_errors)) +- atomic_set(&rdev->read_errors, 0); ++ if (atomic_read_unchecked(&rdev->read_errors)) ++ atomic_set_unchecked(&rdev->read_errors, 0); + } else { + const char *bdn = bdevname(rdev->bdev, b); + int retry = 0; + int set_bad = 0; + + clear_bit(R5_UPTODATE, &sh->dev[i].flags); +- atomic_inc(&rdev->read_errors); ++ atomic_inc_unchecked(&rdev->read_errors); + if (test_bit(R5_ReadRepl, &sh->dev[i].flags)) + printk_ratelimited( + KERN_WARNING +@@ -2033,7 +2033,7 @@ static void raid5_end_read_request(struct bio * bi, int error) + mdname(conf->mddev), + (unsigned long long)s, + bdn); +- } else if (atomic_read(&rdev->read_errors) ++ } else if (atomic_read_unchecked(&rdev->read_errors) + > conf->max_nr_stripes) + printk(KERN_WARNING + "md/raid:%s: Too many read errors, failing device %s.\n", +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 983db75..ef9248c 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -185,7 +185,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + const struct dvb_device *template, void *priv, int type) + { + struct dvb_device *dvbdev; +- struct file_operations *dvbdevfops; ++ file_operations_no_const *dvbdevfops; + struct device *clsdev; + int minor; + int id; +diff --git a/drivers/media/dvb-frontends/dib3000.h b/drivers/media/dvb-frontends/dib3000.h +index 9b6c3bb..baeb5c7 100644 +--- a/drivers/media/dvb-frontends/dib3000.h ++++ b/drivers/media/dvb-frontends/dib3000.h +@@ -39,7 +39,7 @@ struct dib_fe_xfer_ops + int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff); + int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff); + int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl); +-}; ++} __no_const; + + #if IS_ENABLED(CONFIG_DVB_DIB3000MB) + extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config, +diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c +index ed8cb90..5ef7f79 100644 +--- a/drivers/media/pci/cx88/cx88-video.c ++++ b/drivers/media/pci/cx88/cx88-video.c +@@ -50,9 +50,9 @@ MODULE_VERSION(CX88_VERSION); + + /* ------------------------------------------------------------------ */ + +-static unsigned int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET }; +-static unsigned int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET }; +-static unsigned int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET }; ++static int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET }; ++static int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET }; ++static int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET }; + + module_param_array(video_nr, int, NULL, 0444); + module_param_array(vbi_nr, int, NULL, 0444); +diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c +index 802642d..5534900 100644 +--- a/drivers/media/pci/ivtv/ivtv-driver.c ++++ b/drivers/media/pci/ivtv/ivtv-driver.c +@@ -83,7 +83,7 @@ static struct pci_device_id ivtv_pci_tbl[] = { + MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl); + + /* ivtv instance counter */ +-static atomic_t ivtv_instance = ATOMIC_INIT(0); ++static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0); + + /* Parameter declarations */ + static int cardtype[IVTV_MAX_CARDS]; +diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c +index dfd0a21..6bbb465 100644 +--- a/drivers/media/platform/omap/omap_vout.c ++++ b/drivers/media/platform/omap/omap_vout.c +@@ -63,7 +63,6 @@ enum omap_vout_channels { + OMAP_VIDEO2, + }; + +-static struct videobuf_queue_ops video_vbq_ops; + /* Variables configurable through module params*/ + static u32 video1_numbuffers = 3; + static u32 video2_numbuffers = 3; +@@ -1014,6 +1013,12 @@ static int omap_vout_open(struct file *file) + { + struct videobuf_queue *q; + struct omap_vout_device *vout = NULL; ++ static struct videobuf_queue_ops video_vbq_ops = { ++ .buf_setup = omap_vout_buffer_setup, ++ .buf_prepare = omap_vout_buffer_prepare, ++ .buf_release = omap_vout_buffer_release, ++ .buf_queue = omap_vout_buffer_queue, ++ }; + + vout = video_drvdata(file); + v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev, "Entering %s\n", __func__); +@@ -1031,10 +1036,6 @@ static int omap_vout_open(struct file *file) + vout->type = V4L2_BUF_TYPE_VIDEO_OUTPUT; + + q = &vout->vbq; +- video_vbq_ops.buf_setup = omap_vout_buffer_setup; +- video_vbq_ops.buf_prepare = omap_vout_buffer_prepare; +- video_vbq_ops.buf_release = omap_vout_buffer_release; +- video_vbq_ops.buf_queue = omap_vout_buffer_queue; + spin_lock_init(&vout->vbq_lock); + + videobuf_queue_dma_contig_init(q, &video_vbq_ops, q->dev, +diff --git a/drivers/media/platform/s5p-tv/mixer.h b/drivers/media/platform/s5p-tv/mixer.h +index fb2acc5..a2fcbdc4 100644 +--- a/drivers/media/platform/s5p-tv/mixer.h ++++ b/drivers/media/platform/s5p-tv/mixer.h +@@ -156,7 +156,7 @@ struct mxr_layer { + /** layer index (unique identifier) */ + int idx; + /** callbacks for layer methods */ +- struct mxr_layer_ops ops; ++ struct mxr_layer_ops *ops; + /** format array */ + const struct mxr_format **fmt_array; + /** size of format array */ +diff --git a/drivers/media/platform/s5p-tv/mixer_grp_layer.c b/drivers/media/platform/s5p-tv/mixer_grp_layer.c +index 74344c7..a39e70e 100644 +--- a/drivers/media/platform/s5p-tv/mixer_grp_layer.c ++++ b/drivers/media/platform/s5p-tv/mixer_grp_layer.c +@@ -235,7 +235,7 @@ struct mxr_layer *mxr_graph_layer_create(struct mxr_device *mdev, int idx) + { + struct mxr_layer *layer; + int ret; +- struct mxr_layer_ops ops = { ++ static struct mxr_layer_ops ops = { + .release = mxr_graph_layer_release, + .buffer_set = mxr_graph_buffer_set, + .stream_set = mxr_graph_stream_set, +diff --git a/drivers/media/platform/s5p-tv/mixer_reg.c b/drivers/media/platform/s5p-tv/mixer_reg.c +index b713403..53cb5ad 100644 +--- a/drivers/media/platform/s5p-tv/mixer_reg.c ++++ b/drivers/media/platform/s5p-tv/mixer_reg.c +@@ -276,7 +276,7 @@ static void mxr_irq_layer_handle(struct mxr_layer *layer) + layer->update_buf = next; + } + +- layer->ops.buffer_set(layer, layer->update_buf); ++ layer->ops->buffer_set(layer, layer->update_buf); + + if (done && done != layer->shadow_buf) + vb2_buffer_done(&done->vb, VB2_BUF_STATE_DONE); +diff --git a/drivers/media/platform/s5p-tv/mixer_video.c b/drivers/media/platform/s5p-tv/mixer_video.c +index c5059ba..2649f28 100644 +--- a/drivers/media/platform/s5p-tv/mixer_video.c ++++ b/drivers/media/platform/s5p-tv/mixer_video.c +@@ -210,7 +210,7 @@ static void mxr_layer_default_geo(struct mxr_layer *layer) + layer->geo.src.height = layer->geo.src.full_height; + + mxr_geometry_dump(mdev, &layer->geo); +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0); + mxr_geometry_dump(mdev, &layer->geo); + } + +@@ -228,7 +228,7 @@ static void mxr_layer_update_output(struct mxr_layer *layer) + layer->geo.dst.full_width = mbus_fmt.width; + layer->geo.dst.full_height = mbus_fmt.height; + layer->geo.dst.field = mbus_fmt.field; +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0); + + mxr_geometry_dump(mdev, &layer->geo); + } +@@ -334,7 +334,7 @@ static int mxr_s_fmt(struct file *file, void *priv, + /* set source size to highest accepted value */ + geo->src.full_width = max(geo->dst.full_width, pix->width); + geo->src.full_height = max(geo->dst.full_height, pix->height); +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0); + mxr_geometry_dump(mdev, &layer->geo); + /* set cropping to total visible screen */ + geo->src.width = pix->width; +@@ -342,12 +342,12 @@ static int mxr_s_fmt(struct file *file, void *priv, + geo->src.x_offset = 0; + geo->src.y_offset = 0; + /* assure consistency of geometry */ +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET); + mxr_geometry_dump(mdev, &layer->geo); + /* set full size to lowest possible value */ + geo->src.full_width = 0; + geo->src.full_height = 0; +- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0); ++ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0); + mxr_geometry_dump(mdev, &layer->geo); + + /* returning results */ +@@ -474,7 +474,7 @@ static int mxr_s_selection(struct file *file, void *fh, + target->width = s->r.width; + target->height = s->r.height; + +- layer->ops.fix_geometry(layer, stage, s->flags); ++ layer->ops->fix_geometry(layer, stage, s->flags); + + /* retrieve update selection rectangle */ + res.left = target->x_offset; +@@ -955,13 +955,13 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count) + mxr_output_get(mdev); + + mxr_layer_update_output(layer); +- layer->ops.format_set(layer); ++ layer->ops->format_set(layer); + /* enabling layer in hardware */ + spin_lock_irqsave(&layer->enq_slock, flags); + layer->state = MXR_LAYER_STREAMING; + spin_unlock_irqrestore(&layer->enq_slock, flags); + +- layer->ops.stream_set(layer, MXR_ENABLE); ++ layer->ops->stream_set(layer, MXR_ENABLE); + mxr_streamer_get(mdev); + + return 0; +@@ -1031,7 +1031,7 @@ static int stop_streaming(struct vb2_queue *vq) + spin_unlock_irqrestore(&layer->enq_slock, flags); + + /* disabling layer in hardware */ +- layer->ops.stream_set(layer, MXR_DISABLE); ++ layer->ops->stream_set(layer, MXR_DISABLE); + /* remove one streamer */ + mxr_streamer_put(mdev); + /* allow changes in output configuration */ +@@ -1070,8 +1070,8 @@ void mxr_base_layer_unregister(struct mxr_layer *layer) + + void mxr_layer_release(struct mxr_layer *layer) + { +- if (layer->ops.release) +- layer->ops.release(layer); ++ if (layer->ops->release) ++ layer->ops->release(layer); + } + + void mxr_base_layer_release(struct mxr_layer *layer) +@@ -1097,7 +1097,7 @@ struct mxr_layer *mxr_base_layer_create(struct mxr_device *mdev, + + layer->mdev = mdev; + layer->idx = idx; +- layer->ops = *ops; ++ layer->ops = ops; + + spin_lock_init(&layer->enq_slock); + INIT_LIST_HEAD(&layer->enq_list); +diff --git a/drivers/media/platform/s5p-tv/mixer_vp_layer.c b/drivers/media/platform/s5p-tv/mixer_vp_layer.c +index c9388c4..ce71ece 100644 +--- a/drivers/media/platform/s5p-tv/mixer_vp_layer.c ++++ b/drivers/media/platform/s5p-tv/mixer_vp_layer.c +@@ -206,7 +206,7 @@ struct mxr_layer *mxr_vp_layer_create(struct mxr_device *mdev, int idx) + { + struct mxr_layer *layer; + int ret; +- struct mxr_layer_ops ops = { ++ static struct mxr_layer_ops ops = { + .release = mxr_vp_layer_release, + .buffer_set = mxr_vp_buffer_set, + .stream_set = mxr_vp_stream_set, +diff --git a/drivers/media/platform/vivi.c b/drivers/media/platform/vivi.c +index 2d4e73b..8b4d5b6 100644 +--- a/drivers/media/platform/vivi.c ++++ b/drivers/media/platform/vivi.c +@@ -58,8 +58,8 @@ MODULE_AUTHOR("Mauro Carvalho Chehab, Ted Walther and John Sokol"); + MODULE_LICENSE("Dual BSD/GPL"); + MODULE_VERSION(VIVI_VERSION); + +-static unsigned video_nr = -1; +-module_param(video_nr, uint, 0644); ++static int video_nr = -1; ++module_param(video_nr, int, 0644); + MODULE_PARM_DESC(video_nr, "videoX start number, -1 is autodetect"); + + static unsigned n_devs = 1; +diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c +index 545c04c..a14bded 100644 +--- a/drivers/media/radio/radio-cadet.c ++++ b/drivers/media/radio/radio-cadet.c +@@ -324,6 +324,8 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo + unsigned char readbuf[RDS_BUFFER]; + int i = 0; + ++ if (count > RDS_BUFFER) ++ return -EFAULT; + mutex_lock(&dev->lock); + if (dev->rdsstat == 0) + cadet_start_rds(dev); +@@ -339,7 +341,7 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo + while (i < count && dev->rdsin != dev->rdsout) + readbuf[i++] = dev->rdsbuf[dev->rdsout++]; + +- if (i && copy_to_user(data, readbuf, i)) ++ if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i)) + i = -EFAULT; + unlock: + mutex_unlock(&dev->lock); +diff --git a/drivers/media/radio/radio-maxiradio.c b/drivers/media/radio/radio-maxiradio.c +index 5236035..c622c74 100644 +--- a/drivers/media/radio/radio-maxiradio.c ++++ b/drivers/media/radio/radio-maxiradio.c +@@ -61,7 +61,7 @@ MODULE_PARM_DESC(radio_nr, "Radio device number"); + /* TEA5757 pin mappings */ + static const int clk = 1, data = 2, wren = 4, mo_st = 8, power = 16; + +-static atomic_t maxiradio_instance = ATOMIC_INIT(0); ++static atomic_unchecked_t maxiradio_instance = ATOMIC_INIT(0); + + #define PCI_VENDOR_ID_GUILLEMOT 0x5046 + #define PCI_DEVICE_ID_GUILLEMOT_MAXIRADIO 0x1001 +diff --git a/drivers/media/radio/radio-shark.c b/drivers/media/radio/radio-shark.c +index 050b3bb..79f62b9 100644 +--- a/drivers/media/radio/radio-shark.c ++++ b/drivers/media/radio/radio-shark.c +@@ -79,7 +79,7 @@ struct shark_device { + u32 last_val; + }; + +-static atomic_t shark_instance = ATOMIC_INIT(0); ++static atomic_unchecked_t shark_instance = ATOMIC_INIT(0); + + static void shark_write_val(struct snd_tea575x *tea, u32 val) + { +diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c +index 8654e0d..0608a64 100644 +--- a/drivers/media/radio/radio-shark2.c ++++ b/drivers/media/radio/radio-shark2.c +@@ -74,7 +74,7 @@ struct shark_device { + u8 *transfer_buffer; + }; + +-static atomic_t shark_instance = ATOMIC_INIT(0); ++static atomic_unchecked_t shark_instance = ATOMIC_INIT(0); + + static int shark_write_reg(struct radio_tea5777 *tea, u64 reg) + { +diff --git a/drivers/media/radio/radio-si476x.c b/drivers/media/radio/radio-si476x.c +index 2fd9009..278cc1e 100644 +--- a/drivers/media/radio/radio-si476x.c ++++ b/drivers/media/radio/radio-si476x.c +@@ -1445,7 +1445,7 @@ static int si476x_radio_probe(struct platform_device *pdev) + struct si476x_radio *radio; + struct v4l2_ctrl *ctrl; + +- static atomic_t instance = ATOMIC_INIT(0); ++ static atomic_unchecked_t instance = ATOMIC_INIT(0); + + radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL); + if (!radio) +diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c +index a1c641e..3007da9 100644 +--- a/drivers/media/usb/dvb-usb/cxusb.c ++++ b/drivers/media/usb/dvb-usb/cxusb.c +@@ -1112,7 +1112,7 @@ static struct dib0070_config dib7070p_dib0070_config = { + + struct dib0700_adapter_state { + int (*set_param_save) (struct dvb_frontend *); +-}; ++} __no_const; + + static int dib7070_set_param_override(struct dvb_frontend *fe) + { +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index ae0f56a..ec71784 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -118,7 +118,7 @@ struct su3000_state { + + struct s6x0_state { + int (*old_set_voltage)(struct dvb_frontend *f, fe_sec_voltage_t v); +-}; ++} __no_const; + + /* debug */ + static int dvb_usb_dw2102_debug; +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +index 8f7a6a4..eb0e1d4 100644 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -326,7 +326,7 @@ struct v4l2_buffer32 { + __u32 reserved; + }; + +-static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, ++static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32, + enum v4l2_memory memory) + { + void __user *up_pln; +@@ -355,7 +355,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, + return 0; + } + +-static int put_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, ++static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32, + enum v4l2_memory memory) + { + if (copy_in_user(up32, up, 2 * sizeof(__u32)) || +@@ -425,7 +425,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + * by passing a very big num_planes value */ + uplane = compat_alloc_user_space(num_planes * + sizeof(struct v4l2_plane)); +- kp->m.planes = uplane; ++ kp->m.planes = (struct v4l2_plane __force_kernel *)uplane; + + while (--num_planes >= 0) { + ret = get_v4l2_plane32(uplane, uplane32, kp->memory); +@@ -496,7 +496,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user + if (num_planes == 0) + return 0; + +- uplane = kp->m.planes; ++ uplane = (struct v4l2_plane __force_user *)kp->m.planes; + if (get_user(p, &up->m.planes)) + return -EFAULT; + uplane32 = compat_ptr(p); +@@ -550,7 +550,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame + get_user(kp->capability, &up->capability) || + get_user(kp->flags, &up->flags)) + return -EFAULT; +- kp->base = compat_ptr(tmp); ++ kp->base = (void __force_kernel *)compat_ptr(tmp); + get_v4l2_pix_format(&kp->fmt, &up->fmt); + return 0; + } +@@ -656,7 +656,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext + n * sizeof(struct v4l2_ext_control32))) + return -EFAULT; + kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control)); +- kp->controls = kcontrols; ++ kp->controls = (struct v4l2_ext_control __force_kernel *)kcontrols; + while (--n >= 0) { + if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols))) + return -EFAULT; +@@ -678,7 +678,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext + static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up) + { + struct v4l2_ext_control32 __user *ucontrols; +- struct v4l2_ext_control __user *kcontrols = kp->controls; ++ struct v4l2_ext_control __user *kcontrols = (struct v4l2_ext_control __force_user *)kp->controls; + int n = kp->count; + compat_caddr_t p; + +@@ -772,7 +772,7 @@ static int put_v4l2_subdev_edid32(struct v4l2_subdev_edid *kp, struct v4l2_subde + put_user(kp->start_block, &up->start_block) || + put_user(kp->blocks, &up->blocks) || + put_user(tmp, &up->edid) || +- copy_to_user(kp->reserved, up->reserved, sizeof(kp->reserved))) ++ copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) + return -EFAULT; + return 0; + } +diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c +index 6ff002b..6b9316b 100644 +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -1401,8 +1401,8 @@ static int validate_new(const struct v4l2_ctrl *ctrl, + return 0; + + case V4L2_CTRL_TYPE_STRING: +- len = strlen(c->string); +- if (len < ctrl->minimum) ++ len = strlen_user(c->string); ++ if (!len || len < ctrl->minimum) + return -ERANGE; + if ((len - ctrl->minimum) % ctrl->step) + return -ERANGE; +diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c +index 02d1b63..5fd6b16 100644 +--- a/drivers/media/v4l2-core/v4l2-device.c ++++ b/drivers/media/v4l2-core/v4l2-device.c +@@ -75,9 +75,9 @@ int v4l2_device_put(struct v4l2_device *v4l2_dev) + EXPORT_SYMBOL_GPL(v4l2_device_put); + + int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename, +- atomic_t *instance) ++ atomic_unchecked_t *instance) + { +- int num = atomic_inc_return(instance) - 1; ++ int num = atomic_inc_return_unchecked(instance) - 1; + int len = strlen(basename); + + if (basename[len - 1] >= '0' && basename[len - 1] <= '9') +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c +index 707aef7..93b8ac0 100644 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -1942,7 +1942,8 @@ struct v4l2_ioctl_info { + struct file *file, void *fh, void *p); + } u; + void (*debug)(const void *arg, bool write_only); +-}; ++} __do_const; ++typedef struct v4l2_ioctl_info __no_const v4l2_ioctl_info_no_const; + + /* This control needs a priority check */ + #define INFO_FL_PRIO (1 << 0) +@@ -2123,7 +2124,7 @@ static long __video_do_ioctl(struct file *file, + struct video_device *vfd = video_devdata(file); + const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops; + bool write_only = false; +- struct v4l2_ioctl_info default_info; ++ v4l2_ioctl_info_no_const default_info; + const struct v4l2_ioctl_info *info; + void *fh = file->private_data; + struct v4l2_fh *vfh = NULL; +@@ -2197,7 +2198,7 @@ done: + } + + static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, +- void * __user *user_ptr, void ***kernel_ptr) ++ void __user **user_ptr, void ***kernel_ptr) + { + int ret = 0; + +@@ -2213,7 +2214,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, + ret = -EINVAL; + break; + } +- *user_ptr = (void __user *)buf->m.planes; ++ *user_ptr = (void __force_user *)buf->m.planes; + *kernel_ptr = (void *)&buf->m.planes; + *array_size = sizeof(struct v4l2_plane) * buf->length; + ret = 1; +@@ -2248,7 +2249,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, + ret = -EINVAL; + break; + } +- *user_ptr = (void __user *)ctrls->controls; ++ *user_ptr = (void __force_user *)ctrls->controls; + *kernel_ptr = (void *)&ctrls->controls; + *array_size = sizeof(struct v4l2_ext_control) + * ctrls->count; +@@ -2349,7 +2350,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg, + } + + if (has_array_args) { +- *kernel_ptr = user_ptr; ++ *kernel_ptr = (void __force_kernel *)user_ptr; + if (copy_to_user(user_ptr, mbuf, array_size)) + err = -EFAULT; + goto out_array_args; +diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c +index 570b18a..f880314 100644 +--- a/drivers/message/fusion/mptbase.c ++++ b/drivers/message/fusion/mptbase.c +@@ -6755,8 +6755,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v) + seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth); + seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize); + ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL); ++#else + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", + (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma); ++#endif ++ + /* + * Rounding UP to nearest 4-kB boundary here... + */ +@@ -6769,7 +6774,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v) + ioc->facts.GlobalCredits); + + seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n", ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL, NULL); ++#else + (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma); ++#endif + sz = (ioc->reply_sz * ioc->reply_depth) + 128; + seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n", + ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz); +diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c +index 00d339c..2ea899d 100644 +--- a/drivers/message/fusion/mptsas.c ++++ b/drivers/message/fusion/mptsas.c +@@ -446,6 +446,23 @@ mptsas_is_end_device(struct mptsas_devinfo * attached) + return 0; + } + ++static inline void ++mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy) ++{ ++ if (phy_info->port_details) { ++ phy_info->port_details->rphy = rphy; ++ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n", ++ ioc->name, rphy)); ++ } ++ ++ if (rphy) { ++ dsaswideprintk(ioc, dev_printk(KERN_DEBUG, ++ &rphy->dev, MYIOC_s_FMT "add:", ioc->name)); ++ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n", ++ ioc->name, rphy, rphy->dev.release)); ++ } ++} ++ + /* no mutex */ + static void + mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details) +@@ -484,23 +501,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *phy_info) + return NULL; + } + +-static inline void +-mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy) +-{ +- if (phy_info->port_details) { +- phy_info->port_details->rphy = rphy; +- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n", +- ioc->name, rphy)); +- } +- +- if (rphy) { +- dsaswideprintk(ioc, dev_printk(KERN_DEBUG, +- &rphy->dev, MYIOC_s_FMT "add:", ioc->name)); +- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n", +- ioc->name, rphy, rphy->dev.release)); +- } +-} +- + static inline struct sas_port * + mptsas_get_port(struct mptsas_phyinfo *phy_info) + { +diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c +index 727819c..ad74694 100644 +--- a/drivers/message/fusion/mptscsih.c ++++ b/drivers/message/fusion/mptscsih.c +@@ -1271,15 +1271,16 @@ mptscsih_info(struct Scsi_Host *SChost) + + h = shost_priv(SChost); + +- if (h) { +- if (h->info_kbuf == NULL) +- if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL) +- return h->info_kbuf; +- h->info_kbuf[0] = '\0'; ++ if (!h) ++ return NULL; + +- mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0); +- h->info_kbuf[size-1] = '\0'; +- } ++ if (h->info_kbuf == NULL) ++ if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL) ++ return h->info_kbuf; ++ h->info_kbuf[0] = '\0'; ++ ++ mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0); ++ h->info_kbuf[size-1] = '\0'; + + return h->info_kbuf; + } +diff --git a/drivers/message/i2o/i2o_proc.c b/drivers/message/i2o/i2o_proc.c +index b7d87cd..3fb36da 100644 +--- a/drivers/message/i2o/i2o_proc.c ++++ b/drivers/message/i2o/i2o_proc.c +@@ -255,12 +255,6 @@ static char *scsi_devices[] = { + "Array Controller Device" + }; + +-static char *chtostr(char *tmp, u8 *chars, int n) +-{ +- tmp[0] = 0; +- return strncat(tmp, (char *)chars, n); +-} +- + static int i2o_report_query_status(struct seq_file *seq, int block_status, + char *group) + { +@@ -707,9 +701,9 @@ static int i2o_seq_show_status(struct seq_file *seq, void *v) + static int i2o_seq_show_hw(struct seq_file *seq, void *v) + { + struct i2o_controller *c = (struct i2o_controller *)seq->private; +- static u32 work32[5]; +- static u8 *work8 = (u8 *) work32; +- static u16 *work16 = (u16 *) work32; ++ u32 work32[5]; ++ u8 *work8 = (u8 *) work32; ++ u16 *work16 = (u16 *) work32; + int token; + u32 hwcap; + +@@ -790,7 +784,6 @@ static int i2o_seq_show_ddm_table(struct seq_file *seq, void *v) + } *result; + + i2o_exec_execute_ddm_table ddm_table; +- char tmp[28 + 1]; + + result = kmalloc(sizeof(*result), GFP_KERNEL); + if (!result) +@@ -825,8 +818,7 @@ static int i2o_seq_show_ddm_table(struct seq_file *seq, void *v) + + seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id); + seq_printf(seq, "%-#8x", ddm_table.module_id); +- seq_printf(seq, "%-29s", +- chtostr(tmp, ddm_table.module_name_version, 28)); ++ seq_printf(seq, "%-.28s", ddm_table.module_name_version); + seq_printf(seq, "%9d ", ddm_table.data_size); + seq_printf(seq, "%8d", ddm_table.code_size); + +@@ -893,7 +885,6 @@ static int i2o_seq_show_drivers_stored(struct seq_file *seq, void *v) + + i2o_driver_result_table *result; + i2o_driver_store_table *dst; +- char tmp[28 + 1]; + + result = kmalloc(sizeof(i2o_driver_result_table), GFP_KERNEL); + if (result == NULL) +@@ -928,9 +919,8 @@ static int i2o_seq_show_drivers_stored(struct seq_file *seq, void *v) + + seq_printf(seq, "%-#7x", dst->i2o_vendor_id); + seq_printf(seq, "%-#8x", dst->module_id); +- seq_printf(seq, "%-29s", +- chtostr(tmp, dst->module_name_version, 28)); +- seq_printf(seq, "%-9s", chtostr(tmp, dst->date, 8)); ++ seq_printf(seq, "%-.28s", dst->module_name_version); ++ seq_printf(seq, "%-.8s", dst->date); + seq_printf(seq, "%8d ", dst->module_size); + seq_printf(seq, "%8d ", dst->mpb_size); + seq_printf(seq, "0x%04x", dst->module_flags); +@@ -1246,11 +1236,10 @@ static int i2o_seq_show_authorized_users(struct seq_file *seq, void *v) + static int i2o_seq_show_dev_identity(struct seq_file *seq, void *v) + { + struct i2o_device *d = (struct i2o_device *)seq->private; +- static u32 work32[128]; // allow for "stuff" + up to 256 byte (max) serial number ++ u32 work32[128]; // allow for "stuff" + up to 256 byte (max) serial number + // == (allow) 512d bytes (max) +- static u16 *work16 = (u16 *) work32; ++ u16 *work16 = (u16 *) work32; + int token; +- char tmp[16 + 1]; + + token = i2o_parm_field_get(d, 0xF100, -1, &work32, sizeof(work32)); + +@@ -1262,14 +1251,10 @@ static int i2o_seq_show_dev_identity(struct seq_file *seq, void *v) + seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0])); + seq_printf(seq, "Owner TID : %0#5x\n", work16[2]); + seq_printf(seq, "Parent TID : %0#5x\n", work16[3]); +- seq_printf(seq, "Vendor info : %s\n", +- chtostr(tmp, (u8 *) (work32 + 2), 16)); +- seq_printf(seq, "Product info : %s\n", +- chtostr(tmp, (u8 *) (work32 + 6), 16)); +- seq_printf(seq, "Description : %s\n", +- chtostr(tmp, (u8 *) (work32 + 10), 16)); +- seq_printf(seq, "Product rev. : %s\n", +- chtostr(tmp, (u8 *) (work32 + 14), 8)); ++ seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2)); ++ seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6)); ++ seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10)); ++ seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14)); + + seq_printf(seq, "Serial number : "); + print_serial_number(seq, (u8 *) (work32 + 16), +@@ -1306,8 +1291,6 @@ static int i2o_seq_show_ddm_identity(struct seq_file *seq, void *v) + u8 pad[256]; // allow up to 256 byte (max) serial number + } result; + +- char tmp[24 + 1]; +- + token = i2o_parm_field_get(d, 0xF101, -1, &result, sizeof(result)); + + if (token < 0) { +@@ -1316,10 +1299,8 @@ static int i2o_seq_show_ddm_identity(struct seq_file *seq, void *v) + } + + seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid); +- seq_printf(seq, "Module name : %s\n", +- chtostr(tmp, result.module_name, 24)); +- seq_printf(seq, "Module revision : %s\n", +- chtostr(tmp, result.module_rev, 8)); ++ seq_printf(seq, "Module name : %.24s\n", result.module_name); ++ seq_printf(seq, "Module revision : %.8s\n", result.module_rev); + + seq_printf(seq, "Serial number : "); + print_serial_number(seq, result.serial_number, sizeof(result) - 36); +@@ -1343,8 +1324,6 @@ static int i2o_seq_show_uinfo(struct seq_file *seq, void *v) + u8 instance_number[4]; + } result; + +- char tmp[64 + 1]; +- + token = i2o_parm_field_get(d, 0xF102, -1, &result, sizeof(result)); + + if (token < 0) { +@@ -1352,14 +1331,10 @@ static int i2o_seq_show_uinfo(struct seq_file *seq, void *v) + return 0; + } + +- seq_printf(seq, "Device name : %s\n", +- chtostr(tmp, result.device_name, 64)); +- seq_printf(seq, "Service name : %s\n", +- chtostr(tmp, result.service_name, 64)); +- seq_printf(seq, "Physical name : %s\n", +- chtostr(tmp, result.physical_location, 64)); +- seq_printf(seq, "Instance number : %s\n", +- chtostr(tmp, result.instance_number, 4)); ++ seq_printf(seq, "Device name : %.64s\n", result.device_name); ++ seq_printf(seq, "Service name : %.64s\n", result.service_name); ++ seq_printf(seq, "Physical name : %.64s\n", result.physical_location); ++ seq_printf(seq, "Instance number : %.4s\n", result.instance_number); + + return 0; + } +@@ -1368,9 +1343,9 @@ static int i2o_seq_show_uinfo(struct seq_file *seq, void *v) + static int i2o_seq_show_sgl_limits(struct seq_file *seq, void *v) + { + struct i2o_device *d = (struct i2o_device *)seq->private; +- static u32 work32[12]; +- static u16 *work16 = (u16 *) work32; +- static u8 *work8 = (u8 *) work32; ++ u32 work32[12]; ++ u16 *work16 = (u16 *) work32; ++ u8 *work8 = (u8 *) work32; + int token; + + token = i2o_parm_field_get(d, 0xF103, -1, &work32, sizeof(work32)); +diff --git a/drivers/message/i2o/iop.c b/drivers/message/i2o/iop.c +index a8c08f3..155fe3d 100644 +--- a/drivers/message/i2o/iop.c ++++ b/drivers/message/i2o/iop.c +@@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_controller * c, void *ptr) + + spin_lock_irqsave(&c->context_list_lock, flags); + +- if (unlikely(atomic_inc_and_test(&c->context_list_counter))) +- atomic_inc(&c->context_list_counter); ++ if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter))) ++ atomic_inc_unchecked(&c->context_list_counter); + +- entry->context = atomic_read(&c->context_list_counter); ++ entry->context = atomic_read_unchecked(&c->context_list_counter); + + list_add(&entry->list, &c->context_list); + +@@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(void) + + #if BITS_PER_LONG == 64 + spin_lock_init(&c->context_list_lock); +- atomic_set(&c->context_list_counter, 0); ++ atomic_set_unchecked(&c->context_list_counter, 0); + INIT_LIST_HEAD(&c->context_list); + #endif + +diff --git a/drivers/mfd/ab8500-debugfs.c b/drivers/mfd/ab8500-debugfs.c +index d1a22aa..d0f7bf7 100644 +--- a/drivers/mfd/ab8500-debugfs.c ++++ b/drivers/mfd/ab8500-debugfs.c +@@ -100,7 +100,7 @@ static int irq_last; + static u32 *irq_count; + static int num_irqs; + +-static struct device_attribute **dev_attr; ++static device_attribute_no_const **dev_attr; + static char **event_name; + + static u8 avg_sample = SAMPLE_16; +diff --git a/drivers/mfd/janz-cmodio.c b/drivers/mfd/janz-cmodio.c +index 81b7d88..95ae998 100644 +--- a/drivers/mfd/janz-cmodio.c ++++ b/drivers/mfd/janz-cmodio.c +@@ -13,6 +13,7 @@ + + #include + #include ++#include + #include + #include + #include +diff --git a/drivers/mfd/max8925-i2c.c b/drivers/mfd/max8925-i2c.c +index 176aa26..27811b2 100644 +--- a/drivers/mfd/max8925-i2c.c ++++ b/drivers/mfd/max8925-i2c.c +@@ -152,7 +152,7 @@ static int max8925_probe(struct i2c_client *client, + const struct i2c_device_id *id) + { + struct max8925_platform_data *pdata = dev_get_platdata(&client->dev); +- static struct max8925_chip *chip; ++ struct max8925_chip *chip; + struct device_node *node = client->dev.of_node; + + if (node && !pdata) { +diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c +index 1f142d7..cc52c2a 100644 +--- a/drivers/mfd/tps65910.c ++++ b/drivers/mfd/tps65910.c +@@ -230,7 +230,7 @@ static int tps65910_irq_init(struct tps65910 *tps65910, int irq, + struct tps65910_platform_data *pdata) + { + int ret = 0; +- static struct regmap_irq_chip *tps6591x_irqs_chip; ++ struct regmap_irq_chip *tps6591x_irqs_chip; + + if (!irq) { + dev_warn(tps65910->dev, "No interrupt support, no core IRQ\n"); +diff --git a/drivers/mfd/twl4030-irq.c b/drivers/mfd/twl4030-irq.c +index 9aa6d1e..1631bfc 100644 +--- a/drivers/mfd/twl4030-irq.c ++++ b/drivers/mfd/twl4030-irq.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + + #include "twl-core.h" + +@@ -726,10 +727,12 @@ int twl4030_init_irq(struct device *dev, int irq_num) + * Install an irq handler for each of the SIH modules; + * clone dummy irq_chip since PIH can't *do* anything + */ +- twl4030_irq_chip = dummy_irq_chip; +- twl4030_irq_chip.name = "twl4030"; ++ pax_open_kernel(); ++ memcpy((void *)&twl4030_irq_chip, &dummy_irq_chip, sizeof twl4030_irq_chip); ++ *(const char **)&twl4030_irq_chip.name = "twl4030"; + +- twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack; ++ *(void **)&twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack; ++ pax_close_kernel(); + + for (i = irq_base; i < irq_end; i++) { + irq_set_chip_and_handler(i, &twl4030_irq_chip, +diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c +index 464419b..64bae8d 100644 +--- a/drivers/misc/c2port/core.c ++++ b/drivers/misc/c2port/core.c +@@ -922,7 +922,9 @@ struct c2port_device *c2port_device_register(char *name, + goto error_idr_alloc; + c2dev->id = ret; + +- bin_attr_flash_data.size = ops->blocks_num * ops->block_size; ++ pax_open_kernel(); ++ *(size_t *)&bin_attr_flash_data.size = ops->blocks_num * ops->block_size; ++ pax_close_kernel(); + + c2dev->dev = device_create(c2port_class, NULL, 0, c2dev, + "c2port%d", c2dev->id); +diff --git a/drivers/misc/eeprom/sunxi_sid.c b/drivers/misc/eeprom/sunxi_sid.c +index 9c34e57..b981cda 100644 +--- a/drivers/misc/eeprom/sunxi_sid.c ++++ b/drivers/misc/eeprom/sunxi_sid.c +@@ -127,7 +127,9 @@ static int sunxi_sid_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, sid_data); + +- sid_bin_attr.size = sid_data->keysize; ++ pax_open_kernel(); ++ *(size_t *)&sid_bin_attr.size = sid_data->keysize; ++ pax_close_kernel(); + if (device_create_bin_file(&pdev->dev, &sid_bin_attr)) + return -ENODEV; + +diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c +index 36f5d52..32311c3 100644 +--- a/drivers/misc/kgdbts.c ++++ b/drivers/misc/kgdbts.c +@@ -834,7 +834,7 @@ static void run_plant_and_detach_test(int is_early) + char before[BREAK_INSTR_SIZE]; + char after[BREAK_INSTR_SIZE]; + +- probe_kernel_read(before, (char *)kgdbts_break_test, ++ probe_kernel_read(before, ktla_ktva((char *)kgdbts_break_test), + BREAK_INSTR_SIZE); + init_simple_test(); + ts.tst = plant_and_detach_test; +@@ -842,7 +842,7 @@ static void run_plant_and_detach_test(int is_early) + /* Activate test with initial breakpoint */ + if (!is_early) + kgdb_breakpoint(); +- probe_kernel_read(after, (char *)kgdbts_break_test, ++ probe_kernel_read(after, ktla_ktva((char *)kgdbts_break_test), + BREAK_INSTR_SIZE); + if (memcmp(before, after, BREAK_INSTR_SIZE)) { + printk(KERN_CRIT "kgdbts: ERROR kgdb corrupted memory\n"); +diff --git a/drivers/misc/lis3lv02d/lis3lv02d.c b/drivers/misc/lis3lv02d/lis3lv02d.c +index 036effe..b3a6336 100644 +--- a/drivers/misc/lis3lv02d/lis3lv02d.c ++++ b/drivers/misc/lis3lv02d/lis3lv02d.c +@@ -498,7 +498,7 @@ static irqreturn_t lis302dl_interrupt(int irq, void *data) + * the lid is closed. This leads to interrupts as soon as a little move + * is done. + */ +- atomic_inc(&lis3->count); ++ atomic_inc_unchecked(&lis3->count); + + wake_up_interruptible(&lis3->misc_wait); + kill_fasync(&lis3->async_queue, SIGIO, POLL_IN); +@@ -584,7 +584,7 @@ static int lis3lv02d_misc_open(struct inode *inode, struct file *file) + if (lis3->pm_dev) + pm_runtime_get_sync(lis3->pm_dev); + +- atomic_set(&lis3->count, 0); ++ atomic_set_unchecked(&lis3->count, 0); + return 0; + } + +@@ -616,7 +616,7 @@ static ssize_t lis3lv02d_misc_read(struct file *file, char __user *buf, + add_wait_queue(&lis3->misc_wait, &wait); + while (true) { + set_current_state(TASK_INTERRUPTIBLE); +- data = atomic_xchg(&lis3->count, 0); ++ data = atomic_xchg_unchecked(&lis3->count, 0); + if (data) + break; + +@@ -657,7 +657,7 @@ static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait) + struct lis3lv02d, miscdev); + + poll_wait(file, &lis3->misc_wait, wait); +- if (atomic_read(&lis3->count)) ++ if (atomic_read_unchecked(&lis3->count)) + return POLLIN | POLLRDNORM; + return 0; + } +diff --git a/drivers/misc/lis3lv02d/lis3lv02d.h b/drivers/misc/lis3lv02d/lis3lv02d.h +index c439c82..1f20f57 100644 +--- a/drivers/misc/lis3lv02d/lis3lv02d.h ++++ b/drivers/misc/lis3lv02d/lis3lv02d.h +@@ -297,7 +297,7 @@ struct lis3lv02d { + struct input_polled_dev *idev; /* input device */ + struct platform_device *pdev; /* platform device */ + struct regulator_bulk_data regulators[2]; +- atomic_t count; /* interrupt count after last read */ ++ atomic_unchecked_t count; /* interrupt count after last read */ + union axis_conversion ac; /* hw -> logical axis */ + int mapped_btns[3]; + +diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c +index 2f30bad..c4c13d0 100644 +--- a/drivers/misc/sgi-gru/gruhandles.c ++++ b/drivers/misc/sgi-gru/gruhandles.c +@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op op, unsigned long clks) + unsigned long nsec; + + nsec = CLKS2NSEC(clks); +- atomic_long_inc(&mcs_op_statistics[op].count); +- atomic_long_add(nsec, &mcs_op_statistics[op].total); ++ atomic_long_inc_unchecked(&mcs_op_statistics[op].count); ++ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total); + if (mcs_op_statistics[op].max < nsec) + mcs_op_statistics[op].max = nsec; + } +diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c +index 4f76359..cdfcb2e 100644 +--- a/drivers/misc/sgi-gru/gruprocfs.c ++++ b/drivers/misc/sgi-gru/gruprocfs.c +@@ -32,9 +32,9 @@ + + #define printstat(s, f) printstat_val(s, &gru_stats.f, #f) + +-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id) ++static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id) + { +- unsigned long val = atomic_long_read(v); ++ unsigned long val = atomic_long_read_unchecked(v); + + seq_printf(s, "%16lu %s\n", val, id); + } +@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct seq_file *s, void *p) + + seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks"); + for (op = 0; op < mcsop_last; op++) { +- count = atomic_long_read(&mcs_op_statistics[op].count); +- total = atomic_long_read(&mcs_op_statistics[op].total); ++ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count); ++ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total); + max = mcs_op_statistics[op].max; + seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count, + count ? total / count : 0, max); +diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h +index 5c3ce24..4915ccb 100644 +--- a/drivers/misc/sgi-gru/grutables.h ++++ b/drivers/misc/sgi-gru/grutables.h +@@ -167,82 +167,82 @@ extern unsigned int gru_max_gids; + * GRU statistics. + */ + struct gru_stats_s { +- atomic_long_t vdata_alloc; +- atomic_long_t vdata_free; +- atomic_long_t gts_alloc; +- atomic_long_t gts_free; +- atomic_long_t gms_alloc; +- atomic_long_t gms_free; +- atomic_long_t gts_double_allocate; +- atomic_long_t assign_context; +- atomic_long_t assign_context_failed; +- atomic_long_t free_context; +- atomic_long_t load_user_context; +- atomic_long_t load_kernel_context; +- atomic_long_t lock_kernel_context; +- atomic_long_t unlock_kernel_context; +- atomic_long_t steal_user_context; +- atomic_long_t steal_kernel_context; +- atomic_long_t steal_context_failed; +- atomic_long_t nopfn; +- atomic_long_t asid_new; +- atomic_long_t asid_next; +- atomic_long_t asid_wrap; +- atomic_long_t asid_reuse; +- atomic_long_t intr; +- atomic_long_t intr_cbr; +- atomic_long_t intr_tfh; +- atomic_long_t intr_spurious; +- atomic_long_t intr_mm_lock_failed; +- atomic_long_t call_os; +- atomic_long_t call_os_wait_queue; +- atomic_long_t user_flush_tlb; +- atomic_long_t user_unload_context; +- atomic_long_t user_exception; +- atomic_long_t set_context_option; +- atomic_long_t check_context_retarget_intr; +- atomic_long_t check_context_unload; +- atomic_long_t tlb_dropin; +- atomic_long_t tlb_preload_page; +- atomic_long_t tlb_dropin_fail_no_asid; +- atomic_long_t tlb_dropin_fail_upm; +- atomic_long_t tlb_dropin_fail_invalid; +- atomic_long_t tlb_dropin_fail_range_active; +- atomic_long_t tlb_dropin_fail_idle; +- atomic_long_t tlb_dropin_fail_fmm; +- atomic_long_t tlb_dropin_fail_no_exception; +- atomic_long_t tfh_stale_on_fault; +- atomic_long_t mmu_invalidate_range; +- atomic_long_t mmu_invalidate_page; +- atomic_long_t flush_tlb; +- atomic_long_t flush_tlb_gru; +- atomic_long_t flush_tlb_gru_tgh; +- atomic_long_t flush_tlb_gru_zero_asid; ++ atomic_long_unchecked_t vdata_alloc; ++ atomic_long_unchecked_t vdata_free; ++ atomic_long_unchecked_t gts_alloc; ++ atomic_long_unchecked_t gts_free; ++ atomic_long_unchecked_t gms_alloc; ++ atomic_long_unchecked_t gms_free; ++ atomic_long_unchecked_t gts_double_allocate; ++ atomic_long_unchecked_t assign_context; ++ atomic_long_unchecked_t assign_context_failed; ++ atomic_long_unchecked_t free_context; ++ atomic_long_unchecked_t load_user_context; ++ atomic_long_unchecked_t load_kernel_context; ++ atomic_long_unchecked_t lock_kernel_context; ++ atomic_long_unchecked_t unlock_kernel_context; ++ atomic_long_unchecked_t steal_user_context; ++ atomic_long_unchecked_t steal_kernel_context; ++ atomic_long_unchecked_t steal_context_failed; ++ atomic_long_unchecked_t nopfn; ++ atomic_long_unchecked_t asid_new; ++ atomic_long_unchecked_t asid_next; ++ atomic_long_unchecked_t asid_wrap; ++ atomic_long_unchecked_t asid_reuse; ++ atomic_long_unchecked_t intr; ++ atomic_long_unchecked_t intr_cbr; ++ atomic_long_unchecked_t intr_tfh; ++ atomic_long_unchecked_t intr_spurious; ++ atomic_long_unchecked_t intr_mm_lock_failed; ++ atomic_long_unchecked_t call_os; ++ atomic_long_unchecked_t call_os_wait_queue; ++ atomic_long_unchecked_t user_flush_tlb; ++ atomic_long_unchecked_t user_unload_context; ++ atomic_long_unchecked_t user_exception; ++ atomic_long_unchecked_t set_context_option; ++ atomic_long_unchecked_t check_context_retarget_intr; ++ atomic_long_unchecked_t check_context_unload; ++ atomic_long_unchecked_t tlb_dropin; ++ atomic_long_unchecked_t tlb_preload_page; ++ atomic_long_unchecked_t tlb_dropin_fail_no_asid; ++ atomic_long_unchecked_t tlb_dropin_fail_upm; ++ atomic_long_unchecked_t tlb_dropin_fail_invalid; ++ atomic_long_unchecked_t tlb_dropin_fail_range_active; ++ atomic_long_unchecked_t tlb_dropin_fail_idle; ++ atomic_long_unchecked_t tlb_dropin_fail_fmm; ++ atomic_long_unchecked_t tlb_dropin_fail_no_exception; ++ atomic_long_unchecked_t tfh_stale_on_fault; ++ atomic_long_unchecked_t mmu_invalidate_range; ++ atomic_long_unchecked_t mmu_invalidate_page; ++ atomic_long_unchecked_t flush_tlb; ++ atomic_long_unchecked_t flush_tlb_gru; ++ atomic_long_unchecked_t flush_tlb_gru_tgh; ++ atomic_long_unchecked_t flush_tlb_gru_zero_asid; + +- atomic_long_t copy_gpa; +- atomic_long_t read_gpa; ++ atomic_long_unchecked_t copy_gpa; ++ atomic_long_unchecked_t read_gpa; + +- atomic_long_t mesq_receive; +- atomic_long_t mesq_receive_none; +- atomic_long_t mesq_send; +- atomic_long_t mesq_send_failed; +- atomic_long_t mesq_noop; +- atomic_long_t mesq_send_unexpected_error; +- atomic_long_t mesq_send_lb_overflow; +- atomic_long_t mesq_send_qlimit_reached; +- atomic_long_t mesq_send_amo_nacked; +- atomic_long_t mesq_send_put_nacked; +- atomic_long_t mesq_page_overflow; +- atomic_long_t mesq_qf_locked; +- atomic_long_t mesq_qf_noop_not_full; +- atomic_long_t mesq_qf_switch_head_failed; +- atomic_long_t mesq_qf_unexpected_error; +- atomic_long_t mesq_noop_unexpected_error; +- atomic_long_t mesq_noop_lb_overflow; +- atomic_long_t mesq_noop_qlimit_reached; +- atomic_long_t mesq_noop_amo_nacked; +- atomic_long_t mesq_noop_put_nacked; +- atomic_long_t mesq_noop_page_overflow; ++ atomic_long_unchecked_t mesq_receive; ++ atomic_long_unchecked_t mesq_receive_none; ++ atomic_long_unchecked_t mesq_send; ++ atomic_long_unchecked_t mesq_send_failed; ++ atomic_long_unchecked_t mesq_noop; ++ atomic_long_unchecked_t mesq_send_unexpected_error; ++ atomic_long_unchecked_t mesq_send_lb_overflow; ++ atomic_long_unchecked_t mesq_send_qlimit_reached; ++ atomic_long_unchecked_t mesq_send_amo_nacked; ++ atomic_long_unchecked_t mesq_send_put_nacked; ++ atomic_long_unchecked_t mesq_page_overflow; ++ atomic_long_unchecked_t mesq_qf_locked; ++ atomic_long_unchecked_t mesq_qf_noop_not_full; ++ atomic_long_unchecked_t mesq_qf_switch_head_failed; ++ atomic_long_unchecked_t mesq_qf_unexpected_error; ++ atomic_long_unchecked_t mesq_noop_unexpected_error; ++ atomic_long_unchecked_t mesq_noop_lb_overflow; ++ atomic_long_unchecked_t mesq_noop_qlimit_reached; ++ atomic_long_unchecked_t mesq_noop_amo_nacked; ++ atomic_long_unchecked_t mesq_noop_put_nacked; ++ atomic_long_unchecked_t mesq_noop_page_overflow; + + }; + +@@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start, cchop_interrupt, cchop_interrupt_sync, + tghop_invalidate, mcsop_last}; + + struct mcs_op_statistic { +- atomic_long_t count; +- atomic_long_t total; ++ atomic_long_unchecked_t count; ++ atomic_long_unchecked_t total; + unsigned long max; + }; + +@@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_statistics[mcsop_last]; + + #define STAT(id) do { \ + if (gru_options & OPT_STATS) \ +- atomic_long_inc(&gru_stats.id); \ ++ atomic_long_inc_unchecked(&gru_stats.id); \ + } while (0) + + #ifdef CONFIG_SGI_GRU_DEBUG +diff --git a/drivers/misc/sgi-xp/xp.h b/drivers/misc/sgi-xp/xp.h +index c862cd4..0d176fe 100644 +--- a/drivers/misc/sgi-xp/xp.h ++++ b/drivers/misc/sgi-xp/xp.h +@@ -288,7 +288,7 @@ struct xpc_interface { + xpc_notify_func, void *); + void (*received) (short, int, void *); + enum xp_retval (*partid_to_nasids) (short, void *); +-}; ++} __no_const; + + extern struct xpc_interface xpc_interface; + +diff --git a/drivers/misc/sgi-xp/xp_main.c b/drivers/misc/sgi-xp/xp_main.c +index 01be66d..e3a0c7e 100644 +--- a/drivers/misc/sgi-xp/xp_main.c ++++ b/drivers/misc/sgi-xp/xp_main.c +@@ -78,13 +78,13 @@ xpc_notloaded(void) + } + + struct xpc_interface xpc_interface = { +- (void (*)(int))xpc_notloaded, +- (void (*)(int))xpc_notloaded, +- (enum xp_retval(*)(short, int, u32, void *, u16))xpc_notloaded, +- (enum xp_retval(*)(short, int, u32, void *, u16, xpc_notify_func, ++ .connect = (void (*)(int))xpc_notloaded, ++ .disconnect = (void (*)(int))xpc_notloaded, ++ .send = (enum xp_retval(*)(short, int, u32, void *, u16))xpc_notloaded, ++ .send_notify = (enum xp_retval(*)(short, int, u32, void *, u16, xpc_notify_func, + void *))xpc_notloaded, +- (void (*)(short, int, void *))xpc_notloaded, +- (enum xp_retval(*)(short, void *))xpc_notloaded ++ .received = (void (*)(short, int, void *))xpc_notloaded, ++ .partid_to_nasids = (enum xp_retval(*)(short, void *))xpc_notloaded + }; + EXPORT_SYMBOL_GPL(xpc_interface); + +diff --git a/drivers/misc/sgi-xp/xpc.h b/drivers/misc/sgi-xp/xpc.h +index b94d5f7..7f494c5 100644 +--- a/drivers/misc/sgi-xp/xpc.h ++++ b/drivers/misc/sgi-xp/xpc.h +@@ -835,6 +835,7 @@ struct xpc_arch_operations { + void (*received_payload) (struct xpc_channel *, void *); + void (*notify_senders_of_disconnect) (struct xpc_channel *); + }; ++typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const; + + /* struct xpc_partition act_state values (for XPC HB) */ + +@@ -876,7 +877,7 @@ extern struct xpc_registration xpc_registrations[]; + /* found in xpc_main.c */ + extern struct device *xpc_part; + extern struct device *xpc_chan; +-extern struct xpc_arch_operations xpc_arch_ops; ++extern xpc_arch_operations_no_const xpc_arch_ops; + extern int xpc_disengage_timelimit; + extern int xpc_disengage_timedout; + extern int xpc_activate_IRQ_rcvd; +diff --git a/drivers/misc/sgi-xp/xpc_main.c b/drivers/misc/sgi-xp/xpc_main.c +index 82dc574..8539ab2 100644 +--- a/drivers/misc/sgi-xp/xpc_main.c ++++ b/drivers/misc/sgi-xp/xpc_main.c +@@ -166,7 +166,7 @@ static struct notifier_block xpc_die_notifier = { + .notifier_call = xpc_system_die, + }; + +-struct xpc_arch_operations xpc_arch_ops; ++xpc_arch_operations_no_const xpc_arch_ops; + + /* + * Timer function to enforce the timelimit on the partition disengage. +@@ -1210,7 +1210,7 @@ xpc_system_die(struct notifier_block *nb, unsigned long event, void *_die_args) + + if (((die_args->trapnr == X86_TRAP_MF) || + (die_args->trapnr == X86_TRAP_XF)) && +- !user_mode_vm(die_args->regs)) ++ !user_mode(die_args->regs)) + xpc_die_deactivate(); + + break; +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c +index 7b5424f..ed1d6ac 100644 +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -575,7 +575,7 @@ static int mmc_blk_ioctl_cmd(struct block_device *bdev, + if (idata->ic.postsleep_min_us) + usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us); + +- if (copy_to_user(&(ic_ptr->response), cmd.resp, sizeof(cmd.resp))) { ++ if (copy_to_user(ic_ptr->response, cmd.resp, sizeof(cmd.resp))) { + err = -EFAULT; + goto cmd_rel_host; + } +diff --git a/drivers/mmc/core/mmc_ops.c b/drivers/mmc/core/mmc_ops.c +index e5b5eeb..7bf2212 100644 +--- a/drivers/mmc/core/mmc_ops.c ++++ b/drivers/mmc/core/mmc_ops.c +@@ -247,7 +247,7 @@ mmc_send_cxd_data(struct mmc_card *card, struct mmc_host *host, + void *data_buf; + int is_on_stack; + +- is_on_stack = object_is_on_stack(buf); ++ is_on_stack = object_starts_on_stack(buf); + if (is_on_stack) { + /* + * dma onto stack is unsafe/nonportable, but callers to this +diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h +index 6bf24ab..13d0293b 100644 +--- a/drivers/mmc/host/dw_mmc.h ++++ b/drivers/mmc/host/dw_mmc.h +@@ -258,5 +258,5 @@ struct dw_mci_drv_data { + int (*parse_dt)(struct dw_mci *host); + int (*execute_tuning)(struct dw_mci_slot *slot, u32 opcode, + struct dw_mci_tuning_data *tuning_data); +-}; ++} __do_const; + #endif /* _DW_MMC_H_ */ +diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c +index b931226..df6a085 100644 +--- a/drivers/mmc/host/mmci.c ++++ b/drivers/mmc/host/mmci.c +@@ -1504,7 +1504,9 @@ static int mmci_probe(struct amba_device *dev, + } + + if (variant->busy_detect) { +- mmci_ops.card_busy = mmci_card_busy; ++ pax_open_kernel(); ++ *(void **)&mmci_ops.card_busy = mmci_card_busy; ++ pax_close_kernel(); + mmci_write_datactrlreg(host, MCI_ST_DPSM_BUSYMODE); + } + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index b841bb7..d82712f5 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -1031,9 +1031,12 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev) + host->mmc->caps |= MMC_CAP_1_8V_DDR; + } + +- if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) +- sdhci_esdhc_ops.platform_execute_tuning = ++ if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) { ++ pax_open_kernel(); ++ *(void **)&sdhci_esdhc_ops.platform_execute_tuning = + esdhc_executing_tuning; ++ pax_close_kernel(); ++ } + + if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) + writel(readl(host->ioaddr + ESDHC_TUNING_CTRL) | +diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c +index 6debda9..2ba7427 100644 +--- a/drivers/mmc/host/sdhci-s3c.c ++++ b/drivers/mmc/host/sdhci-s3c.c +@@ -668,9 +668,11 @@ static int sdhci_s3c_probe(struct platform_device *pdev) + * we can use overriding functions instead of default. + */ + if (host->quirks & SDHCI_QUIRK_NONSTANDARD_CLOCK) { +- sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock; +- sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock; +- sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock; ++ pax_open_kernel(); ++ *(void **)&sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock; ++ *(void **)&sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock; ++ *(void **)&sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock; ++ pax_close_kernel(); + } + + /* It supports additional host capabilities if needed */ +diff --git a/drivers/mtd/chips/cfi_cmdset_0020.c b/drivers/mtd/chips/cfi_cmdset_0020.c +index 096993f..f02c23b 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0020.c ++++ b/drivers/mtd/chips/cfi_cmdset_0020.c +@@ -669,7 +669,7 @@ cfi_staa_writev(struct mtd_info *mtd, const struct kvec *vecs, + size_t totlen = 0, thislen; + int ret = 0; + size_t buflen = 0; +- static char *buffer; ++ char *buffer; + + if (!ECCBUF_SIZE) { + /* We should fall back to a general writev implementation. +diff --git a/drivers/mtd/nand/denali.c b/drivers/mtd/nand/denali.c +index c07cd57..61c4fbd 100644 +--- a/drivers/mtd/nand/denali.c ++++ b/drivers/mtd/nand/denali.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include "denali.h" + +diff --git a/drivers/mtd/nftlmount.c b/drivers/mtd/nftlmount.c +index 51b9d6a..52af9a7 100644 +--- a/drivers/mtd/nftlmount.c ++++ b/drivers/mtd/nftlmount.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c +index 4b8e895..6b3c498 100644 +--- a/drivers/mtd/sm_ftl.c ++++ b/drivers/mtd/sm_ftl.c +@@ -56,7 +56,7 @@ static ssize_t sm_attr_show(struct device *dev, struct device_attribute *attr, + #define SM_CIS_VENDOR_OFFSET 0x59 + static struct attribute_group *sm_create_sysfs_attributes(struct sm_ftl *ftl) + { +- struct attribute_group *attr_group; ++ attribute_group_no_const *attr_group; + struct attribute **attributes; + struct sm_sysfs_attribute *vendor_attribute; + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index e5628fc..ffe54d1 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4551,6 +4551,7 @@ static void __exit bonding_exit(void) + + bond_netlink_fini(); + unregister_pernet_subsys(&bond_net_ops); ++ rtnl_link_unregister(&bond_link_ops); + + #ifdef CONFIG_NET_POLL_CONTROLLER + /* +diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c +index 70651f8..7eb1bdf 100644 +--- a/drivers/net/bonding/bond_netlink.c ++++ b/drivers/net/bonding/bond_netlink.c +@@ -542,7 +542,7 @@ nla_put_failure: + return -EMSGSIZE; + } + +-struct rtnl_link_ops bond_link_ops __read_mostly = { ++struct rtnl_link_ops bond_link_ops = { + .kind = "bond", + .priv_size = sizeof(struct bonding), + .setup = bond_setup, +diff --git a/drivers/net/can/Kconfig b/drivers/net/can/Kconfig +index 9e7d95d..d447b88 100644 +--- a/drivers/net/can/Kconfig ++++ b/drivers/net/can/Kconfig +@@ -104,7 +104,7 @@ config CAN_JANZ_ICAN3 + + config CAN_FLEXCAN + tristate "Support for Freescale FLEXCAN based chips" +- depends on ARM || PPC ++ depends on (ARM && CPU_LITTLE_ENDIAN) || PPC + ---help--- + Say Y here if you want to support for Freescale FlexCAN. + +diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c +index 455d4c3..3353ee7 100644 +--- a/drivers/net/ethernet/8390/ax88796.c ++++ b/drivers/net/ethernet/8390/ax88796.c +@@ -889,9 +889,11 @@ static int ax_probe(struct platform_device *pdev) + if (ax->plat->reg_offsets) + ei_local->reg_offset = ax->plat->reg_offsets; + else { ++ resource_size_t _mem_size = mem_size; ++ do_div(_mem_size, 0x18); + ei_local->reg_offset = ax->reg_offsets; + for (ret = 0; ret < 0x18; ret++) +- ax->reg_offsets[ret] = (mem_size / 0x18) * ret; ++ ax->reg_offsets[ret] = _mem_size * ret; + } + + if (!request_mem_region(mem->start, mem_size, pdev->name)) { +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +index a89a40f..5a8a2ac 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +@@ -1062,7 +1062,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp) + static inline void bnx2x_init_bp_objs(struct bnx2x *bp) + { + /* RX_MODE controlling object */ +- bnx2x_init_rx_mode_obj(bp, &bp->rx_mode_obj); ++ bnx2x_init_rx_mode_obj(bp); + + /* multicast configuration controlling object */ + bnx2x_init_mcast_obj(bp, &bp->mcast_obj, bp->fp->cl_id, bp->fp->cid, +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c +index 0fb6ff2..78fd55c 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c +@@ -2329,15 +2329,14 @@ int bnx2x_config_rx_mode(struct bnx2x *bp, + return rc; + } + +-void bnx2x_init_rx_mode_obj(struct bnx2x *bp, +- struct bnx2x_rx_mode_obj *o) ++void bnx2x_init_rx_mode_obj(struct bnx2x *bp) + { + if (CHIP_IS_E1x(bp)) { +- o->wait_comp = bnx2x_empty_rx_mode_wait; +- o->config_rx_mode = bnx2x_set_rx_mode_e1x; ++ bp->rx_mode_obj.wait_comp = bnx2x_empty_rx_mode_wait; ++ bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e1x; + } else { +- o->wait_comp = bnx2x_wait_rx_mode_comp_e2; +- o->config_rx_mode = bnx2x_set_rx_mode_e2; ++ bp->rx_mode_obj.wait_comp = bnx2x_wait_rx_mode_comp_e2; ++ bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e2; + } + } + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h +index 00d7f21..2cddec4 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h +@@ -1321,8 +1321,7 @@ int bnx2x_vlan_mac_move(struct bnx2x *bp, + + /********************* RX MODE ****************/ + +-void bnx2x_init_rx_mode_obj(struct bnx2x *bp, +- struct bnx2x_rx_mode_obj *o); ++void bnx2x_init_rx_mode_obj(struct bnx2x *bp); + + /** + * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters. +diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h +index 04321e5..b51cdc4 100644 +--- a/drivers/net/ethernet/broadcom/tg3.h ++++ b/drivers/net/ethernet/broadcom/tg3.h +@@ -150,6 +150,7 @@ + #define CHIPREV_ID_5750_A0 0x4000 + #define CHIPREV_ID_5750_A1 0x4001 + #define CHIPREV_ID_5750_A3 0x4003 ++#define CHIPREV_ID_5750_C1 0x4201 + #define CHIPREV_ID_5750_C2 0x4202 + #define CHIPREV_ID_5752_A0_HW 0x5000 + #define CHIPREV_ID_5752_A0 0x6000 +diff --git a/drivers/net/ethernet/brocade/bna/bna_enet.c b/drivers/net/ethernet/brocade/bna/bna_enet.c +index 13f9636..228040f 100644 +--- a/drivers/net/ethernet/brocade/bna/bna_enet.c ++++ b/drivers/net/ethernet/brocade/bna/bna_enet.c +@@ -1690,10 +1690,10 @@ bna_cb_ioceth_reset(void *arg) + } + + static struct bfa_ioc_cbfn bna_ioceth_cbfn = { +- bna_cb_ioceth_enable, +- bna_cb_ioceth_disable, +- bna_cb_ioceth_hbfail, +- bna_cb_ioceth_reset ++ .enable_cbfn = bna_cb_ioceth_enable, ++ .disable_cbfn = bna_cb_ioceth_disable, ++ .hbfail_cbfn = bna_cb_ioceth_hbfail, ++ .reset_cbfn = bna_cb_ioceth_reset + }; + + static void bna_attr_init(struct bna_ioceth *ioceth) +diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +index 8cffcdf..aadf043 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h ++++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +@@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)(struct t3cdev * dev, + */ + struct l2t_skb_cb { + arp_failure_handler_func arp_failure_handler; +-}; ++} __no_const; + + #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 34e2488..07e2079 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -2120,7 +2120,7 @@ static void get_regs(struct net_device *dev, struct ethtool_regs *regs, + + int i; + struct adapter *ap = netdev2adap(dev); +- static const unsigned int *reg_ranges; ++ const unsigned int *reg_ranges; + int arr_size = 0, buf_size = 0; + + if (is_t4(ap->params.chip)) { +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index c05b66d..ed69872 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -5388,7 +5388,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) + for (i=0; idev_addr[i]; + } +- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT; ++ if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT; + break; + + case DE4X5_SET_HWADDR: /* Set the hardware address */ +@@ -5428,7 +5428,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) + spin_lock_irqsave(&lp->lock, flags); + memcpy(&statbuf, &lp->pktStats, ioc->len); + spin_unlock_irqrestore(&lp->lock, flags); +- if (copy_to_user(ioc->data, &statbuf, ioc->len)) ++ if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len)) + return -EFAULT; + break; + } +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 36c8061..ca5e1e0 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -534,7 +534,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val) + + if (wrapped) + newacc += 65536; +- ACCESS_ONCE(*acc) = newacc; ++ ACCESS_ONCE_RW(*acc) = newacc; + } + + static void populate_erx_stats(struct be_adapter *adapter, +diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c +index c11ecbc..13bb299 100644 +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -30,6 +30,8 @@ + #include + #include + #include ++#include ++#include + #include + + #include "ftgmac100.h" +diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c +index 8be5b40..081bc1b 100644 +--- a/drivers/net/ethernet/faraday/ftmac100.c ++++ b/drivers/net/ethernet/faraday/ftmac100.c +@@ -31,6 +31,8 @@ + #include + #include + #include ++#include ++#include + + #include "ftmac100.h" + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ptp.c b/drivers/net/ethernet/intel/i40e/i40e_ptp.c +index e33ec6c..f54cfe7 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c +@@ -436,7 +436,7 @@ void i40e_ptp_set_increment(struct i40e_pf *pf) + wr32(hw, I40E_PRTTSYN_INC_H, incval >> 32); + + /* Update the base adjustement value. */ +- ACCESS_ONCE(pf->ptp_base_adj) = incval; ++ ACCESS_ONCE_RW(pf->ptp_base_adj) = incval; + smp_mb(); /* Force the above update. */ + } + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +index 5184e2a..acb28c3 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +@@ -776,7 +776,7 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + } + + /* update the base incval used to calculate frequency adjustment */ +- ACCESS_ONCE(adapter->base_incval) = incval; ++ ACCESS_ONCE_RW(adapter->base_incval) = incval; + smp_mb(); + + /* need lock to prevent incorrect read while modifying cyclecounter */ +diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c +index 089b713..28d87ae 100644 +--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c ++++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c +@@ -3461,7 +3461,10 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp, + struct __vxge_hw_fifo *fifo; + struct vxge_hw_fifo_config *config; + u32 txdl_size, txdl_per_memblock; +- struct vxge_hw_mempool_cbs fifo_mp_callback; ++ static struct vxge_hw_mempool_cbs fifo_mp_callback = { ++ .item_func_alloc = __vxge_hw_fifo_mempool_item_alloc, ++ }; ++ + struct __vxge_hw_virtualpath *vpath; + + if ((vp == NULL) || (attr == NULL)) { +@@ -3544,8 +3547,6 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp, + goto exit; + } + +- fifo_mp_callback.item_func_alloc = __vxge_hw_fifo_mempool_item_alloc; +- + fifo->mempool = + __vxge_hw_mempool_create(vpath->hldev, + fifo->config->memblock_size, +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c +index 90a2dda..47e620e 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c +@@ -2088,7 +2088,9 @@ int qlcnic_83xx_configure_opmode(struct qlcnic_adapter *adapter) + adapter->max_tx_rings = QLCNIC_MAX_VNIC_TX_RINGS; + } else if (ret == QLC_83XX_DEFAULT_OPMODE) { + ahw->nic_mode = QLCNIC_DEFAULT_MODE; +- adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver; ++ pax_open_kernel(); ++ *(void **)&adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver; ++ pax_close_kernel(); + ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry; + adapter->max_sds_rings = QLCNIC_MAX_SDS_RINGS; + adapter->max_tx_rings = QLCNIC_MAX_TX_RINGS; +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c +index be7d7a6..a8983f8 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c +@@ -207,17 +207,23 @@ int qlcnic_83xx_config_vnic_opmode(struct qlcnic_adapter *adapter) + case QLCNIC_NON_PRIV_FUNC: + ahw->op_mode = QLCNIC_NON_PRIV_FUNC; + ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry; +- nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic; ++ pax_open_kernel(); ++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic; ++ pax_close_kernel(); + break; + case QLCNIC_PRIV_FUNC: + ahw->op_mode = QLCNIC_PRIV_FUNC; + ahw->idc.state_entry = qlcnic_83xx_idc_vnic_pf_entry; +- nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic; ++ pax_open_kernel(); ++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic; ++ pax_close_kernel(); + break; + case QLCNIC_MGMT_FUNC: + ahw->op_mode = QLCNIC_MGMT_FUNC; + ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry; +- nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic; ++ pax_open_kernel(); ++ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic; ++ pax_close_kernel(); + break; + default: + dev_err(&adapter->pdev->dev, "Invalid Virtual NIC opmode\n"); +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c +index 7763962..c3499a7 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c +@@ -1108,7 +1108,7 @@ int qlcnic_dump_fw(struct qlcnic_adapter *adapter) + struct qlcnic_dump_entry *entry; + struct qlcnic_fw_dump *fw_dump = &adapter->ahw->fw_dump; + struct qlcnic_dump_template_hdr *tmpl_hdr = fw_dump->tmpl_hdr; +- static const struct qlcnic_dump_operations *fw_dump_ops; ++ const struct qlcnic_dump_operations *fw_dump_ops; + struct device *dev = &adapter->pdev->dev; + struct qlcnic_hardware_context *ahw; + void *temp_buffer; +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c +index 3ff7bc3..366091b 100644 +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -758,22 +758,22 @@ struct rtl8169_private { + struct mdio_ops { + void (*write)(struct rtl8169_private *, int, int); + int (*read)(struct rtl8169_private *, int); +- } mdio_ops; ++ } __no_const mdio_ops; + + struct pll_power_ops { + void (*down)(struct rtl8169_private *); + void (*up)(struct rtl8169_private *); +- } pll_power_ops; ++ } __no_const pll_power_ops; + + struct jumbo_ops { + void (*enable)(struct rtl8169_private *); + void (*disable)(struct rtl8169_private *); +- } jumbo_ops; ++ } __no_const jumbo_ops; + + struct csi_ops { + void (*write)(struct rtl8169_private *, int, int); + u32 (*read)(struct rtl8169_private *, int); +- } csi_ops; ++ } __no_const csi_ops; + + int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv); + int (*get_settings)(struct net_device *, struct ethtool_cmd *); +diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c +index d7a3682..9ce272a 100644 +--- a/drivers/net/ethernet/sfc/ptp.c ++++ b/drivers/net/ethernet/sfc/ptp.c +@@ -825,7 +825,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings) + ptp->start.dma_addr); + + /* Clear flag that signals MC ready */ +- ACCESS_ONCE(*start) = 0; ++ ACCESS_ONCE_RW(*start) = 0; + rc = efx_mcdi_rpc_start(efx, MC_CMD_PTP, synch_buf, + MC_CMD_PTP_IN_SYNCHRONIZE_LEN); + EFX_BUG_ON_PARANOID(rc); +diff --git a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c +index 50617c5..b13724c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c +@@ -140,8 +140,8 @@ void dwmac_mmc_ctrl(void __iomem *ioaddr, unsigned int mode) + + writel(value, ioaddr + MMC_CNTRL); + +- pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n", +- MMC_CNTRL, value); ++// pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n", ++// MMC_CNTRL, value); + } + + /* To mask all all interrupts.*/ +diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h +index 7b594ce..1f6c5708 100644 +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -100,7 +100,7 @@ struct rndis_device { + + enum rndis_device_state state; + bool link_state; +- atomic_t new_req_id; ++ atomic_unchecked_t new_req_id; + + spinlock_t request_lock; + struct list_head req_list; +diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c +index b54fd25..9bd2bae 100644 +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -103,7 +103,7 @@ static struct rndis_request *get_rndis_request(struct rndis_device *dev, + * template + */ + set = &rndis_msg->msg.set_req; +- set->req_id = atomic_inc_return(&dev->new_req_id); ++ set->req_id = atomic_inc_return_unchecked(&dev->new_req_id); + + /* Add to the request list */ + spin_lock_irqsave(&dev->request_lock, flags); +@@ -770,7 +770,7 @@ static void rndis_filter_halt_device(struct rndis_device *dev) + + /* Setup the rndis set */ + halt = &request->request_msg.msg.halt_req; +- halt->req_id = atomic_inc_return(&dev->new_req_id); ++ halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id); + + /* Ignore return since this msg is optional. */ + rndis_filter_send_request(dev, request); +diff --git a/drivers/net/ieee802154/fakehard.c b/drivers/net/ieee802154/fakehard.c +index bf0d55e..82bcfbd1 100644 +--- a/drivers/net/ieee802154/fakehard.c ++++ b/drivers/net/ieee802154/fakehard.c +@@ -364,7 +364,7 @@ static int ieee802154fake_probe(struct platform_device *pdev) + phy->transmit_power = 0xbf; + + dev->netdev_ops = &fake_ops; +- dev->ml_priv = &fake_mlme; ++ dev->ml_priv = (void *)&fake_mlme; + + priv = netdev_priv(dev); + priv->phy = phy; +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 1831fb7..9c24bca 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -984,13 +984,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = { + int macvlan_link_register(struct rtnl_link_ops *ops) + { + /* common fields */ +- ops->priv_size = sizeof(struct macvlan_dev); +- ops->validate = macvlan_validate; +- ops->maxtype = IFLA_MACVLAN_MAX; +- ops->policy = macvlan_policy; +- ops->changelink = macvlan_changelink; +- ops->get_size = macvlan_get_size; +- ops->fill_info = macvlan_fill_info; ++ pax_open_kernel(); ++ *(size_t *)&ops->priv_size = sizeof(struct macvlan_dev); ++ *(void **)&ops->validate = macvlan_validate; ++ *(int *)&ops->maxtype = IFLA_MACVLAN_MAX; ++ *(const void **)&ops->policy = macvlan_policy; ++ *(void **)&ops->changelink = macvlan_changelink; ++ *(void **)&ops->get_size = macvlan_get_size; ++ *(void **)&ops->fill_info = macvlan_fill_info; ++ pax_close_kernel(); + + return rtnl_link_register(ops); + }; +@@ -1045,7 +1047,7 @@ static int macvlan_device_event(struct notifier_block *unused, + return NOTIFY_DONE; + } + +-static struct notifier_block macvlan_notifier_block __read_mostly = { ++static struct notifier_block macvlan_notifier_block = { + .notifier_call = macvlan_device_event, + }; + +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index ff111a8..c4c3ac4 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -1011,7 +1011,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, + } + + ret = 0; +- if (copy_to_user(&ifr->ifr_name, vlan->dev->name, IFNAMSIZ) || ++ if (copy_to_user(ifr->ifr_name, vlan->dev->name, IFNAMSIZ) || + put_user(q->flags, &ifr->ifr_flags)) + ret = -EFAULT; + macvtap_put_vlan(vlan); +@@ -1181,7 +1181,7 @@ static int macvtap_device_event(struct notifier_block *unused, + return NOTIFY_DONE; + } + +-static struct notifier_block macvtap_notifier_block __read_mostly = { ++static struct notifier_block macvtap_notifier_block = { + .notifier_call = macvtap_device_event, + }; + +diff --git a/drivers/net/phy/mdio-bitbang.c b/drivers/net/phy/mdio-bitbang.c +index daec9b0..6428fcb 100644 +--- a/drivers/net/phy/mdio-bitbang.c ++++ b/drivers/net/phy/mdio-bitbang.c +@@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *bus) + struct mdiobb_ctrl *ctrl = bus->priv; + + module_put(ctrl->ops->owner); ++ mdiobus_unregister(bus); + mdiobus_free(bus); + } + EXPORT_SYMBOL(free_mdio_bitbang); +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 72ff14b..11d442d 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -999,7 +999,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data; + struct ppp_stats stats; + struct ppp_comp_stats cstats; +- char *vers; + + switch (cmd) { + case SIOCGPPPSTATS: +@@ -1021,8 +1020,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + break; + + case SIOCGPPPVER: +- vers = PPP_VERSION; +- if (copy_to_user(addr, vers, strlen(vers) + 1)) ++ if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION))) + break; + err = 0; + break; +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index 1252d9c..80e660b 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -488,7 +488,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize) + register struct tcphdr *thp; + register struct iphdr *ip; + register struct cstate *cs; +- int len, hdrlen; ++ long len, hdrlen; + unsigned char *cp = icp; + + /* We've got a compressed packet; read the change byte */ +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index c8624a8..f0a4f6a 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -2869,7 +2869,7 @@ static int team_device_event(struct notifier_block *unused, + return NOTIFY_DONE; + } + +-static struct notifier_block team_notifier_block __read_mostly = { ++static struct notifier_block team_notifier_block = { + .notifier_call = team_device_event, + }; + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 26f8635..c237839 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1876,7 +1876,7 @@ unlock: + } + + static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +- unsigned long arg, int ifreq_len) ++ unsigned long arg, size_t ifreq_len) + { + struct tun_file *tfile = file->private_data; + struct tun_struct *tun; +@@ -1889,6 +1889,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, + unsigned int ifindex; + int ret; + ++ if (ifreq_len > sizeof ifr) ++ return -EFAULT; ++ + if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) { + if (copy_from_user(&ifr, argp, ifreq_len)) + return -EFAULT; +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 660bd5e..ac59452 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -71,7 +71,7 @@ + #include + #include + #include +- ++#include + + #define MOD_AUTHOR "Option Wireless" + #define MOD_DESCRIPTION "USB High Speed Option driver" +@@ -1179,7 +1179,7 @@ static void put_rxbuf_data_and_resubmit_ctrl_urb(struct hso_serial *serial) + struct urb *urb; + + urb = serial->rx_urb[0]; +- if (serial->port.count > 0) { ++ if (atomic_read(&serial->port.count) > 0) { + count = put_rxbuf_data(urb, serial); + if (count == -1) + return; +@@ -1217,7 +1217,7 @@ static void hso_std_serial_read_bulk_callback(struct urb *urb) + DUMP1(urb->transfer_buffer, urb->actual_length); + + /* Anyone listening? */ +- if (serial->port.count == 0) ++ if (atomic_read(&serial->port.count) == 0) + return; + + if (serial->parent->port_spec & HSO_INFO_CRC_BUG) +@@ -1287,8 +1287,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp) + tty_port_tty_set(&serial->port, tty); + + /* check for port already opened, if not set the termios */ +- serial->port.count++; +- if (serial->port.count == 1) { ++ if (atomic_inc_return(&serial->port.count) == 1) { + serial->rx_state = RX_IDLE; + /* Force default termio settings */ + _hso_serial_set_termios(tty, NULL); +@@ -1300,7 +1299,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp) + result = hso_start_serial_device(serial->parent, GFP_KERNEL); + if (result) { + hso_stop_serial_device(serial->parent); +- serial->port.count--; ++ atomic_dec(&serial->port.count); + kref_put(&serial->parent->ref, hso_serial_ref_free); + } + } else { +@@ -1337,10 +1336,10 @@ static void hso_serial_close(struct tty_struct *tty, struct file *filp) + + /* reset the rts and dtr */ + /* do the actual close */ +- serial->port.count--; ++ atomic_dec(&serial->port.count); + +- if (serial->port.count <= 0) { +- serial->port.count = 0; ++ if (atomic_read(&serial->port.count) <= 0) { ++ atomic_set(&serial->port.count, 0); + tty_port_tty_set(&serial->port, NULL); + if (!usb_gone) + hso_stop_serial_device(serial->parent); +@@ -1416,7 +1415,7 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old) + + /* the actual setup */ + spin_lock_irqsave(&serial->serial_lock, flags); +- if (serial->port.count) ++ if (atomic_read(&serial->port.count)) + _hso_serial_set_termios(tty, old); + else + tty->termios = *old; +@@ -1885,7 +1884,7 @@ static void intr_callback(struct urb *urb) + D1("Pending read interrupt on port %d\n", i); + spin_lock(&serial->serial_lock); + if (serial->rx_state == RX_IDLE && +- serial->port.count > 0) { ++ atomic_read(&serial->port.count) > 0) { + /* Setup and send a ctrl req read on + * port i */ + if (!serial->rx_urb_filled[0]) { +@@ -3061,7 +3060,7 @@ static int hso_resume(struct usb_interface *iface) + /* Start all serial ports */ + for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) { + if (serial_table[i] && (serial_table[i]->interface == iface)) { +- if (dev2ser(serial_table[i])->port.count) { ++ if (atomic_read(&dev2ser(serial_table[i])->port.count)) { + result = + hso_start_serial_device(serial_table[i], GFP_NOIO); + hso_kick_transmit(dev2ser(serial_table[i])); +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index adb12f3..48005ab 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -513,7 +513,7 @@ struct r8152 { + void (*disable)(struct r8152 *); + void (*down)(struct r8152 *); + void (*unload)(struct r8152 *); +- } rtl_ops; ++ } __no_const rtl_ops; + + int intr_interval; + u32 msg_enable; +diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c +index a2515887..6d13233 100644 +--- a/drivers/net/usb/sierra_net.c ++++ b/drivers/net/usb/sierra_net.c +@@ -51,7 +51,7 @@ static const char driver_name[] = "sierra_net"; + /* atomic counter partially included in MAC address to make sure 2 devices + * do not end up with the same MAC - concept breaks in case of > 255 ifaces + */ +-static atomic_t iface_counter = ATOMIC_INIT(0); ++static atomic_unchecked_t iface_counter = ATOMIC_INIT(0); + + /* + * SYNC Timer Delay definition used to set the expiry time +@@ -697,7 +697,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf) + dev->net->netdev_ops = &sierra_net_device_ops; + + /* change MAC addr to include, ifacenum, and to be unique */ +- dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter); ++ dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return_unchecked(&iface_counter); + dev->net->dev_addr[ETH_ALEN-1] = ifacenum; + + /* we will have to manufacture ethernet headers, prepare template */ +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index d091e52..568bb179 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2847,7 +2847,7 @@ nla_put_failure: + return -EMSGSIZE; + } + +-static struct rtnl_link_ops vxlan_link_ops __read_mostly = { ++static struct rtnl_link_ops vxlan_link_ops = { + .kind = "vxlan", + .maxtype = IFLA_VXLAN_MAX, + .policy = vxlan_policy, +@@ -2894,7 +2894,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused, + return NOTIFY_DONE; + } + +-static struct notifier_block vxlan_notifier_block __read_mostly = { ++static struct notifier_block vxlan_notifier_block = { + .notifier_call = vxlan_lowerdev_event, + }; + +diff --git a/drivers/net/wan/lmc/lmc_media.c b/drivers/net/wan/lmc/lmc_media.c +index 5920c99..ff2e4a5 100644 +--- a/drivers/net/wan/lmc/lmc_media.c ++++ b/drivers/net/wan/lmc/lmc_media.c +@@ -95,62 +95,63 @@ static inline void write_av9110_bit (lmc_softc_t *, int); + static void write_av9110(lmc_softc_t *, u32, u32, u32, u32, u32); + + lmc_media_t lmc_ds3_media = { +- lmc_ds3_init, /* special media init stuff */ +- lmc_ds3_default, /* reset to default state */ +- lmc_ds3_set_status, /* reset status to state provided */ +- lmc_dummy_set_1, /* set clock source */ +- lmc_dummy_set2_1, /* set line speed */ +- lmc_ds3_set_100ft, /* set cable length */ +- lmc_ds3_set_scram, /* set scrambler */ +- lmc_ds3_get_link_status, /* get link status */ +- lmc_dummy_set_1, /* set link status */ +- lmc_ds3_set_crc_length, /* set CRC length */ +- lmc_dummy_set_1, /* set T1 or E1 circuit type */ +- lmc_ds3_watchdog ++ .init = lmc_ds3_init, /* special media init stuff */ ++ .defaults = lmc_ds3_default, /* reset to default state */ ++ .set_status = lmc_ds3_set_status, /* reset status to state provided */ ++ .set_clock_source = lmc_dummy_set_1, /* set clock source */ ++ .set_speed = lmc_dummy_set2_1, /* set line speed */ ++ .set_cable_length = lmc_ds3_set_100ft, /* set cable length */ ++ .set_scrambler = lmc_ds3_set_scram, /* set scrambler */ ++ .get_link_status = lmc_ds3_get_link_status, /* get link status */ ++ .set_link_status = lmc_dummy_set_1, /* set link status */ ++ .set_crc_length = lmc_ds3_set_crc_length, /* set CRC length */ ++ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */ ++ .watchdog = lmc_ds3_watchdog + }; + + lmc_media_t lmc_hssi_media = { +- lmc_hssi_init, /* special media init stuff */ +- lmc_hssi_default, /* reset to default state */ +- lmc_hssi_set_status, /* reset status to state provided */ +- lmc_hssi_set_clock, /* set clock source */ +- lmc_dummy_set2_1, /* set line speed */ +- lmc_dummy_set_1, /* set cable length */ +- lmc_dummy_set_1, /* set scrambler */ +- lmc_hssi_get_link_status, /* get link status */ +- lmc_hssi_set_link_status, /* set link status */ +- lmc_hssi_set_crc_length, /* set CRC length */ +- lmc_dummy_set_1, /* set T1 or E1 circuit type */ +- lmc_hssi_watchdog ++ .init = lmc_hssi_init, /* special media init stuff */ ++ .defaults = lmc_hssi_default, /* reset to default state */ ++ .set_status = lmc_hssi_set_status, /* reset status to state provided */ ++ .set_clock_source = lmc_hssi_set_clock, /* set clock source */ ++ .set_speed = lmc_dummy_set2_1, /* set line speed */ ++ .set_cable_length = lmc_dummy_set_1, /* set cable length */ ++ .set_scrambler = lmc_dummy_set_1, /* set scrambler */ ++ .get_link_status = lmc_hssi_get_link_status, /* get link status */ ++ .set_link_status = lmc_hssi_set_link_status, /* set link status */ ++ .set_crc_length = lmc_hssi_set_crc_length, /* set CRC length */ ++ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */ ++ .watchdog = lmc_hssi_watchdog + }; + +-lmc_media_t lmc_ssi_media = { lmc_ssi_init, /* special media init stuff */ +- lmc_ssi_default, /* reset to default state */ +- lmc_ssi_set_status, /* reset status to state provided */ +- lmc_ssi_set_clock, /* set clock source */ +- lmc_ssi_set_speed, /* set line speed */ +- lmc_dummy_set_1, /* set cable length */ +- lmc_dummy_set_1, /* set scrambler */ +- lmc_ssi_get_link_status, /* get link status */ +- lmc_ssi_set_link_status, /* set link status */ +- lmc_ssi_set_crc_length, /* set CRC length */ +- lmc_dummy_set_1, /* set T1 or E1 circuit type */ +- lmc_ssi_watchdog ++lmc_media_t lmc_ssi_media = { ++ .init = lmc_ssi_init, /* special media init stuff */ ++ .defaults = lmc_ssi_default, /* reset to default state */ ++ .set_status = lmc_ssi_set_status, /* reset status to state provided */ ++ .set_clock_source = lmc_ssi_set_clock, /* set clock source */ ++ .set_speed = lmc_ssi_set_speed, /* set line speed */ ++ .set_cable_length = lmc_dummy_set_1, /* set cable length */ ++ .set_scrambler = lmc_dummy_set_1, /* set scrambler */ ++ .get_link_status = lmc_ssi_get_link_status, /* get link status */ ++ .set_link_status = lmc_ssi_set_link_status, /* set link status */ ++ .set_crc_length = lmc_ssi_set_crc_length, /* set CRC length */ ++ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */ ++ .watchdog = lmc_ssi_watchdog + }; + + lmc_media_t lmc_t1_media = { +- lmc_t1_init, /* special media init stuff */ +- lmc_t1_default, /* reset to default state */ +- lmc_t1_set_status, /* reset status to state provided */ +- lmc_t1_set_clock, /* set clock source */ +- lmc_dummy_set2_1, /* set line speed */ +- lmc_dummy_set_1, /* set cable length */ +- lmc_dummy_set_1, /* set scrambler */ +- lmc_t1_get_link_status, /* get link status */ +- lmc_dummy_set_1, /* set link status */ +- lmc_t1_set_crc_length, /* set CRC length */ +- lmc_t1_set_circuit_type, /* set T1 or E1 circuit type */ +- lmc_t1_watchdog ++ .init = lmc_t1_init, /* special media init stuff */ ++ .defaults = lmc_t1_default, /* reset to default state */ ++ .set_status = lmc_t1_set_status, /* reset status to state provided */ ++ .set_clock_source = lmc_t1_set_clock, /* set clock source */ ++ .set_speed = lmc_dummy_set2_1, /* set line speed */ ++ .set_cable_length = lmc_dummy_set_1, /* set cable length */ ++ .set_scrambler = lmc_dummy_set_1, /* set scrambler */ ++ .get_link_status = lmc_t1_get_link_status, /* get link status */ ++ .set_link_status = lmc_dummy_set_1, /* set link status */ ++ .set_crc_length = lmc_t1_set_crc_length, /* set CRC length */ ++ .set_circuit_type = lmc_t1_set_circuit_type, /* set T1 or E1 circuit type */ ++ .watchdog = lmc_t1_watchdog + }; + + static void +diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c +index feacc3b..5bac0de 100644 +--- a/drivers/net/wan/z85230.c ++++ b/drivers/net/wan/z85230.c +@@ -485,9 +485,9 @@ static void z8530_status(struct z8530_channel *chan) + + struct z8530_irqhandler z8530_sync = + { +- z8530_rx, +- z8530_tx, +- z8530_status ++ .rx = z8530_rx, ++ .tx = z8530_tx, ++ .status = z8530_status + }; + + EXPORT_SYMBOL(z8530_sync); +@@ -605,15 +605,15 @@ static void z8530_dma_status(struct z8530_channel *chan) + } + + static struct z8530_irqhandler z8530_dma_sync = { +- z8530_dma_rx, +- z8530_dma_tx, +- z8530_dma_status ++ .rx = z8530_dma_rx, ++ .tx = z8530_dma_tx, ++ .status = z8530_dma_status + }; + + static struct z8530_irqhandler z8530_txdma_sync = { +- z8530_rx, +- z8530_dma_tx, +- z8530_dma_status ++ .rx = z8530_rx, ++ .tx = z8530_dma_tx, ++ .status = z8530_dma_status + }; + + /** +@@ -680,9 +680,9 @@ static void z8530_status_clear(struct z8530_channel *chan) + + struct z8530_irqhandler z8530_nop= + { +- z8530_rx_clear, +- z8530_tx_clear, +- z8530_status_clear ++ .rx = z8530_rx_clear, ++ .tx = z8530_tx_clear, ++ .status = z8530_status_clear + }; + + +diff --git a/drivers/net/wimax/i2400m/rx.c b/drivers/net/wimax/i2400m/rx.c +index 0b60295..b8bfa5b 100644 +--- a/drivers/net/wimax/i2400m/rx.c ++++ b/drivers/net/wimax/i2400m/rx.c +@@ -1359,7 +1359,7 @@ int i2400m_rx_setup(struct i2400m *i2400m) + if (i2400m->rx_roq == NULL) + goto error_roq_alloc; + +- rd = kcalloc(I2400M_RO_CIN + 1, sizeof(*i2400m->rx_roq[0].log), ++ rd = kcalloc(sizeof(*i2400m->rx_roq[0].log), I2400M_RO_CIN + 1, + GFP_KERNEL); + if (rd == NULL) { + result = -ENOMEM; +diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c +index edf4b57..68b51c0 100644 +--- a/drivers/net/wireless/airo.c ++++ b/drivers/net/wireless/airo.c +@@ -7843,7 +7843,7 @@ static int writerids(struct net_device *dev, aironet_ioctl *comp) { + struct airo_info *ai = dev->ml_priv; + int ridcode; + int enabled; +- static int (* writer)(struct airo_info *, u16 rid, const void *, int, int); ++ int (* writer)(struct airo_info *, u16 rid, const void *, int, int); + unsigned char *iobuf; + + /* Only super-user can write RIDs */ +diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c +index 99b3bfa..9559372 100644 +--- a/drivers/net/wireless/at76c50x-usb.c ++++ b/drivers/net/wireless/at76c50x-usb.c +@@ -353,7 +353,7 @@ static int at76_dfu_get_state(struct usb_device *udev, u8 *state) + } + + /* Convert timeout from the DFU status to jiffies */ +-static inline unsigned long at76_get_timeout(struct dfu_status *s) ++static inline unsigned long __intentional_overflow(-1) at76_get_timeout(struct dfu_status *s) + { + return msecs_to_jiffies((s->poll_timeout[2] << 16) + | (s->poll_timeout[1] << 8) +diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c +index edc57ab..ff49e0a 100644 +--- a/drivers/net/wireless/ath/ath10k/htc.c ++++ b/drivers/net/wireless/ath/ath10k/htc.c +@@ -831,7 +831,10 @@ void ath10k_htc_stop(struct ath10k_htc *htc) + /* registered target arrival callback from the HIF layer */ + int ath10k_htc_init(struct ath10k *ar) + { +- struct ath10k_hif_cb htc_callbacks; ++ static struct ath10k_hif_cb htc_callbacks = { ++ .rx_completion = ath10k_htc_rx_completion_handler, ++ .tx_completion = ath10k_htc_tx_completion_handler, ++ }; + struct ath10k_htc_ep *ep = NULL; + struct ath10k_htc *htc = &ar->htc; + +@@ -841,8 +844,6 @@ int ath10k_htc_init(struct ath10k *ar) + ath10k_htc_reset_endpoint_states(htc); + + /* setup HIF layer callbacks */ +- htc_callbacks.rx_completion = ath10k_htc_rx_completion_handler; +- htc_callbacks.tx_completion = ath10k_htc_tx_completion_handler; + htc->ar = ar; + + /* Get HIF default pipe for HTC message exchange */ +diff --git a/drivers/net/wireless/ath/ath10k/htc.h b/drivers/net/wireless/ath/ath10k/htc.h +index 4716d33..a688310 100644 +--- a/drivers/net/wireless/ath/ath10k/htc.h ++++ b/drivers/net/wireless/ath/ath10k/htc.h +@@ -271,13 +271,13 @@ enum ath10k_htc_ep_id { + + struct ath10k_htc_ops { + void (*target_send_suspend_complete)(struct ath10k *ar); +-}; ++} __no_const; + + struct ath10k_htc_ep_ops { + void (*ep_tx_complete)(struct ath10k *, struct sk_buff *); + void (*ep_rx_complete)(struct ath10k *, struct sk_buff *); + void (*ep_tx_credits)(struct ath10k *); +-}; ++} __no_const; + + /* service connection information */ + struct ath10k_htc_svc_conn_req { +diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c +index 741b38d..b7ae41b 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c ++++ b/drivers/net/wireless/ath/ath9k/ar9002_mac.c +@@ -220,8 +220,8 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i) + ads->ds_txstatus6 = ads->ds_txstatus7 = 0; + ads->ds_txstatus8 = ads->ds_txstatus9 = 0; + +- ACCESS_ONCE(ads->ds_link) = i->link; +- ACCESS_ONCE(ads->ds_data) = i->buf_addr[0]; ++ ACCESS_ONCE_RW(ads->ds_link) = i->link; ++ ACCESS_ONCE_RW(ads->ds_data) = i->buf_addr[0]; + + ctl1 = i->buf_len[0] | (i->is_last ? 0 : AR_TxMore); + ctl6 = SM(i->keytype, AR_EncrType); +@@ -235,26 +235,26 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i) + + if ((i->is_first || i->is_last) && + i->aggr != AGGR_BUF_MIDDLE && i->aggr != AGGR_BUF_LAST) { +- ACCESS_ONCE(ads->ds_ctl2) = set11nTries(i->rates, 0) ++ ACCESS_ONCE_RW(ads->ds_ctl2) = set11nTries(i->rates, 0) + | set11nTries(i->rates, 1) + | set11nTries(i->rates, 2) + | set11nTries(i->rates, 3) + | (i->dur_update ? AR_DurUpdateEna : 0) + | SM(0, AR_BurstDur); + +- ACCESS_ONCE(ads->ds_ctl3) = set11nRate(i->rates, 0) ++ ACCESS_ONCE_RW(ads->ds_ctl3) = set11nRate(i->rates, 0) + | set11nRate(i->rates, 1) + | set11nRate(i->rates, 2) + | set11nRate(i->rates, 3); + } else { +- ACCESS_ONCE(ads->ds_ctl2) = 0; +- ACCESS_ONCE(ads->ds_ctl3) = 0; ++ ACCESS_ONCE_RW(ads->ds_ctl2) = 0; ++ ACCESS_ONCE_RW(ads->ds_ctl3) = 0; + } + + if (!i->is_first) { +- ACCESS_ONCE(ads->ds_ctl0) = 0; +- ACCESS_ONCE(ads->ds_ctl1) = ctl1; +- ACCESS_ONCE(ads->ds_ctl6) = ctl6; ++ ACCESS_ONCE_RW(ads->ds_ctl0) = 0; ++ ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1; ++ ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6; + return; + } + +@@ -279,7 +279,7 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i) + break; + } + +- ACCESS_ONCE(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen) ++ ACCESS_ONCE_RW(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen) + | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0) + | SM(i->txpower, AR_XmitPower) + | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0) +@@ -289,19 +289,19 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i) + | (i->flags & ATH9K_TXDESC_RTSENA ? AR_RTSEnable : + (i->flags & ATH9K_TXDESC_CTSENA ? AR_CTSEnable : 0)); + +- ACCESS_ONCE(ads->ds_ctl1) = ctl1; +- ACCESS_ONCE(ads->ds_ctl6) = ctl6; ++ ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1; ++ ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6; + + if (i->aggr == AGGR_BUF_MIDDLE || i->aggr == AGGR_BUF_LAST) + return; + +- ACCESS_ONCE(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0) ++ ACCESS_ONCE_RW(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0) + | set11nPktDurRTSCTS(i->rates, 1); + +- ACCESS_ONCE(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2) ++ ACCESS_ONCE_RW(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2) + | set11nPktDurRTSCTS(i->rates, 3); + +- ACCESS_ONCE(ads->ds_ctl7) = set11nRateFlags(i->rates, 0) ++ ACCESS_ONCE_RW(ads->ds_ctl7) = set11nRateFlags(i->rates, 0) + | set11nRateFlags(i->rates, 1) + | set11nRateFlags(i->rates, 2) + | set11nRateFlags(i->rates, 3) +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_mac.c b/drivers/net/wireless/ath/ath9k/ar9003_mac.c +index 729ffbf..49f50e3 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c +@@ -39,47 +39,47 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i) + (i->qcu << AR_TxQcuNum_S) | desc_len; + + checksum += val; +- ACCESS_ONCE(ads->info) = val; ++ ACCESS_ONCE_RW(ads->info) = val; + + checksum += i->link; +- ACCESS_ONCE(ads->link) = i->link; ++ ACCESS_ONCE_RW(ads->link) = i->link; + + checksum += i->buf_addr[0]; +- ACCESS_ONCE(ads->data0) = i->buf_addr[0]; ++ ACCESS_ONCE_RW(ads->data0) = i->buf_addr[0]; + checksum += i->buf_addr[1]; +- ACCESS_ONCE(ads->data1) = i->buf_addr[1]; ++ ACCESS_ONCE_RW(ads->data1) = i->buf_addr[1]; + checksum += i->buf_addr[2]; +- ACCESS_ONCE(ads->data2) = i->buf_addr[2]; ++ ACCESS_ONCE_RW(ads->data2) = i->buf_addr[2]; + checksum += i->buf_addr[3]; +- ACCESS_ONCE(ads->data3) = i->buf_addr[3]; ++ ACCESS_ONCE_RW(ads->data3) = i->buf_addr[3]; + + checksum += (val = (i->buf_len[0] << AR_BufLen_S) & AR_BufLen); +- ACCESS_ONCE(ads->ctl3) = val; ++ ACCESS_ONCE_RW(ads->ctl3) = val; + checksum += (val = (i->buf_len[1] << AR_BufLen_S) & AR_BufLen); +- ACCESS_ONCE(ads->ctl5) = val; ++ ACCESS_ONCE_RW(ads->ctl5) = val; + checksum += (val = (i->buf_len[2] << AR_BufLen_S) & AR_BufLen); +- ACCESS_ONCE(ads->ctl7) = val; ++ ACCESS_ONCE_RW(ads->ctl7) = val; + checksum += (val = (i->buf_len[3] << AR_BufLen_S) & AR_BufLen); +- ACCESS_ONCE(ads->ctl9) = val; ++ ACCESS_ONCE_RW(ads->ctl9) = val; + + checksum = (u16) (((checksum & 0xffff) + (checksum >> 16)) & 0xffff); +- ACCESS_ONCE(ads->ctl10) = checksum; ++ ACCESS_ONCE_RW(ads->ctl10) = checksum; + + if (i->is_first || i->is_last) { +- ACCESS_ONCE(ads->ctl13) = set11nTries(i->rates, 0) ++ ACCESS_ONCE_RW(ads->ctl13) = set11nTries(i->rates, 0) + | set11nTries(i->rates, 1) + | set11nTries(i->rates, 2) + | set11nTries(i->rates, 3) + | (i->dur_update ? AR_DurUpdateEna : 0) + | SM(0, AR_BurstDur); + +- ACCESS_ONCE(ads->ctl14) = set11nRate(i->rates, 0) ++ ACCESS_ONCE_RW(ads->ctl14) = set11nRate(i->rates, 0) + | set11nRate(i->rates, 1) + | set11nRate(i->rates, 2) + | set11nRate(i->rates, 3); + } else { +- ACCESS_ONCE(ads->ctl13) = 0; +- ACCESS_ONCE(ads->ctl14) = 0; ++ ACCESS_ONCE_RW(ads->ctl13) = 0; ++ ACCESS_ONCE_RW(ads->ctl14) = 0; + } + + ads->ctl20 = 0; +@@ -89,17 +89,17 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i) + + ctl17 = SM(i->keytype, AR_EncrType); + if (!i->is_first) { +- ACCESS_ONCE(ads->ctl11) = 0; +- ACCESS_ONCE(ads->ctl12) = i->is_last ? 0 : AR_TxMore; +- ACCESS_ONCE(ads->ctl15) = 0; +- ACCESS_ONCE(ads->ctl16) = 0; +- ACCESS_ONCE(ads->ctl17) = ctl17; +- ACCESS_ONCE(ads->ctl18) = 0; +- ACCESS_ONCE(ads->ctl19) = 0; ++ ACCESS_ONCE_RW(ads->ctl11) = 0; ++ ACCESS_ONCE_RW(ads->ctl12) = i->is_last ? 0 : AR_TxMore; ++ ACCESS_ONCE_RW(ads->ctl15) = 0; ++ ACCESS_ONCE_RW(ads->ctl16) = 0; ++ ACCESS_ONCE_RW(ads->ctl17) = ctl17; ++ ACCESS_ONCE_RW(ads->ctl18) = 0; ++ ACCESS_ONCE_RW(ads->ctl19) = 0; + return; + } + +- ACCESS_ONCE(ads->ctl11) = (i->pkt_len & AR_FrameLen) ++ ACCESS_ONCE_RW(ads->ctl11) = (i->pkt_len & AR_FrameLen) + | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0) + | SM(i->txpower, AR_XmitPower) + | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0) +@@ -135,22 +135,22 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i) + val = (i->flags & ATH9K_TXDESC_PAPRD) >> ATH9K_TXDESC_PAPRD_S; + ctl12 |= SM(val, AR_PAPRDChainMask); + +- ACCESS_ONCE(ads->ctl12) = ctl12; +- ACCESS_ONCE(ads->ctl17) = ctl17; ++ ACCESS_ONCE_RW(ads->ctl12) = ctl12; ++ ACCESS_ONCE_RW(ads->ctl17) = ctl17; + +- ACCESS_ONCE(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0) ++ ACCESS_ONCE_RW(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0) + | set11nPktDurRTSCTS(i->rates, 1); + +- ACCESS_ONCE(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2) ++ ACCESS_ONCE_RW(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2) + | set11nPktDurRTSCTS(i->rates, 3); + +- ACCESS_ONCE(ads->ctl18) = set11nRateFlags(i->rates, 0) ++ ACCESS_ONCE_RW(ads->ctl18) = set11nRateFlags(i->rates, 0) + | set11nRateFlags(i->rates, 1) + | set11nRateFlags(i->rates, 2) + | set11nRateFlags(i->rates, 3) + | SM(i->rtscts_rate, AR_RTSCTSRate); + +- ACCESS_ONCE(ads->ctl19) = AR_Not_Sounding; ++ ACCESS_ONCE_RW(ads->ctl19) = AR_Not_Sounding; + } + + static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads) +diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h +index 0acd4b5..0591c91 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.h ++++ b/drivers/net/wireless/ath/ath9k/hw.h +@@ -629,7 +629,7 @@ struct ath_hw_private_ops { + + /* ANI */ + void (*ani_cache_ini_regs)(struct ath_hw *ah); +-}; ++} __no_const; + + /** + * struct ath_spec_scan - parameters for Atheros spectral scan +@@ -706,7 +706,7 @@ struct ath_hw_ops { + #ifdef CONFIG_ATH9K_BTCOEX_SUPPORT + void (*set_bt_ant_diversity)(struct ath_hw *hw, bool enable); + #endif +-}; ++} __no_const; + + struct ath_nf_limits { + s16 max; +diff --git a/drivers/net/wireless/b43/phy_lp.c b/drivers/net/wireless/b43/phy_lp.c +index 92190da..f3a4c4c 100644 +--- a/drivers/net/wireless/b43/phy_lp.c ++++ b/drivers/net/wireless/b43/phy_lp.c +@@ -2514,7 +2514,7 @@ static int lpphy_b2063_tune(struct b43_wldev *dev, + { + struct ssb_bus *bus = dev->dev->sdev->bus; + +- static const struct b206x_channel *chandata = NULL; ++ const struct b206x_channel *chandata = NULL; + u32 crystal_freq = bus->chipco.pmu.crystalfreq * 1000; + u32 freqref, vco_freq, val1, val2, val3, timeout, timeoutref, count; + u16 old_comm15, scale; +diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c +index 0487461..fd9e84a 100644 +--- a/drivers/net/wireless/iwlegacy/3945-mac.c ++++ b/drivers/net/wireless/iwlegacy/3945-mac.c +@@ -3638,7 +3638,9 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + */ + if (il3945_mod_params.disable_hw_scan) { + D_INFO("Disabling hw_scan\n"); +- il3945_mac_ops.hw_scan = NULL; ++ pax_open_kernel(); ++ *(void **)&il3945_mac_ops.hw_scan = NULL; ++ pax_close_kernel(); + } + + D_INFO("*** LOAD DRIVER ***\n"); +diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c +index d2fe259..0c4c682 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c ++++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c +@@ -188,7 +188,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[64]; +- int buf_size; ++ size_t buf_size; + u32 offset, len; + + memset(buf, 0, sizeof(buf)); +@@ -458,7 +458,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file, + struct iwl_priv *priv = file->private_data; + + char buf[8]; +- int buf_size; ++ size_t buf_size; + u32 reset_flag; + + memset(buf, 0, sizeof(buf)); +@@ -539,7 +539,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int ht40; + + memset(buf, 0, sizeof(buf)); +@@ -591,7 +591,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int value; + + memset(buf, 0, sizeof(buf)); +@@ -683,10 +683,10 @@ DEBUGFS_READ_FILE_OPS(temperature); + DEBUGFS_READ_WRITE_FILE_OPS(sleep_level_override); + DEBUGFS_READ_FILE_OPS(current_sleep_command); + +-static const char *fmt_value = " %-30s %10u\n"; +-static const char *fmt_hex = " %-30s 0x%02X\n"; +-static const char *fmt_table = " %-30s %10u %10u %10u %10u\n"; +-static const char *fmt_header = ++static const char fmt_value[] = " %-30s %10u\n"; ++static const char fmt_hex[] = " %-30s 0x%02X\n"; ++static const char fmt_table[] = " %-30s %10u %10u %10u %10u\n"; ++static const char fmt_header[] = + "%-32s current cumulative delta max\n"; + + static int iwl_statistics_flag(struct iwl_priv *priv, char *buf, int bufsz) +@@ -1856,7 +1856,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int clear; + + memset(buf, 0, sizeof(buf)); +@@ -1901,7 +1901,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int trace; + + memset(buf, 0, sizeof(buf)); +@@ -1972,7 +1972,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int missed; + + memset(buf, 0, sizeof(buf)); +@@ -2013,7 +2013,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file, + + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int plcp; + + memset(buf, 0, sizeof(buf)); +@@ -2073,7 +2073,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file, + + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int flush; + + memset(buf, 0, sizeof(buf)); +@@ -2163,7 +2163,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file, + + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int rts; + + if (!priv->cfg->ht_params) +@@ -2205,7 +2205,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file, + { + struct iwl_priv *priv = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + + memset(buf, 0, sizeof(buf)); + buf_size = min(count, sizeof(buf) - 1); +@@ -2239,7 +2239,7 @@ static ssize_t iwl_dbgfs_log_event_write(struct file *file, + struct iwl_priv *priv = file->private_data; + u32 event_log_flag; + char buf[8]; +- int buf_size; ++ size_t buf_size; + + /* check that the interface is up */ + if (!iwl_is_ready(priv)) +@@ -2293,7 +2293,7 @@ static ssize_t iwl_dbgfs_calib_disabled_write(struct file *file, + struct iwl_priv *priv = file->private_data; + char buf[8]; + u32 calib_disabled; +- int buf_size; ++ size_t buf_size; + + memset(buf, 0, sizeof(buf)); + buf_size = min(count, sizeof(buf) - 1); +diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c +index ba1b1ea..0ff7e98 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/main.c ++++ b/drivers/net/wireless/iwlwifi/dvm/main.c +@@ -1123,7 +1123,7 @@ static void iwl_option_config(struct iwl_priv *priv) + static int iwl_eeprom_init_hw_params(struct iwl_priv *priv) + { + struct iwl_nvm_data *data = priv->nvm_data; +- char *debug_msg; ++ static const char debug_msg[] = "Device SKU: 24GHz %s %s, 52GHz %s %s, 11.n %s %s\n"; + + if (data->sku_cap_11n_enable && + !priv->cfg->ht_params) { +@@ -1137,7 +1137,6 @@ static int iwl_eeprom_init_hw_params(struct iwl_priv *priv) + return -EINVAL; + } + +- debug_msg = "Device SKU: 24GHz %s %s, 52GHz %s %s, 11.n %s %s\n"; + IWL_DEBUG_INFO(priv, debug_msg, + data->sku_cap_band_24GHz_enable ? "" : "NOT", "enabled", + data->sku_cap_band_52GHz_enable ? "" : "NOT", "enabled", +diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c +index f950780..be9df93 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c +@@ -1365,7 +1365,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, + struct isr_statistics *isr_stats = &trans_pcie->isr_stats; + + char buf[8]; +- int buf_size; ++ size_t buf_size; + u32 reset_flag; + + memset(buf, 0, sizeof(buf)); +@@ -1386,7 +1386,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, + { + struct iwl_trans *trans = file->private_data; + char buf[8]; +- int buf_size; ++ size_t buf_size; + int csr; + + memset(buf, 0, sizeof(buf)); +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 69d4c31..bd0b316 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2541,20 +2541,20 @@ static int __init init_mac80211_hwsim(void) + if (channels < 1) + return -EINVAL; + +- mac80211_hwsim_mchan_ops = mac80211_hwsim_ops; +- mac80211_hwsim_mchan_ops.hw_scan = mac80211_hwsim_hw_scan; +- mac80211_hwsim_mchan_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan; +- mac80211_hwsim_mchan_ops.sw_scan_start = NULL; +- mac80211_hwsim_mchan_ops.sw_scan_complete = NULL; +- mac80211_hwsim_mchan_ops.remain_on_channel = mac80211_hwsim_roc; +- mac80211_hwsim_mchan_ops.cancel_remain_on_channel = mac80211_hwsim_croc; +- mac80211_hwsim_mchan_ops.add_chanctx = mac80211_hwsim_add_chanctx; +- mac80211_hwsim_mchan_ops.remove_chanctx = mac80211_hwsim_remove_chanctx; +- mac80211_hwsim_mchan_ops.change_chanctx = mac80211_hwsim_change_chanctx; +- mac80211_hwsim_mchan_ops.assign_vif_chanctx = +- mac80211_hwsim_assign_vif_chanctx; +- mac80211_hwsim_mchan_ops.unassign_vif_chanctx = +- mac80211_hwsim_unassign_vif_chanctx; ++ pax_open_kernel(); ++ memcpy((void *)&mac80211_hwsim_mchan_ops, &mac80211_hwsim_ops, sizeof mac80211_hwsim_mchan_ops); ++ *(void **)&mac80211_hwsim_mchan_ops.hw_scan = mac80211_hwsim_hw_scan; ++ *(void **)&mac80211_hwsim_mchan_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan; ++ *(void **)&mac80211_hwsim_mchan_ops.sw_scan_start = NULL; ++ *(void **)&mac80211_hwsim_mchan_ops.sw_scan_complete = NULL; ++ *(void **)&mac80211_hwsim_mchan_ops.remain_on_channel = mac80211_hwsim_roc; ++ *(void **)&mac80211_hwsim_mchan_ops.cancel_remain_on_channel = mac80211_hwsim_croc; ++ *(void **)&mac80211_hwsim_mchan_ops.add_chanctx = mac80211_hwsim_add_chanctx; ++ *(void **)&mac80211_hwsim_mchan_ops.remove_chanctx = mac80211_hwsim_remove_chanctx; ++ *(void **)&mac80211_hwsim_mchan_ops.change_chanctx = mac80211_hwsim_change_chanctx; ++ *(void **)&mac80211_hwsim_mchan_ops.assign_vif_chanctx = mac80211_hwsim_assign_vif_chanctx; ++ *(void **)&mac80211_hwsim_mchan_ops.unassign_vif_chanctx = mac80211_hwsim_unassign_vif_chanctx; ++ pax_close_kernel(); + + spin_lock_init(&hwsim_radio_lock); + INIT_LIST_HEAD(&hwsim_radios); +diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c +index 5028557..91cf394 100644 +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -1236,7 +1236,7 @@ static int set_rts_threshold(struct usbnet *usbdev, u32 rts_threshold) + + netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold); + +- if (rts_threshold < 0 || rts_threshold > 2347) ++ if (rts_threshold > 2347) + rts_threshold = 2347; + + tmp = cpu_to_le32(rts_threshold); +diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h +index e3b885d..7a7de2f 100644 +--- a/drivers/net/wireless/rt2x00/rt2x00.h ++++ b/drivers/net/wireless/rt2x00/rt2x00.h +@@ -375,7 +375,7 @@ struct rt2x00_intf { + * for hardware which doesn't support hardware + * sequence counting. + */ +- atomic_t seqno; ++ atomic_unchecked_t seqno; + }; + + static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif) +diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c +index 5642ccc..01f03eb 100644 +--- a/drivers/net/wireless/rt2x00/rt2x00queue.c ++++ b/drivers/net/wireless/rt2x00/rt2x00queue.c +@@ -250,9 +250,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev, + * sequence counter given by mac80211. + */ + if (test_bit(ENTRY_TXD_FIRST_FRAGMENT, &txdesc->flags)) +- seqno = atomic_add_return(0x10, &intf->seqno); ++ seqno = atomic_add_return_unchecked(0x10, &intf->seqno); + else +- seqno = atomic_read(&intf->seqno); ++ seqno = atomic_read_unchecked(&intf->seqno); + + hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG); + hdr->seq_ctrl |= cpu_to_le16(seqno); +diff --git a/drivers/net/wireless/ti/wl1251/sdio.c b/drivers/net/wireless/ti/wl1251/sdio.c +index e2b3d9c..67a5184 100644 +--- a/drivers/net/wireless/ti/wl1251/sdio.c ++++ b/drivers/net/wireless/ti/wl1251/sdio.c +@@ -271,13 +271,17 @@ static int wl1251_sdio_probe(struct sdio_func *func, + + irq_set_irq_type(wl->irq, IRQ_TYPE_EDGE_RISING); + +- wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq; +- wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq; ++ pax_open_kernel(); ++ *(void **)&wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq; ++ *(void **)&wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq; ++ pax_close_kernel(); + + wl1251_info("using dedicated interrupt line"); + } else { +- wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq; +- wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq; ++ pax_open_kernel(); ++ *(void **)&wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq; ++ *(void **)&wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq; ++ pax_close_kernel(); + + wl1251_info("using SDIO interrupt"); + } +diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c +index be7129b..4161356 100644 +--- a/drivers/net/wireless/ti/wl12xx/main.c ++++ b/drivers/net/wireless/ti/wl12xx/main.c +@@ -656,7 +656,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl) + sizeof(wl->conf.mem)); + + /* read data preparation is only needed by wl127x */ +- wl->ops->prepare_read = wl127x_prepare_read; ++ pax_open_kernel(); ++ *(void **)&wl->ops->prepare_read = wl127x_prepare_read; ++ pax_close_kernel(); + + wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER, + WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER, +@@ -681,7 +683,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl) + sizeof(wl->conf.mem)); + + /* read data preparation is only needed by wl127x */ +- wl->ops->prepare_read = wl127x_prepare_read; ++ pax_open_kernel(); ++ *(void **)&wl->ops->prepare_read = wl127x_prepare_read; ++ pax_close_kernel(); + + wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER, + WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER, +diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c +index ec37b16..7e34d66 100644 +--- a/drivers/net/wireless/ti/wl18xx/main.c ++++ b/drivers/net/wireless/ti/wl18xx/main.c +@@ -1823,8 +1823,10 @@ static int wl18xx_setup(struct wl1271 *wl) + } + + if (!checksum_param) { +- wl18xx_ops.set_rx_csum = NULL; +- wl18xx_ops.init_vif = NULL; ++ pax_open_kernel(); ++ *(void **)&wl18xx_ops.set_rx_csum = NULL; ++ *(void **)&wl18xx_ops.init_vif = NULL; ++ pax_close_kernel(); + } + + /* Enable 11a Band only if we have 5G antennas */ +diff --git a/drivers/net/wireless/zd1211rw/zd_usb.c b/drivers/net/wireless/zd1211rw/zd_usb.c +index a912dc0..a8225ba 100644 +--- a/drivers/net/wireless/zd1211rw/zd_usb.c ++++ b/drivers/net/wireless/zd1211rw/zd_usb.c +@@ -385,7 +385,7 @@ static inline void handle_regs_int(struct urb *urb) + { + struct zd_usb *usb = urb->context; + struct zd_usb_interrupt *intr = &usb->intr; +- int len; ++ unsigned int len; + u16 int_num; + + ZD_ASSERT(in_interrupt()); +diff --git a/drivers/nfc/nfcwilink.c b/drivers/nfc/nfcwilink.c +index 683671a..4519fc2 100644 +--- a/drivers/nfc/nfcwilink.c ++++ b/drivers/nfc/nfcwilink.c +@@ -497,7 +497,7 @@ static struct nci_ops nfcwilink_ops = { + + static int nfcwilink_probe(struct platform_device *pdev) + { +- static struct nfcwilink *drv; ++ struct nfcwilink *drv; + int rc; + __u32 protocols; + +diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c +index d93b2b6..ae50401 100644 +--- a/drivers/oprofile/buffer_sync.c ++++ b/drivers/oprofile/buffer_sync.c +@@ -332,7 +332,7 @@ static void add_data(struct op_entry *entry, struct mm_struct *mm) + if (cookie == NO_COOKIE) + offset = pc; + if (cookie == INVALID_COOKIE) { +- atomic_inc(&oprofile_stats.sample_lost_no_mapping); ++ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping); + offset = pc; + } + if (cookie != last_cookie) { +@@ -376,14 +376,14 @@ add_sample(struct mm_struct *mm, struct op_sample *s, int in_kernel) + /* add userspace sample */ + + if (!mm) { +- atomic_inc(&oprofile_stats.sample_lost_no_mm); ++ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm); + return 0; + } + + cookie = lookup_dcookie(mm, s->eip, &offset); + + if (cookie == INVALID_COOKIE) { +- atomic_inc(&oprofile_stats.sample_lost_no_mapping); ++ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping); + return 0; + } + +@@ -552,7 +552,7 @@ void sync_buffer(int cpu) + /* ignore backtraces if failed to add a sample */ + if (state == sb_bt_start) { + state = sb_bt_ignore; +- atomic_inc(&oprofile_stats.bt_lost_no_mapping); ++ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping); + } + } + release_mm(mm); +diff --git a/drivers/oprofile/event_buffer.c b/drivers/oprofile/event_buffer.c +index c0cc4e7..44d4e54 100644 +--- a/drivers/oprofile/event_buffer.c ++++ b/drivers/oprofile/event_buffer.c +@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value) + } + + if (buffer_pos == buffer_size) { +- atomic_inc(&oprofile_stats.event_lost_overflow); ++ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow); + return; + } + +diff --git a/drivers/oprofile/oprof.c b/drivers/oprofile/oprof.c +index ed2c3ec..deda85a 100644 +--- a/drivers/oprofile/oprof.c ++++ b/drivers/oprofile/oprof.c +@@ -110,7 +110,7 @@ static void switch_worker(struct work_struct *work) + if (oprofile_ops.switch_events()) + return; + +- atomic_inc(&oprofile_stats.multiplex_counter); ++ atomic_inc_unchecked(&oprofile_stats.multiplex_counter); + start_switch_worker(); + } + +diff --git a/drivers/oprofile/oprofile_files.c b/drivers/oprofile/oprofile_files.c +index ee2cfce..7f8f699 100644 +--- a/drivers/oprofile/oprofile_files.c ++++ b/drivers/oprofile/oprofile_files.c +@@ -27,7 +27,7 @@ unsigned long oprofile_time_slice; + + #ifdef CONFIG_OPROFILE_EVENT_MULTIPLEX + +-static ssize_t timeout_read(struct file *file, char __user *buf, ++static ssize_t __intentional_overflow(-1) timeout_read(struct file *file, char __user *buf, + size_t count, loff_t *offset) + { + return oprofilefs_ulong_to_user(jiffies_to_msecs(oprofile_time_slice), +diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c +index 59659ce..6c860a0 100644 +--- a/drivers/oprofile/oprofile_stats.c ++++ b/drivers/oprofile/oprofile_stats.c +@@ -30,11 +30,11 @@ void oprofile_reset_stats(void) + cpu_buf->sample_invalid_eip = 0; + } + +- atomic_set(&oprofile_stats.sample_lost_no_mm, 0); +- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0); +- atomic_set(&oprofile_stats.event_lost_overflow, 0); +- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0); +- atomic_set(&oprofile_stats.multiplex_counter, 0); ++ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0); ++ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0); ++ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0); ++ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0); ++ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0); + } + + +diff --git a/drivers/oprofile/oprofile_stats.h b/drivers/oprofile/oprofile_stats.h +index 1fc622b..8c48fc3 100644 +--- a/drivers/oprofile/oprofile_stats.h ++++ b/drivers/oprofile/oprofile_stats.h +@@ -13,11 +13,11 @@ + #include + + struct oprofile_stat_struct { +- atomic_t sample_lost_no_mm; +- atomic_t sample_lost_no_mapping; +- atomic_t bt_lost_no_mapping; +- atomic_t event_lost_overflow; +- atomic_t multiplex_counter; ++ atomic_unchecked_t sample_lost_no_mm; ++ atomic_unchecked_t sample_lost_no_mapping; ++ atomic_unchecked_t bt_lost_no_mapping; ++ atomic_unchecked_t event_lost_overflow; ++ atomic_unchecked_t multiplex_counter; + }; + + extern struct oprofile_stat_struct oprofile_stats; +diff --git a/drivers/oprofile/oprofilefs.c b/drivers/oprofile/oprofilefs.c +index 3f49345..c750d0b 100644 +--- a/drivers/oprofile/oprofilefs.c ++++ b/drivers/oprofile/oprofilefs.c +@@ -176,8 +176,8 @@ int oprofilefs_create_ro_ulong(struct dentry *root, + + static ssize_t atomic_read_file(struct file *file, char __user *buf, size_t count, loff_t *offset) + { +- atomic_t *val = file->private_data; +- return oprofilefs_ulong_to_user(atomic_read(val), buf, count, offset); ++ atomic_unchecked_t *val = file->private_data; ++ return oprofilefs_ulong_to_user(atomic_read_unchecked(val), buf, count, offset); + } + + +@@ -189,7 +189,7 @@ static const struct file_operations atomic_ro_fops = { + + + int oprofilefs_create_ro_atomic(struct dentry *root, +- char const *name, atomic_t *val) ++ char const *name, atomic_unchecked_t *val) + { + return __oprofilefs_create_file(root, name, + &atomic_ro_fops, 0444, val); +diff --git a/drivers/oprofile/timer_int.c b/drivers/oprofile/timer_int.c +index 61be1d9..dec05d7 100644 +--- a/drivers/oprofile/timer_int.c ++++ b/drivers/oprofile/timer_int.c +@@ -93,7 +93,7 @@ static int oprofile_cpu_notify(struct notifier_block *self, + return NOTIFY_OK; + } + +-static struct notifier_block __refdata oprofile_cpu_notifier = { ++static struct notifier_block oprofile_cpu_notifier = { + .notifier_call = oprofile_cpu_notify, + }; + +diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c +index 92ed045..62d39bd7 100644 +--- a/drivers/parport/procfs.c ++++ b/drivers/parport/procfs.c +@@ -64,7 +64,7 @@ static int do_active_device(ctl_table *table, int write, + + *ppos += len; + +- return copy_to_user(result, buffer, len) ? -EFAULT : 0; ++ return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0; + } + + #ifdef CONFIG_PARPORT_1284 +@@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table, int write, + + *ppos += len; + +- return copy_to_user (result, buffer, len) ? -EFAULT : 0; ++ return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0; + } + #endif /* IEEE1284.3 support. */ + +diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c +index 8dcccff..35d701d 100644 +--- a/drivers/pci/hotplug/acpiphp_ibm.c ++++ b/drivers/pci/hotplug/acpiphp_ibm.c +@@ -452,7 +452,9 @@ static int __init ibm_acpiphp_init(void) + goto init_cleanup; + } + +- ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL); ++ pax_open_kernel(); ++ *(size_t *)&ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL); ++ pax_close_kernel(); + retval = sysfs_create_bin_file(sysdir, &ibm_apci_table_attr); + + return retval; +diff --git a/drivers/pci/hotplug/cpcihp_generic.c b/drivers/pci/hotplug/cpcihp_generic.c +index 7536eef..52dc8fa 100644 +--- a/drivers/pci/hotplug/cpcihp_generic.c ++++ b/drivers/pci/hotplug/cpcihp_generic.c +@@ -73,7 +73,6 @@ static u16 port; + static unsigned int enum_bit; + static u8 enum_mask; + +-static struct cpci_hp_controller_ops generic_hpc_ops; + static struct cpci_hp_controller generic_hpc; + + static int __init validate_parameters(void) +@@ -139,6 +138,10 @@ static int query_enum(void) + return ((value & enum_mask) == enum_mask); + } + ++static struct cpci_hp_controller_ops generic_hpc_ops = { ++ .query_enum = query_enum, ++}; ++ + static int __init cpcihp_generic_init(void) + { + int status; +@@ -165,7 +168,6 @@ static int __init cpcihp_generic_init(void) + pci_dev_put(dev); + + memset(&generic_hpc, 0, sizeof (struct cpci_hp_controller)); +- generic_hpc_ops.query_enum = query_enum; + generic_hpc.ops = &generic_hpc_ops; + + status = cpci_hp_register_controller(&generic_hpc); +diff --git a/drivers/pci/hotplug/cpcihp_zt5550.c b/drivers/pci/hotplug/cpcihp_zt5550.c +index e8c4a7c..7046f5c 100644 +--- a/drivers/pci/hotplug/cpcihp_zt5550.c ++++ b/drivers/pci/hotplug/cpcihp_zt5550.c +@@ -59,7 +59,6 @@ + /* local variables */ + static bool debug; + static bool poll; +-static struct cpci_hp_controller_ops zt5550_hpc_ops; + static struct cpci_hp_controller zt5550_hpc; + + /* Primary cPCI bus bridge device */ +@@ -205,6 +204,10 @@ static int zt5550_hc_disable_irq(void) + return 0; + } + ++static struct cpci_hp_controller_ops zt5550_hpc_ops = { ++ .query_enum = zt5550_hc_query_enum, ++}; ++ + static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id *ent) + { + int status; +@@ -216,16 +219,17 @@ static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id + dbg("returned from zt5550_hc_config"); + + memset(&zt5550_hpc, 0, sizeof (struct cpci_hp_controller)); +- zt5550_hpc_ops.query_enum = zt5550_hc_query_enum; + zt5550_hpc.ops = &zt5550_hpc_ops; + if(!poll) { + zt5550_hpc.irq = hc_dev->irq; + zt5550_hpc.irq_flags = IRQF_SHARED; + zt5550_hpc.dev_id = hc_dev; + +- zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq; +- zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq; +- zt5550_hpc_ops.check_irq = zt5550_hc_check_irq; ++ pax_open_kernel(); ++ *(void **)&zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq; ++ *(void **)&zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq; ++ *(void **)&zt5550_hpc_ops.check_irq = zt5550_hc_check_irq; ++ pax_open_kernel(); + } else { + info("using ENUM# polling mode"); + } +diff --git a/drivers/pci/hotplug/cpqphp_nvram.c b/drivers/pci/hotplug/cpqphp_nvram.c +index 76ba8a1..20ca857 100644 +--- a/drivers/pci/hotplug/cpqphp_nvram.c ++++ b/drivers/pci/hotplug/cpqphp_nvram.c +@@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_start) + + void compaq_nvram_init (void __iomem *rom_start) + { ++ ++#ifndef CONFIG_PAX_KERNEXEC + if (rom_start) { + compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR); + } ++#endif ++ + dbg("int15 entry = %p\n", compaq_int15_entry_point); + + /* initialize our int15 lock */ +diff --git a/drivers/pci/hotplug/pci_hotplug_core.c b/drivers/pci/hotplug/pci_hotplug_core.c +index cfa92a9..29539c5 100644 +--- a/drivers/pci/hotplug/pci_hotplug_core.c ++++ b/drivers/pci/hotplug/pci_hotplug_core.c +@@ -441,8 +441,10 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus, + return -EINVAL; + } + +- slot->ops->owner = owner; +- slot->ops->mod_name = mod_name; ++ pax_open_kernel(); ++ *(struct module **)&slot->ops->owner = owner; ++ *(const char **)&slot->ops->mod_name = mod_name; ++ pax_close_kernel(); + + mutex_lock(&pci_hp_mutex); + /* +diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c +index 53b58de..4479896 100644 +--- a/drivers/pci/hotplug/pciehp_core.c ++++ b/drivers/pci/hotplug/pciehp_core.c +@@ -92,7 +92,7 @@ static int init_slot(struct controller *ctrl) + struct slot *slot = ctrl->slot; + struct hotplug_slot *hotplug = NULL; + struct hotplug_slot_info *info = NULL; +- struct hotplug_slot_ops *ops = NULL; ++ hotplug_slot_ops_no_const *ops = NULL; + char name[SLOT_NAME_SIZE]; + int retval = -ENOMEM; + +diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c +index 955ab79..d1df9c7 100644 +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -524,8 +524,8 @@ static int populate_msi_sysfs(struct pci_dev *pdev) + { + struct attribute **msi_attrs; + struct attribute *msi_attr; +- struct device_attribute *msi_dev_attr; +- struct attribute_group *msi_irq_group; ++ device_attribute_no_const *msi_dev_attr; ++ attribute_group_no_const *msi_irq_group; + const struct attribute_group **msi_irq_groups; + struct msi_desc *entry; + int ret = -ENOMEM; +@@ -589,7 +589,7 @@ error_attrs: + count = 0; + msi_attr = msi_attrs[count]; + while (msi_attr) { +- msi_dev_attr = container_of(msi_attr, struct device_attribute, attr); ++ msi_dev_attr = container_of(msi_attr, device_attribute_no_const, attr); + kfree(msi_attr->name); + kfree(msi_dev_attr); + ++count; +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 276ef9c..1d33a36 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -1112,7 +1112,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine) + { + /* allocate attribute structure, piggyback attribute name */ + int name_len = write_combine ? 13 : 10; +- struct bin_attribute *res_attr; ++ bin_attribute_no_const *res_attr; + int retval; + + res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC); +@@ -1297,7 +1297,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor + static int pci_create_capabilities_sysfs(struct pci_dev *dev) + { + int retval; +- struct bin_attribute *attr; ++ bin_attribute_no_const *attr; + + /* If the device has VPD, try to expose it in sysfs. */ + if (dev->vpd) { +@@ -1344,7 +1344,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev) + { + int retval; + int rom_size = 0; +- struct bin_attribute *attr; ++ bin_attribute_no_const *attr; + + if (!sysfs_initialized) + return -EACCES; +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h +index 4df38df..b6bb7fe 100644 +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -93,7 +93,7 @@ struct pci_vpd_ops { + struct pci_vpd { + unsigned int len; + const struct pci_vpd_ops *ops; +- struct bin_attribute *attr; /* descriptor for sysfs VPD entry */ ++ bin_attribute_no_const *attr; /* descriptor for sysfs VPD entry */ + }; + + int pci_vpd_pci22_init(struct pci_dev *dev); +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index e1e7026..d28dd33 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -27,9 +27,9 @@ + #define MODULE_PARAM_PREFIX "pcie_aspm." + + /* Note: those are not register definitions */ +-#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */ +-#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */ +-#define ASPM_STATE_L1 (4) /* L1 state */ ++#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */ ++#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */ ++#define ASPM_STATE_L1 (4U) /* L1 state */ + #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW) + #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index 6e34498..9911975 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -175,7 +175,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, + struct pci_bus_region region, inverted_region; + bool bar_too_big = false, bar_disabled = false; + +- mask = type ? PCI_ROM_ADDRESS_MASK : ~0; ++ mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0; + + /* No printks while decoding is disabled! */ + if (!dev->mmio_always_on) { +diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c +index 46d1378..30e452b 100644 +--- a/drivers/pci/proc.c ++++ b/drivers/pci/proc.c +@@ -434,7 +434,16 @@ static const struct file_operations proc_bus_pci_dev_operations = { + static int __init pci_proc_init(void) + { + struct pci_dev *dev = NULL; ++ ++#ifdef CONFIG_GRKERNSEC_PROC_ADD ++#ifdef CONFIG_GRKERNSEC_PROC_USER ++ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL); ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); ++#endif ++#else + proc_bus_pci_dir = proc_mkdir("bus/pci", NULL); ++#endif + proc_create("devices", 0, proc_bus_pci_dir, + &proc_bus_pci_dev_operations); + proc_initialized = 1; +diff --git a/drivers/platform/chrome/chromeos_laptop.c b/drivers/platform/chrome/chromeos_laptop.c +index 7f3aad0..7d604bb 100644 +--- a/drivers/platform/chrome/chromeos_laptop.c ++++ b/drivers/platform/chrome/chromeos_laptop.c +@@ -406,7 +406,7 @@ static struct chromeos_laptop cr48 = { + .callback = chromeos_laptop_dmi_matched, \ + .driver_data = (void *)&board_ + +-static struct dmi_system_id chromeos_laptop_dmi_table[] __initdata = { ++static struct dmi_system_id chromeos_laptop_dmi_table[] __initconst = { + { + .ident = "Samsung Series 5 550", + .matches = { +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index c5e082f..d6307a0 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1595,6 +1595,10 @@ static int show_dsts(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++#ifdef CONFIG_GRKERNSEC_KMEM ++ return -EPERM; ++#endif ++ + err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); + + if (err < 0) +@@ -1611,6 +1615,10 @@ static int show_devs(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++#ifdef CONFIG_GRKERNSEC_KMEM ++ return -EPERM; ++#endif ++ + err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, + &retval); + +@@ -1635,6 +1643,10 @@ static int show_call(struct seq_file *m, void *data) + union acpi_object *obj; + acpi_status status; + ++#ifdef CONFIG_GRKERNSEC_KMEM ++ return -EPERM; ++#endif ++ + status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, + 1, asus->debug.method_id, + &input, &output); +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 62f8030..c7f2a45 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1000,12 +1000,14 @@ static int __init load_scm_model_init(struct platform_device *sdev) + + if (!quirks->ec_read_only) { + /* allow userland write sysfs file */ +- dev_attr_bluetooth.store = store_bluetooth; +- dev_attr_wlan.store = store_wlan; +- dev_attr_threeg.store = store_threeg; +- dev_attr_bluetooth.attr.mode |= S_IWUSR; +- dev_attr_wlan.attr.mode |= S_IWUSR; +- dev_attr_threeg.attr.mode |= S_IWUSR; ++ pax_open_kernel(); ++ *(void **)&dev_attr_bluetooth.store = store_bluetooth; ++ *(void **)&dev_attr_wlan.store = store_wlan; ++ *(void **)&dev_attr_threeg.store = store_threeg; ++ *(umode_t *)&dev_attr_bluetooth.attr.mode |= S_IWUSR; ++ *(umode_t *)&dev_attr_wlan.attr.mode |= S_IWUSR; ++ *(umode_t *)&dev_attr_threeg.attr.mode |= S_IWUSR; ++ pax_close_kernel(); + } + + /* disable hardware control by fn key */ +diff --git a/drivers/platform/x86/msi-wmi.c b/drivers/platform/x86/msi-wmi.c +index 70222f2..8c8ce66 100644 +--- a/drivers/platform/x86/msi-wmi.c ++++ b/drivers/platform/x86/msi-wmi.c +@@ -183,7 +183,7 @@ static const struct backlight_ops msi_backlight_ops = { + static void msi_wmi_notify(u32 value, void *context) + { + struct acpi_buffer response = { ACPI_ALLOCATE_BUFFER, NULL }; +- static struct key_entry *key; ++ struct key_entry *key; + union acpi_object *obj; + acpi_status status; + +diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c +index 8f8551a..3ace3ca 100644 +--- a/drivers/platform/x86/sony-laptop.c ++++ b/drivers/platform/x86/sony-laptop.c +@@ -2451,7 +2451,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd) + } + + /* High speed charging function */ +-static struct device_attribute *hsc_handle; ++static device_attribute_no_const *hsc_handle; + + static ssize_t sony_nc_highspeed_charging_store(struct device *dev, + struct device_attribute *attr, +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index defb6af..7a5d3d1 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -2094,7 +2094,7 @@ static int hotkey_mask_get(void) + return 0; + } + +-void static hotkey_mask_warn_incomplete_mask(void) ++static void hotkey_mask_warn_incomplete_mask(void) + { + /* log only what the user can fix... */ + const u32 wantedmask = hotkey_driver_mask & +@@ -2321,11 +2321,6 @@ static void hotkey_read_nvram(struct tp_nvram_state *n, const u32 m) + } + } + +-static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn, +- struct tp_nvram_state *newn, +- const u32 event_mask) +-{ +- + #define TPACPI_COMPARE_KEY(__scancode, __member) \ + do { \ + if ((event_mask & (1 << __scancode)) && \ +@@ -2339,36 +2334,42 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn, + tpacpi_hotkey_send_key(__scancode); \ + } while (0) + +- void issue_volchange(const unsigned int oldvol, +- const unsigned int newvol) +- { +- unsigned int i = oldvol; ++static void issue_volchange(const unsigned int oldvol, ++ const unsigned int newvol, ++ const u32 event_mask) ++{ ++ unsigned int i = oldvol; + +- while (i > newvol) { +- TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEDOWN); +- i--; +- } +- while (i < newvol) { +- TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEUP); +- i++; +- } ++ while (i > newvol) { ++ TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEDOWN); ++ i--; + } ++ while (i < newvol) { ++ TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEUP); ++ i++; ++ } ++} + +- void issue_brightnesschange(const unsigned int oldbrt, +- const unsigned int newbrt) +- { +- unsigned int i = oldbrt; ++static void issue_brightnesschange(const unsigned int oldbrt, ++ const unsigned int newbrt, ++ const u32 event_mask) ++{ ++ unsigned int i = oldbrt; + +- while (i > newbrt) { +- TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNEND); +- i--; +- } +- while (i < newbrt) { +- TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME); +- i++; +- } ++ while (i > newbrt) { ++ TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNEND); ++ i--; ++ } ++ while (i < newbrt) { ++ TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME); ++ i++; + } ++} + ++static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn, ++ struct tp_nvram_state *newn, ++ const u32 event_mask) ++{ + TPACPI_COMPARE_KEY(TP_ACPI_HOTKEYSCAN_THINKPAD, thinkpad_toggle); + TPACPI_COMPARE_KEY(TP_ACPI_HOTKEYSCAN_FNSPACE, zoom_toggle); + TPACPI_COMPARE_KEY(TP_ACPI_HOTKEYSCAN_FNF7, display_toggle); +@@ -2402,7 +2403,7 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn, + oldn->volume_level != newn->volume_level) { + /* recently muted, or repeated mute keypress, or + * multiple presses ending in mute */ +- issue_volchange(oldn->volume_level, newn->volume_level); ++ issue_volchange(oldn->volume_level, newn->volume_level, event_mask); + TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_MUTE); + } + } else { +@@ -2412,7 +2413,7 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn, + TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEUP); + } + if (oldn->volume_level != newn->volume_level) { +- issue_volchange(oldn->volume_level, newn->volume_level); ++ issue_volchange(oldn->volume_level, newn->volume_level, event_mask); + } else if (oldn->volume_toggle != newn->volume_toggle) { + /* repeated vol up/down keypress at end of scale ? */ + if (newn->volume_level == 0) +@@ -2425,7 +2426,8 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn, + /* handle brightness */ + if (oldn->brightness_level != newn->brightness_level) { + issue_brightnesschange(oldn->brightness_level, +- newn->brightness_level); ++ newn->brightness_level, ++ event_mask); + } else if (oldn->brightness_toggle != newn->brightness_toggle) { + /* repeated key presses that didn't change state */ + if (newn->brightness_level == 0) +@@ -2434,10 +2436,10 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn, + && !tp_features.bright_unkfw) + TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME); + } ++} + + #undef TPACPI_COMPARE_KEY + #undef TPACPI_MAY_SEND_KEY +-} + + /* + * Polling driver +diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c +index 769d265..a3a05ca 100644 +--- a/drivers/pnp/pnpbios/bioscalls.c ++++ b/drivers/pnp/pnpbios/bioscalls.c +@@ -58,7 +58,7 @@ do { \ + set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \ + } while(0) + +-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092, ++static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093, + (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1); + + /* +@@ -95,7 +95,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3, + + cpu = get_cpu(); + save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8]; ++ ++ pax_open_kernel(); + get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc; ++ pax_close_kernel(); + + /* On some boxes IRQ's during PnP BIOS calls are deadly. */ + spin_lock_irqsave(&pnp_bios_lock, flags); +@@ -133,7 +136,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3, + :"memory"); + spin_unlock_irqrestore(&pnp_bios_lock, flags); + ++ pax_open_kernel(); + get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40; ++ pax_close_kernel(); ++ + put_cpu(); + + /* If we get here and this is set then the PnP BIOS faulted on us. */ +@@ -467,7 +473,7 @@ int pnp_bios_read_escd(char *data, u32 nvram_base) + return status; + } + +-void pnpbios_calls_init(union pnp_bios_install_struct *header) ++void __init pnpbios_calls_init(union pnp_bios_install_struct *header) + { + int i; + +@@ -475,6 +481,8 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header) + pnp_bios_callpoint.offset = header->fields.pm16offset; + pnp_bios_callpoint.segment = PNP_CS16; + ++ pax_open_kernel(); ++ + for_each_possible_cpu(i) { + struct desc_struct *gdt = get_cpu_gdt_table(i); + if (!gdt) +@@ -486,4 +494,6 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header) + set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS], + (unsigned long)__va(header->fields.pm16dseg)); + } ++ ++ pax_close_kernel(); + } +diff --git a/drivers/pnp/resource.c b/drivers/pnp/resource.c +index bacddd1..65ea100 100644 +--- a/drivers/pnp/resource.c ++++ b/drivers/pnp/resource.c +@@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, struct resource *res) + return 1; + + /* check if the resource is valid */ +- if (*irq < 0 || *irq > 15) ++ if (*irq > 15) + return 0; + + /* check if the resource is reserved */ +@@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, struct resource *res) + return 1; + + /* check if the resource is valid */ +- if (*dma < 0 || *dma == 4 || *dma > 7) ++ if (*dma == 4 || *dma > 7) + return 0; + + /* check if the resource is reserved */ +diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c +index 0c52e2a..3421ab7 100644 +--- a/drivers/power/pda_power.c ++++ b/drivers/power/pda_power.c +@@ -37,7 +37,11 @@ static int polling; + + #if IS_ENABLED(CONFIG_USB_PHY) + static struct usb_phy *transceiver; +-static struct notifier_block otg_nb; ++static int otg_handle_notification(struct notifier_block *nb, ++ unsigned long event, void *unused); ++static struct notifier_block otg_nb = { ++ .notifier_call = otg_handle_notification ++}; + #endif + + static struct regulator *ac_draw; +@@ -369,7 +373,6 @@ static int pda_power_probe(struct platform_device *pdev) + + #if IS_ENABLED(CONFIG_USB_PHY) + if (!IS_ERR_OR_NULL(transceiver) && pdata->use_otg_notifier) { +- otg_nb.notifier_call = otg_handle_notification; + ret = usb_register_notifier(transceiver, &otg_nb); + if (ret) { + dev_err(dev, "failure to register otg notifier\n"); +diff --git a/drivers/power/power_supply.h b/drivers/power/power_supply.h +index cc439fd..8fa30df 100644 +--- a/drivers/power/power_supply.h ++++ b/drivers/power/power_supply.h +@@ -16,12 +16,12 @@ struct power_supply; + + #ifdef CONFIG_SYSFS + +-extern void power_supply_init_attrs(struct device_type *dev_type); ++extern void power_supply_init_attrs(void); + extern int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env); + + #else + +-static inline void power_supply_init_attrs(struct device_type *dev_type) {} ++static inline void power_supply_init_attrs(void) {} + #define power_supply_uevent NULL + + #endif /* CONFIG_SYSFS */ +diff --git a/drivers/power/power_supply_core.c b/drivers/power/power_supply_core.c +index 2660664..75fcb04 100644 +--- a/drivers/power/power_supply_core.c ++++ b/drivers/power/power_supply_core.c +@@ -28,7 +28,10 @@ EXPORT_SYMBOL_GPL(power_supply_class); + ATOMIC_NOTIFIER_HEAD(power_supply_notifier); + EXPORT_SYMBOL_GPL(power_supply_notifier); + +-static struct device_type power_supply_dev_type; ++extern const struct attribute_group *power_supply_attr_groups[]; ++static struct device_type power_supply_dev_type = { ++ .groups = power_supply_attr_groups, ++}; + + static bool __power_supply_is_supplied_by(struct power_supply *supplier, + struct power_supply *supply) +@@ -628,7 +631,7 @@ static int __init power_supply_class_init(void) + return PTR_ERR(power_supply_class); + + power_supply_class->dev_uevent = power_supply_uevent; +- power_supply_init_attrs(&power_supply_dev_type); ++ power_supply_init_attrs(); + + return 0; + } +diff --git a/drivers/power/power_supply_sysfs.c b/drivers/power/power_supply_sysfs.c +index 44420d1..967126e 100644 +--- a/drivers/power/power_supply_sysfs.c ++++ b/drivers/power/power_supply_sysfs.c +@@ -230,17 +230,15 @@ static struct attribute_group power_supply_attr_group = { + .is_visible = power_supply_attr_is_visible, + }; + +-static const struct attribute_group *power_supply_attr_groups[] = { ++const struct attribute_group *power_supply_attr_groups[] = { + &power_supply_attr_group, + NULL, + }; + +-void power_supply_init_attrs(struct device_type *dev_type) ++void power_supply_init_attrs(void) + { + int i; + +- dev_type->groups = power_supply_attr_groups; +- + for (i = 0; i < ARRAY_SIZE(power_supply_attrs); i++) + __power_supply_attrs[i] = &power_supply_attrs[i].attr; + } +diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c +index 84419af..268ede8 100644 +--- a/drivers/powercap/powercap_sys.c ++++ b/drivers/powercap/powercap_sys.c +@@ -154,8 +154,77 @@ struct powercap_constraint_attr { + struct device_attribute name_attr; + }; + ++static ssize_t show_constraint_name(struct device *dev, ++ struct device_attribute *dev_attr, ++ char *buf); ++ + static struct powercap_constraint_attr +- constraint_attrs[MAX_CONSTRAINTS_PER_ZONE]; ++ constraint_attrs[MAX_CONSTRAINTS_PER_ZONE] = { ++ [0 ... MAX_CONSTRAINTS_PER_ZONE - 1] = { ++ .power_limit_attr = { ++ .attr = { ++ .name = NULL, ++ .mode = S_IWUSR | S_IRUGO ++ }, ++ .show = show_constraint_power_limit_uw, ++ .store = store_constraint_power_limit_uw ++ }, ++ ++ .time_window_attr = { ++ .attr = { ++ .name = NULL, ++ .mode = S_IWUSR | S_IRUGO ++ }, ++ .show = show_constraint_time_window_us, ++ .store = store_constraint_time_window_us ++ }, ++ ++ .max_power_attr = { ++ .attr = { ++ .name = NULL, ++ .mode = S_IRUGO ++ }, ++ .show = show_constraint_max_power_uw, ++ .store = NULL ++ }, ++ ++ .min_power_attr = { ++ .attr = { ++ .name = NULL, ++ .mode = S_IRUGO ++ }, ++ .show = show_constraint_min_power_uw, ++ .store = NULL ++ }, ++ ++ .max_time_window_attr = { ++ .attr = { ++ .name = NULL, ++ .mode = S_IRUGO ++ }, ++ .show = show_constraint_max_time_window_us, ++ .store = NULL ++ }, ++ ++ .min_time_window_attr = { ++ .attr = { ++ .name = NULL, ++ .mode = S_IRUGO ++ }, ++ .show = show_constraint_min_time_window_us, ++ .store = NULL ++ }, ++ ++ .name_attr = { ++ .attr = { ++ .name = NULL, ++ .mode = S_IRUGO ++ }, ++ .show = show_constraint_name, ++ .store = NULL ++ } ++ } ++}; + + /* A list of powercap control_types */ + static LIST_HEAD(powercap_cntrl_list); +@@ -193,23 +262,16 @@ static ssize_t show_constraint_name(struct device *dev, + } + + static int create_constraint_attribute(int id, const char *name, +- int mode, +- struct device_attribute *dev_attr, +- ssize_t (*show)(struct device *, +- struct device_attribute *, char *), +- ssize_t (*store)(struct device *, +- struct device_attribute *, +- const char *, size_t) +- ) ++ struct device_attribute *dev_attr) + { ++ name = kasprintf(GFP_KERNEL, "constraint_%d_%s", id, name); + +- dev_attr->attr.name = kasprintf(GFP_KERNEL, "constraint_%d_%s", +- id, name); +- if (!dev_attr->attr.name) ++ if (!name) + return -ENOMEM; +- dev_attr->attr.mode = mode; +- dev_attr->show = show; +- dev_attr->store = store; ++ ++ pax_open_kernel(); ++ *(const char **)&dev_attr->attr.name = name; ++ pax_close_kernel(); + + return 0; + } +@@ -236,49 +298,31 @@ static int seed_constraint_attributes(void) + + for (i = 0; i < MAX_CONSTRAINTS_PER_ZONE; ++i) { + ret = create_constraint_attribute(i, "power_limit_uw", +- S_IWUSR | S_IRUGO, +- &constraint_attrs[i].power_limit_attr, +- show_constraint_power_limit_uw, +- store_constraint_power_limit_uw); ++ &constraint_attrs[i].power_limit_attr); + if (ret) + goto err_alloc; + ret = create_constraint_attribute(i, "time_window_us", +- S_IWUSR | S_IRUGO, +- &constraint_attrs[i].time_window_attr, +- show_constraint_time_window_us, +- store_constraint_time_window_us); ++ &constraint_attrs[i].time_window_attr); + if (ret) + goto err_alloc; +- ret = create_constraint_attribute(i, "name", S_IRUGO, +- &constraint_attrs[i].name_attr, +- show_constraint_name, +- NULL); ++ ret = create_constraint_attribute(i, "name", ++ &constraint_attrs[i].name_attr); + if (ret) + goto err_alloc; +- ret = create_constraint_attribute(i, "max_power_uw", S_IRUGO, +- &constraint_attrs[i].max_power_attr, +- show_constraint_max_power_uw, +- NULL); ++ ret = create_constraint_attribute(i, "max_power_uw", ++ &constraint_attrs[i].max_power_attr); + if (ret) + goto err_alloc; +- ret = create_constraint_attribute(i, "min_power_uw", S_IRUGO, +- &constraint_attrs[i].min_power_attr, +- show_constraint_min_power_uw, +- NULL); ++ ret = create_constraint_attribute(i, "min_power_uw", ++ &constraint_attrs[i].min_power_attr); + if (ret) + goto err_alloc; + ret = create_constraint_attribute(i, "max_time_window_us", +- S_IRUGO, +- &constraint_attrs[i].max_time_window_attr, +- show_constraint_max_time_window_us, +- NULL); ++ &constraint_attrs[i].max_time_window_attr); + if (ret) + goto err_alloc; + ret = create_constraint_attribute(i, "min_time_window_us", +- S_IRUGO, +- &constraint_attrs[i].min_time_window_attr, +- show_constraint_min_time_window_us, +- NULL); ++ &constraint_attrs[i].min_time_window_attr); + if (ret) + goto err_alloc; + +@@ -378,10 +422,12 @@ static void create_power_zone_common_attributes( + power_zone->zone_dev_attrs[count++] = + &dev_attr_max_energy_range_uj.attr; + if (power_zone->ops->get_energy_uj) { ++ pax_open_kernel(); + if (power_zone->ops->reset_energy_uj) +- dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO; ++ *(umode_t *)&dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO; + else +- dev_attr_energy_uj.attr.mode = S_IRUGO; ++ *(umode_t *)&dev_attr_energy_uj.attr.mode = S_IRUGO; ++ pax_close_kernel(); + power_zone->zone_dev_attrs[count++] = + &dev_attr_energy_uj.attr; + } +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index afca1bc..86840b8 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -3366,7 +3366,7 @@ regulator_register(const struct regulator_desc *regulator_desc, + { + const struct regulation_constraints *constraints = NULL; + const struct regulator_init_data *init_data; +- static atomic_t regulator_no = ATOMIC_INIT(0); ++ static atomic_unchecked_t regulator_no = ATOMIC_INIT(0); + struct regulator_dev *rdev; + struct device *dev; + int ret, i; +@@ -3436,7 +3436,7 @@ regulator_register(const struct regulator_desc *regulator_desc, + rdev->dev.of_node = config->of_node; + rdev->dev.parent = dev; + dev_set_name(&rdev->dev, "regulator.%d", +- atomic_inc_return(®ulator_no) - 1); ++ atomic_inc_return_unchecked(®ulator_no) - 1); + ret = device_register(&rdev->dev); + if (ret != 0) { + put_device(&rdev->dev); +diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c +index 8d94d3d..653b623 100644 +--- a/drivers/regulator/max8660.c ++++ b/drivers/regulator/max8660.c +@@ -420,8 +420,10 @@ static int max8660_probe(struct i2c_client *client, + max8660->shadow_regs[MAX8660_OVER1] = 5; + } else { + /* Otherwise devices can be toggled via software */ +- max8660_dcdc_ops.enable = max8660_dcdc_enable; +- max8660_dcdc_ops.disable = max8660_dcdc_disable; ++ pax_open_kernel(); ++ *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable; ++ *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable; ++ pax_close_kernel(); + } + + /* +diff --git a/drivers/regulator/max8973-regulator.c b/drivers/regulator/max8973-regulator.c +index 892aa1e..ebd1b9c 100644 +--- a/drivers/regulator/max8973-regulator.c ++++ b/drivers/regulator/max8973-regulator.c +@@ -406,9 +406,11 @@ static int max8973_probe(struct i2c_client *client, + if (!pdata || !pdata->enable_ext_control) { + max->desc.enable_reg = MAX8973_VOUT; + max->desc.enable_mask = MAX8973_VOUT_ENABLE; +- max->ops.enable = regulator_enable_regmap; +- max->ops.disable = regulator_disable_regmap; +- max->ops.is_enabled = regulator_is_enabled_regmap; ++ pax_open_kernel(); ++ *(void **)&max->ops.enable = regulator_enable_regmap; ++ *(void **)&max->ops.disable = regulator_disable_regmap; ++ *(void **)&max->ops.is_enabled = regulator_is_enabled_regmap; ++ pax_close_kernel(); + } + + if (pdata) { +diff --git a/drivers/regulator/mc13892-regulator.c b/drivers/regulator/mc13892-regulator.c +index f374fa5..26f0683 100644 +--- a/drivers/regulator/mc13892-regulator.c ++++ b/drivers/regulator/mc13892-regulator.c +@@ -582,10 +582,12 @@ static int mc13892_regulator_probe(struct platform_device *pdev) + } + mc13xxx_unlock(mc13892); + +- mc13892_regulators[MC13892_VCAM].desc.ops->set_mode ++ pax_open_kernel(); ++ *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->set_mode + = mc13892_vcam_set_mode; +- mc13892_regulators[MC13892_VCAM].desc.ops->get_mode ++ *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->get_mode + = mc13892_vcam_get_mode; ++ pax_close_kernel(); + + mc13xxx_data = mc13xxx_parse_regulators_dt(pdev, mc13892_regulators, + ARRAY_SIZE(mc13892_regulators)); +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index cae212f..58a3980 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -777,7 +777,9 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq) + hpet_rtc_timer_init(); + + /* export at least the first block of NVRAM */ +- nvram.size = address_space - NVRAM_OFFSET; ++ pax_open_kernel(); ++ *(size_t *)&nvram.size = address_space - NVRAM_OFFSET; ++ pax_close_kernel(); + retval = sysfs_create_bin_file(&dev->kobj, &nvram); + if (retval < 0) { + dev_dbg(dev, "can't create nvram file? %d\n", retval); +diff --git a/drivers/rtc/rtc-dev.c b/drivers/rtc/rtc-dev.c +index d049393..bb20be0 100644 +--- a/drivers/rtc/rtc-dev.c ++++ b/drivers/rtc/rtc-dev.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include "rtc-core.h" + + static dev_t rtc_devt; +@@ -347,6 +348,8 @@ static long rtc_dev_ioctl(struct file *file, + if (copy_from_user(&tm, uarg, sizeof(tm))) + return -EFAULT; + ++ gr_log_timechange(); ++ + return rtc_set_time(rtc, &tm); + + case RTC_PIE_ON: +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index 4e75345..09f8663 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -107,7 +107,7 @@ struct ds1307 { + u8 offset; /* register's offset */ + u8 regs[11]; + u16 nvram_offset; +- struct bin_attribute *nvram; ++ bin_attribute_no_const *nvram; + enum ds_type type; + unsigned long flags; + #define HAS_NVRAM 0 /* bit 0 == sysfs file active */ +diff --git a/drivers/rtc/rtc-m48t59.c b/drivers/rtc/rtc-m48t59.c +index 11880c1..b823aa4 100644 +--- a/drivers/rtc/rtc-m48t59.c ++++ b/drivers/rtc/rtc-m48t59.c +@@ -483,7 +483,9 @@ static int m48t59_rtc_probe(struct platform_device *pdev) + if (IS_ERR(m48t59->rtc)) + return PTR_ERR(m48t59->rtc); + +- m48t59_nvram_attr.size = pdata->offset; ++ pax_open_kernel(); ++ *(size_t *)&m48t59_nvram_attr.size = pdata->offset; ++ pax_close_kernel(); + + ret = sysfs_create_bin_file(&pdev->dev.kobj, &m48t59_nvram_attr); + if (ret) +diff --git a/drivers/scsi/aic7xxx/aic79xx_pci.c b/drivers/scsi/aic7xxx/aic79xx_pci.c +index 14b5f8d..cc9bd26 100644 +--- a/drivers/scsi/aic7xxx/aic79xx_pci.c ++++ b/drivers/scsi/aic7xxx/aic79xx_pci.c +@@ -827,7 +827,7 @@ ahd_pci_intr(struct ahd_softc *ahd) + for (bit = 0; bit < 8; bit++) { + + if ((pci_status[i] & (0x1 << bit)) != 0) { +- static const char *s; ++ const char *s; + + s = pci_status_strings[bit]; + if (i == 7/*TARG*/ && bit == 3) +@@ -887,23 +887,15 @@ ahd_pci_split_intr(struct ahd_softc *ahd, u_int intstat) + + for (bit = 0; bit < 8; bit++) { + +- if ((split_status[i] & (0x1 << bit)) != 0) { +- static const char *s; +- +- s = split_status_strings[bit]; +- printk(s, ahd_name(ahd), ++ if ((split_status[i] & (0x1 << bit)) != 0) ++ printk(split_status_strings[bit], ahd_name(ahd), + split_status_source[i]); +- } + + if (i > 1) + continue; + +- if ((sg_split_status[i] & (0x1 << bit)) != 0) { +- static const char *s; +- +- s = split_status_strings[bit]; +- printk(s, ahd_name(ahd), "SG"); +- } ++ if ((sg_split_status[i] & (0x1 << bit)) != 0) ++ printk(split_status_strings[bit], ahd_name(ahd), "SG"); + } + } + /* +diff --git a/drivers/scsi/bfa/bfa_fcpim.h b/drivers/scsi/bfa/bfa_fcpim.h +index e693af6..2e525b6 100644 +--- a/drivers/scsi/bfa/bfa_fcpim.h ++++ b/drivers/scsi/bfa/bfa_fcpim.h +@@ -36,7 +36,7 @@ struct bfa_iotag_s { + + struct bfa_itn_s { + bfa_isr_func_t isr; +-}; ++} __no_const; + + void bfa_itn_create(struct bfa_s *bfa, struct bfa_rport_s *rport, + void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m)); +diff --git a/drivers/scsi/bfa/bfa_fcs.c b/drivers/scsi/bfa/bfa_fcs.c +index a3ab5cc..8143622 100644 +--- a/drivers/scsi/bfa/bfa_fcs.c ++++ b/drivers/scsi/bfa/bfa_fcs.c +@@ -38,10 +38,21 @@ struct bfa_fcs_mod_s { + #define BFA_FCS_MODULE(_mod) { _mod ## _modinit, _mod ## _modexit } + + static struct bfa_fcs_mod_s fcs_modules[] = { +- { bfa_fcs_port_attach, NULL, NULL }, +- { bfa_fcs_uf_attach, NULL, NULL }, +- { bfa_fcs_fabric_attach, bfa_fcs_fabric_modinit, +- bfa_fcs_fabric_modexit }, ++ { ++ .attach = bfa_fcs_port_attach, ++ .modinit = NULL, ++ .modexit = NULL ++ }, ++ { ++ .attach = bfa_fcs_uf_attach, ++ .modinit = NULL, ++ .modexit = NULL ++ }, ++ { ++ .attach = bfa_fcs_fabric_attach, ++ .modinit = bfa_fcs_fabric_modinit, ++ .modexit = bfa_fcs_fabric_modexit ++ }, + }; + + /* +diff --git a/drivers/scsi/bfa/bfa_fcs_lport.c b/drivers/scsi/bfa/bfa_fcs_lport.c +index ff75ef8..2dfe00a 100644 +--- a/drivers/scsi/bfa/bfa_fcs_lport.c ++++ b/drivers/scsi/bfa/bfa_fcs_lport.c +@@ -89,15 +89,26 @@ static struct { + void (*offline) (struct bfa_fcs_lport_s *port); + } __port_action[] = { + { +- bfa_fcs_lport_unknown_init, bfa_fcs_lport_unknown_online, +- bfa_fcs_lport_unknown_offline}, { +- bfa_fcs_lport_fab_init, bfa_fcs_lport_fab_online, +- bfa_fcs_lport_fab_offline}, { +- bfa_fcs_lport_n2n_init, bfa_fcs_lport_n2n_online, +- bfa_fcs_lport_n2n_offline}, { +- bfa_fcs_lport_loop_init, bfa_fcs_lport_loop_online, +- bfa_fcs_lport_loop_offline}, +- }; ++ .init = bfa_fcs_lport_unknown_init, ++ .online = bfa_fcs_lport_unknown_online, ++ .offline = bfa_fcs_lport_unknown_offline ++ }, ++ { ++ .init = bfa_fcs_lport_fab_init, ++ .online = bfa_fcs_lport_fab_online, ++ .offline = bfa_fcs_lport_fab_offline ++ }, ++ { ++ .init = bfa_fcs_lport_n2n_init, ++ .online = bfa_fcs_lport_n2n_online, ++ .offline = bfa_fcs_lport_n2n_offline ++ }, ++ { ++ .init = bfa_fcs_lport_loop_init, ++ .online = bfa_fcs_lport_loop_online, ++ .offline = bfa_fcs_lport_loop_offline ++ }, ++}; + + /* + * fcs_port_sm FCS logical port state machine +diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h +index 2e28392..9d865b6 100644 +--- a/drivers/scsi/bfa/bfa_ioc.h ++++ b/drivers/scsi/bfa/bfa_ioc.h +@@ -258,7 +258,7 @@ struct bfa_ioc_cbfn_s { + bfa_ioc_disable_cbfn_t disable_cbfn; + bfa_ioc_hbfail_cbfn_t hbfail_cbfn; + bfa_ioc_reset_cbfn_t reset_cbfn; +-}; ++} __no_const; + + /* + * IOC event notification mechanism. +@@ -352,7 +352,7 @@ struct bfa_ioc_hwif_s { + void (*ioc_set_alt_fwstate) (struct bfa_ioc_s *ioc, + enum bfi_ioc_state fwstate); + enum bfi_ioc_state (*ioc_get_alt_fwstate) (struct bfa_ioc_s *ioc); +-}; ++} __no_const; + + /* + * Queue element to wait for room in request queue. FIFO order is +diff --git a/drivers/scsi/bfa/bfa_modules.h b/drivers/scsi/bfa/bfa_modules.h +index a14c784..6de6790 100644 +--- a/drivers/scsi/bfa/bfa_modules.h ++++ b/drivers/scsi/bfa/bfa_modules.h +@@ -78,12 +78,12 @@ enum { + \ + extern struct bfa_module_s hal_mod_ ## __mod; \ + struct bfa_module_s hal_mod_ ## __mod = { \ +- bfa_ ## __mod ## _meminfo, \ +- bfa_ ## __mod ## _attach, \ +- bfa_ ## __mod ## _detach, \ +- bfa_ ## __mod ## _start, \ +- bfa_ ## __mod ## _stop, \ +- bfa_ ## __mod ## _iocdisable, \ ++ .meminfo = bfa_ ## __mod ## _meminfo, \ ++ .attach = bfa_ ## __mod ## _attach, \ ++ .detach = bfa_ ## __mod ## _detach, \ ++ .start = bfa_ ## __mod ## _start, \ ++ .stop = bfa_ ## __mod ## _stop, \ ++ .iocdisable = bfa_ ## __mod ## _iocdisable, \ + } + + #define BFA_CACHELINE_SZ (256) +diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c +index 045c4e1..13de803 100644 +--- a/drivers/scsi/fcoe/fcoe_sysfs.c ++++ b/drivers/scsi/fcoe/fcoe_sysfs.c +@@ -33,8 +33,8 @@ + */ + #include "libfcoe.h" + +-static atomic_t ctlr_num; +-static atomic_t fcf_num; ++static atomic_unchecked_t ctlr_num; ++static atomic_unchecked_t fcf_num; + + /* + * fcoe_fcf_dev_loss_tmo: the default number of seconds that fcoe sysfs +@@ -685,7 +685,7 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent, + if (!ctlr) + goto out; + +- ctlr->id = atomic_inc_return(&ctlr_num) - 1; ++ ctlr->id = atomic_inc_return_unchecked(&ctlr_num) - 1; + ctlr->f = f; + ctlr->mode = FIP_CONN_TYPE_FABRIC; + INIT_LIST_HEAD(&ctlr->fcfs); +@@ -902,7 +902,7 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr, + fcf->dev.parent = &ctlr->dev; + fcf->dev.bus = &fcoe_bus_type; + fcf->dev.type = &fcoe_fcf_device_type; +- fcf->id = atomic_inc_return(&fcf_num) - 1; ++ fcf->id = atomic_inc_return_unchecked(&fcf_num) - 1; + fcf->state = FCOE_FCF_STATE_UNKNOWN; + + fcf->dev_loss_tmo = ctlr->fcf_dev_loss_tmo; +@@ -938,8 +938,8 @@ int __init fcoe_sysfs_setup(void) + { + int error; + +- atomic_set(&ctlr_num, 0); +- atomic_set(&fcf_num, 0); ++ atomic_set_unchecked(&ctlr_num, 0); ++ atomic_set_unchecked(&fcf_num, 0); + + error = bus_register(&fcoe_bus_type); + if (error) +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index f28ea07..34b16d3 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -42,7 +42,7 @@ + #include "scsi_logging.h" + + +-static atomic_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */ ++static atomic_unchecked_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */ + + + static void scsi_host_cls_release(struct device *dev) +@@ -369,7 +369,7 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize) + * subtract one because we increment first then return, but we need to + * know what the next host number was before increment + */ +- shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1; ++ shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1; + shost->dma_channel = 0xff; + + /* These three are default values which can be overridden */ +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 868318a..e07ef3b 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -571,7 +571,7 @@ static inline u32 next_command(struct ctlr_info *h, u8 q) + unsigned long flags; + + if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant))) +- return h->access.command_completed(h, q); ++ return h->access->command_completed(h, q); + + if ((rq->head[rq->current_entry] & 1) == rq->wraparound) { + a = rq->head[rq->current_entry]; +@@ -3474,7 +3474,7 @@ static void start_io(struct ctlr_info *h) + while (!list_empty(&h->reqQ)) { + c = list_entry(h->reqQ.next, struct CommandList, list); + /* can't do anything if fifo is full */ +- if ((h->access.fifo_full(h))) { ++ if ((h->access->fifo_full(h))) { + h->fifo_recently_full = 1; + dev_warn(&h->pdev->dev, "fifo full\n"); + break; +@@ -3498,7 +3498,7 @@ static void start_io(struct ctlr_info *h) + + /* Tell the controller execute command */ + spin_unlock_irqrestore(&h->lock, flags); +- h->access.submit_command(h, c); ++ h->access->submit_command(h, c); + spin_lock_irqsave(&h->lock, flags); + } + spin_unlock_irqrestore(&h->lock, flags); +@@ -3506,17 +3506,17 @@ static void start_io(struct ctlr_info *h) + + static inline unsigned long get_next_completion(struct ctlr_info *h, u8 q) + { +- return h->access.command_completed(h, q); ++ return h->access->command_completed(h, q); + } + + static inline bool interrupt_pending(struct ctlr_info *h) + { +- return h->access.intr_pending(h); ++ return h->access->intr_pending(h); + } + + static inline long interrupt_not_for_us(struct ctlr_info *h) + { +- return (h->access.intr_pending(h) == 0) || ++ return (h->access->intr_pending(h) == 0) || + (h->interrupts_enabled == 0); + } + +@@ -4442,7 +4442,7 @@ static int hpsa_pci_init(struct ctlr_info *h) + if (prod_index < 0) + return -ENODEV; + h->product_name = products[prod_index].product_name; +- h->access = *(products[prod_index].access); ++ h->access = products[prod_index].access; + + pci_disable_link_state(h->pdev, PCIE_LINK_STATE_L0S | + PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM); +@@ -4712,7 +4712,7 @@ static void controller_lockup_detected(struct ctlr_info *h) + { + unsigned long flags; + +- h->access.set_intr_mask(h, HPSA_INTR_OFF); ++ h->access->set_intr_mask(h, HPSA_INTR_OFF); + spin_lock_irqsave(&h->lock, flags); + h->lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET); + spin_unlock_irqrestore(&h->lock, flags); +@@ -4843,7 +4843,7 @@ reinit_after_soft_reset: + } + + /* make sure the board interrupts are off */ +- h->access.set_intr_mask(h, HPSA_INTR_OFF); ++ h->access->set_intr_mask(h, HPSA_INTR_OFF); + + if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx)) + goto clean2; +@@ -4877,7 +4877,7 @@ reinit_after_soft_reset: + * fake ones to scoop up any residual completions. + */ + spin_lock_irqsave(&h->lock, flags); +- h->access.set_intr_mask(h, HPSA_INTR_OFF); ++ h->access->set_intr_mask(h, HPSA_INTR_OFF); + spin_unlock_irqrestore(&h->lock, flags); + free_irqs(h); + rc = hpsa_request_irq(h, hpsa_msix_discard_completions, +@@ -4896,9 +4896,9 @@ reinit_after_soft_reset: + dev_info(&h->pdev->dev, "Board READY.\n"); + dev_info(&h->pdev->dev, + "Waiting for stale completions to drain.\n"); +- h->access.set_intr_mask(h, HPSA_INTR_ON); ++ h->access->set_intr_mask(h, HPSA_INTR_ON); + msleep(10000); +- h->access.set_intr_mask(h, HPSA_INTR_OFF); ++ h->access->set_intr_mask(h, HPSA_INTR_OFF); + + rc = controller_reset_failed(h->cfgtable); + if (rc) +@@ -4919,7 +4919,7 @@ reinit_after_soft_reset: + } + + /* Turn the interrupts on so we can service requests */ +- h->access.set_intr_mask(h, HPSA_INTR_ON); ++ h->access->set_intr_mask(h, HPSA_INTR_ON); + + hpsa_hba_inquiry(h); + hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */ +@@ -4988,7 +4988,7 @@ static void hpsa_shutdown(struct pci_dev *pdev) + * To write all data in the battery backed cache to disks + */ + hpsa_flush_cache(h); +- h->access.set_intr_mask(h, HPSA_INTR_OFF); ++ h->access->set_intr_mask(h, HPSA_INTR_OFF); + hpsa_free_irqs_and_disable_msix(h); + } + +@@ -5162,7 +5162,7 @@ static void hpsa_enter_performant_mode(struct ctlr_info *h, u32 use_short_tags) + return; + } + /* Change the access methods to the performant access methods */ +- h->access = SA5_performant_access; ++ h->access = &SA5_performant_access; + h->transMethod = CFGTBL_Trans_Performant; + } + +diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h +index 01c3283..4655219 100644 +--- a/drivers/scsi/hpsa.h ++++ b/drivers/scsi/hpsa.h +@@ -79,7 +79,7 @@ struct ctlr_info { + unsigned int msix_vector; + unsigned int msi_vector; + int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */ +- struct access_method access; ++ struct access_method *access; + + /* queue and queue Info */ + struct list_head reqQ; +@@ -388,19 +388,19 @@ static bool SA5_performant_intr_pending(struct ctlr_info *h) + } + + static struct access_method SA5_access = { +- SA5_submit_command, +- SA5_intr_mask, +- SA5_fifo_full, +- SA5_intr_pending, +- SA5_completed, ++ .submit_command = SA5_submit_command, ++ .set_intr_mask = SA5_intr_mask, ++ .fifo_full = SA5_fifo_full, ++ .intr_pending = SA5_intr_pending, ++ .command_completed = SA5_completed, + }; + + static struct access_method SA5_performant_access = { +- SA5_submit_command, +- SA5_performant_intr_mask, +- SA5_fifo_full, +- SA5_performant_intr_pending, +- SA5_performant_completed, ++ .submit_command = SA5_submit_command, ++ .set_intr_mask = SA5_performant_intr_mask, ++ .fifo_full = SA5_fifo_full, ++ .intr_pending = SA5_performant_intr_pending, ++ .command_completed = SA5_performant_completed, + }; + + struct board_type { +diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c +index 1b3a094..068e683 100644 +--- a/drivers/scsi/libfc/fc_exch.c ++++ b/drivers/scsi/libfc/fc_exch.c +@@ -101,12 +101,12 @@ struct fc_exch_mgr { + u16 pool_max_index; + + struct { +- atomic_t no_free_exch; +- atomic_t no_free_exch_xid; +- atomic_t xid_not_found; +- atomic_t xid_busy; +- atomic_t seq_not_found; +- atomic_t non_bls_resp; ++ atomic_unchecked_t no_free_exch; ++ atomic_unchecked_t no_free_exch_xid; ++ atomic_unchecked_t xid_not_found; ++ atomic_unchecked_t xid_busy; ++ atomic_unchecked_t seq_not_found; ++ atomic_unchecked_t non_bls_resp; + } stats; + }; + +@@ -811,7 +811,7 @@ static struct fc_exch *fc_exch_em_alloc(struct fc_lport *lport, + /* allocate memory for exchange */ + ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC); + if (!ep) { +- atomic_inc(&mp->stats.no_free_exch); ++ atomic_inc_unchecked(&mp->stats.no_free_exch); + goto out; + } + memset(ep, 0, sizeof(*ep)); +@@ -874,7 +874,7 @@ out: + return ep; + err: + spin_unlock_bh(&pool->lock); +- atomic_inc(&mp->stats.no_free_exch_xid); ++ atomic_inc_unchecked(&mp->stats.no_free_exch_xid); + mempool_free(ep, mp->ep_pool); + return NULL; + } +@@ -1023,7 +1023,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, + xid = ntohs(fh->fh_ox_id); /* we originated exch */ + ep = fc_exch_find(mp, xid); + if (!ep) { +- atomic_inc(&mp->stats.xid_not_found); ++ atomic_inc_unchecked(&mp->stats.xid_not_found); + reject = FC_RJT_OX_ID; + goto out; + } +@@ -1053,7 +1053,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, + ep = fc_exch_find(mp, xid); + if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) { + if (ep) { +- atomic_inc(&mp->stats.xid_busy); ++ atomic_inc_unchecked(&mp->stats.xid_busy); + reject = FC_RJT_RX_ID; + goto rel; + } +@@ -1064,7 +1064,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, + } + xid = ep->xid; /* get our XID */ + } else if (!ep) { +- atomic_inc(&mp->stats.xid_not_found); ++ atomic_inc_unchecked(&mp->stats.xid_not_found); + reject = FC_RJT_RX_ID; /* XID not found */ + goto out; + } +@@ -1082,7 +1082,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport, + } else { + sp = &ep->seq; + if (sp->id != fh->fh_seq_id) { +- atomic_inc(&mp->stats.seq_not_found); ++ atomic_inc_unchecked(&mp->stats.seq_not_found); + if (f_ctl & FC_FC_END_SEQ) { + /* + * Update sequence_id based on incoming last +@@ -1533,22 +1533,22 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) + + ep = fc_exch_find(mp, ntohs(fh->fh_ox_id)); + if (!ep) { +- atomic_inc(&mp->stats.xid_not_found); ++ atomic_inc_unchecked(&mp->stats.xid_not_found); + goto out; + } + if (ep->esb_stat & ESB_ST_COMPLETE) { +- atomic_inc(&mp->stats.xid_not_found); ++ atomic_inc_unchecked(&mp->stats.xid_not_found); + goto rel; + } + if (ep->rxid == FC_XID_UNKNOWN) + ep->rxid = ntohs(fh->fh_rx_id); + if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) { +- atomic_inc(&mp->stats.xid_not_found); ++ atomic_inc_unchecked(&mp->stats.xid_not_found); + goto rel; + } + if (ep->did != ntoh24(fh->fh_s_id) && + ep->did != FC_FID_FLOGI) { +- atomic_inc(&mp->stats.xid_not_found); ++ atomic_inc_unchecked(&mp->stats.xid_not_found); + goto rel; + } + sof = fr_sof(fp); +@@ -1557,7 +1557,7 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) + sp->ssb_stat |= SSB_ST_RESP; + sp->id = fh->fh_seq_id; + } else if (sp->id != fh->fh_seq_id) { +- atomic_inc(&mp->stats.seq_not_found); ++ atomic_inc_unchecked(&mp->stats.seq_not_found); + goto rel; + } + +@@ -1619,9 +1619,9 @@ static void fc_exch_recv_resp(struct fc_exch_mgr *mp, struct fc_frame *fp) + sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */ + + if (!sp) +- atomic_inc(&mp->stats.xid_not_found); ++ atomic_inc_unchecked(&mp->stats.xid_not_found); + else +- atomic_inc(&mp->stats.non_bls_resp); ++ atomic_inc_unchecked(&mp->stats.non_bls_resp); + + fc_frame_free(fp); + } +@@ -2261,13 +2261,13 @@ void fc_exch_update_stats(struct fc_lport *lport) + + list_for_each_entry(ema, &lport->ema_list, ema_list) { + mp = ema->mp; +- st->fc_no_free_exch += atomic_read(&mp->stats.no_free_exch); ++ st->fc_no_free_exch += atomic_read_unchecked(&mp->stats.no_free_exch); + st->fc_no_free_exch_xid += +- atomic_read(&mp->stats.no_free_exch_xid); +- st->fc_xid_not_found += atomic_read(&mp->stats.xid_not_found); +- st->fc_xid_busy += atomic_read(&mp->stats.xid_busy); +- st->fc_seq_not_found += atomic_read(&mp->stats.seq_not_found); +- st->fc_non_bls_resp += atomic_read(&mp->stats.non_bls_resp); ++ atomic_read_unchecked(&mp->stats.no_free_exch_xid); ++ st->fc_xid_not_found += atomic_read_unchecked(&mp->stats.xid_not_found); ++ st->fc_xid_busy += atomic_read_unchecked(&mp->stats.xid_busy); ++ st->fc_seq_not_found += atomic_read_unchecked(&mp->stats.seq_not_found); ++ st->fc_non_bls_resp += atomic_read_unchecked(&mp->stats.non_bls_resp); + } + } + EXPORT_SYMBOL(fc_exch_update_stats); +diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c +index d289583..b745eec 100644 +--- a/drivers/scsi/libsas/sas_ata.c ++++ b/drivers/scsi/libsas/sas_ata.c +@@ -554,7 +554,7 @@ static struct ata_port_operations sas_sata_ops = { + .postreset = ata_std_postreset, + .error_handler = ata_std_error_handler, + .post_internal_cmd = sas_ata_post_internal, +- .qc_defer = ata_std_qc_defer, ++ .qc_defer = ata_std_qc_defer, + .qc_prep = ata_noop_qc_prep, + .qc_issue = sas_ata_qc_issue, + .qc_fill_rtf = sas_ata_qc_fill_rtf, +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 4e1b75c..0bbdfa9 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -432,7 +432,7 @@ struct lpfc_vport { + struct dentry *debug_nodelist; + struct dentry *vport_debugfs_root; + struct lpfc_debugfs_trc *disc_trc; +- atomic_t disc_trc_cnt; ++ atomic_unchecked_t disc_trc_cnt; + #endif + uint8_t stat_data_enabled; + uint8_t stat_data_blocked; +@@ -865,8 +865,8 @@ struct lpfc_hba { + struct timer_list fabric_block_timer; + unsigned long bit_flags; + #define FABRIC_COMANDS_BLOCKED 0 +- atomic_t num_rsrc_err; +- atomic_t num_cmd_success; ++ atomic_unchecked_t num_rsrc_err; ++ atomic_unchecked_t num_cmd_success; + unsigned long last_rsrc_error_time; + unsigned long last_ramp_down_time; + unsigned long last_ramp_up_time; +@@ -902,7 +902,7 @@ struct lpfc_hba { + + struct dentry *debug_slow_ring_trc; + struct lpfc_debugfs_trc *slow_ring_trc; +- atomic_t slow_ring_trc_cnt; ++ atomic_unchecked_t slow_ring_trc_cnt; + /* iDiag debugfs sub-directory */ + struct dentry *idiag_root; + struct dentry *idiag_pci_cfg; +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index b800cc9..16b6a91 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc, + + #include + +-static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0); ++static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0); + static unsigned long lpfc_debugfs_start_time = 0L; + + /* iDiag */ +@@ -147,7 +147,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size) + lpfc_debugfs_enable = 0; + + len = 0; +- index = (atomic_read(&vport->disc_trc_cnt) + 1) & ++ index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) & + (lpfc_debugfs_max_disc_trc - 1); + for (i = index; i < lpfc_debugfs_max_disc_trc; i++) { + dtp = vport->disc_trc + i; +@@ -213,7 +213,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size) + lpfc_debugfs_enable = 0; + + len = 0; +- index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) & ++ index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) & + (lpfc_debugfs_max_slow_ring_trc - 1); + for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) { + dtp = phba->slow_ring_trc + i; +@@ -646,14 +646,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport *vport, int mask, char *fmt, + !vport || !vport->disc_trc) + return; + +- index = atomic_inc_return(&vport->disc_trc_cnt) & ++ index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) & + (lpfc_debugfs_max_disc_trc - 1); + dtp = vport->disc_trc + index; + dtp->fmt = fmt; + dtp->data1 = data1; + dtp->data2 = data2; + dtp->data3 = data3; +- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt); ++ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt); + dtp->jif = jiffies; + #endif + return; +@@ -684,14 +684,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_hba *phba, char *fmt, + !phba || !phba->slow_ring_trc) + return; + +- index = atomic_inc_return(&phba->slow_ring_trc_cnt) & ++ index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) & + (lpfc_debugfs_max_slow_ring_trc - 1); + dtp = phba->slow_ring_trc + index; + dtp->fmt = fmt; + dtp->data1 = data1; + dtp->data2 = data2; + dtp->data3 = data3; +- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt); ++ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt); + dtp->jif = jiffies; + #endif + return; +@@ -4168,7 +4168,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + "slow_ring buffer\n"); + goto debug_failed; + } +- atomic_set(&phba->slow_ring_trc_cnt, 0); ++ atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0); + memset(phba->slow_ring_trc, 0, + (sizeof(struct lpfc_debugfs_trc) * + lpfc_debugfs_max_slow_ring_trc)); +@@ -4214,7 +4214,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + "buffer\n"); + goto debug_failed; + } +- atomic_set(&vport->disc_trc_cnt, 0); ++ atomic_set_unchecked(&vport->disc_trc_cnt, 0); + + snprintf(name, sizeof(name), "discovery_trace"); + vport->debug_disc_trc = +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 68c94cc..8c27be5 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -10949,8 +10949,10 @@ lpfc_init(void) + "misc_register returned with status %d", error); + + if (lpfc_enable_npiv) { +- lpfc_transport_functions.vport_create = lpfc_vport_create; +- lpfc_transport_functions.vport_delete = lpfc_vport_delete; ++ pax_open_kernel(); ++ *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create; ++ *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete; ++ pax_close_kernel(); + } + lpfc_transport_template = + fc_attach_transport(&lpfc_transport_functions); +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index b2ede05..aaf482ca 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -353,7 +353,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hba *phba) + uint32_t evt_posted; + + spin_lock_irqsave(&phba->hbalock, flags); +- atomic_inc(&phba->num_rsrc_err); ++ atomic_inc_unchecked(&phba->num_rsrc_err); + phba->last_rsrc_error_time = jiffies; + + if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) { +@@ -394,7 +394,7 @@ lpfc_rampup_queue_depth(struct lpfc_vport *vport, + unsigned long flags; + struct lpfc_hba *phba = vport->phba; + uint32_t evt_posted; +- atomic_inc(&phba->num_cmd_success); ++ atomic_inc_unchecked(&phba->num_cmd_success); + + if (vport->cfg_lun_queue_depth <= queue_depth) + return; +@@ -438,8 +438,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) + unsigned long num_rsrc_err, num_cmd_success; + int i; + +- num_rsrc_err = atomic_read(&phba->num_rsrc_err); +- num_cmd_success = atomic_read(&phba->num_cmd_success); ++ num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err); ++ num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success); + + /* + * The error and success command counters are global per +@@ -467,8 +467,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) + } + } + lpfc_destroy_vport_work_array(phba, vports); +- atomic_set(&phba->num_rsrc_err, 0); +- atomic_set(&phba->num_cmd_success, 0); ++ atomic_set_unchecked(&phba->num_rsrc_err, 0); ++ atomic_set_unchecked(&phba->num_cmd_success, 0); + } + + /** +@@ -502,8 +502,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_hba *phba) + } + } + lpfc_destroy_vport_work_array(phba, vports); +- atomic_set(&phba->num_rsrc_err, 0); +- atomic_set(&phba->num_cmd_success, 0); ++ atomic_set_unchecked(&phba->num_rsrc_err, 0); ++ atomic_set_unchecked(&phba->num_cmd_success, 0); + } + + /** +diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c +index 7f0af4f..193ac3e 100644 +--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c ++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c +@@ -1557,7 +1557,7 @@ _scsih_get_resync(struct device *dev) + { + struct scsi_device *sdev = to_scsi_device(dev); + struct MPT2SAS_ADAPTER *ioc = shost_priv(sdev->host); +- static struct _raid_device *raid_device; ++ struct _raid_device *raid_device; + unsigned long flags; + Mpi2RaidVolPage0_t vol_pg0; + Mpi2ConfigReply_t mpi_reply; +@@ -1609,7 +1609,7 @@ _scsih_get_state(struct device *dev) + { + struct scsi_device *sdev = to_scsi_device(dev); + struct MPT2SAS_ADAPTER *ioc = shost_priv(sdev->host); +- static struct _raid_device *raid_device; ++ struct _raid_device *raid_device; + unsigned long flags; + Mpi2RaidVolPage0_t vol_pg0; + Mpi2ConfigReply_t mpi_reply; +@@ -6637,7 +6637,7 @@ _scsih_sas_ir_operation_status_event(struct MPT2SAS_ADAPTER *ioc, + struct fw_event_work *fw_event) + { + Mpi2EventDataIrOperationStatus_t *event_data = fw_event->event_data; +- static struct _raid_device *raid_device; ++ struct _raid_device *raid_device; + unsigned long flags; + u16 handle; + +@@ -7108,7 +7108,7 @@ _scsih_scan_for_devices_after_reset(struct MPT2SAS_ADAPTER *ioc) + u64 sas_address; + struct _sas_device *sas_device; + struct _sas_node *expander_device; +- static struct _raid_device *raid_device; ++ struct _raid_device *raid_device; + u8 retry_count; + unsigned long flags; + +diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c +index be8ce54..94ed33a 100644 +--- a/drivers/scsi/pmcraid.c ++++ b/drivers/scsi/pmcraid.c +@@ -200,8 +200,8 @@ static int pmcraid_slave_alloc(struct scsi_device *scsi_dev) + res->scsi_dev = scsi_dev; + scsi_dev->hostdata = res; + res->change_detected = 0; +- atomic_set(&res->read_failures, 0); +- atomic_set(&res->write_failures, 0); ++ atomic_set_unchecked(&res->read_failures, 0); ++ atomic_set_unchecked(&res->write_failures, 0); + rc = 0; + } + spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags); +@@ -2687,9 +2687,9 @@ static int pmcraid_error_handler(struct pmcraid_cmd *cmd) + + /* If this was a SCSI read/write command keep count of errors */ + if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD) +- atomic_inc(&res->read_failures); ++ atomic_inc_unchecked(&res->read_failures); + else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD) +- atomic_inc(&res->write_failures); ++ atomic_inc_unchecked(&res->write_failures); + + if (!RES_IS_GSCSI(res->cfg_entry) && + masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) { +@@ -3545,7 +3545,7 @@ static int pmcraid_queuecommand_lck( + * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses + * hrrq_id assigned here in queuecommand + */ +- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) % ++ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % + pinstance->num_hrrq; + cmd->cmd_done = pmcraid_io_done; + +@@ -3857,7 +3857,7 @@ static long pmcraid_ioctl_passthrough( + * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses + * hrrq_id assigned here in queuecommand + */ +- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) % ++ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % + pinstance->num_hrrq; + + if (request_size) { +@@ -4495,7 +4495,7 @@ static void pmcraid_worker_function(struct work_struct *workp) + + pinstance = container_of(workp, struct pmcraid_instance, worker_q); + /* add resources only after host is added into system */ +- if (!atomic_read(&pinstance->expose_resources)) ++ if (!atomic_read_unchecked(&pinstance->expose_resources)) + return; + + fw_version = be16_to_cpu(pinstance->inq_data->fw_version); +@@ -5322,8 +5322,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host, + init_waitqueue_head(&pinstance->reset_wait_q); + + atomic_set(&pinstance->outstanding_cmds, 0); +- atomic_set(&pinstance->last_message_id, 0); +- atomic_set(&pinstance->expose_resources, 0); ++ atomic_set_unchecked(&pinstance->last_message_id, 0); ++ atomic_set_unchecked(&pinstance->expose_resources, 0); + + INIT_LIST_HEAD(&pinstance->free_res_q); + INIT_LIST_HEAD(&pinstance->used_res_q); +@@ -6036,7 +6036,7 @@ static int pmcraid_probe(struct pci_dev *pdev, + /* Schedule worker thread to handle CCN and take care of adding and + * removing devices to OS + */ +- atomic_set(&pinstance->expose_resources, 1); ++ atomic_set_unchecked(&pinstance->expose_resources, 1); + schedule_work(&pinstance->worker_q); + return rc; + +diff --git a/drivers/scsi/pmcraid.h b/drivers/scsi/pmcraid.h +index e1d150f..6c6df44 100644 +--- a/drivers/scsi/pmcraid.h ++++ b/drivers/scsi/pmcraid.h +@@ -748,7 +748,7 @@ struct pmcraid_instance { + struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS]; + + /* Message id as filled in last fired IOARCB, used to identify HRRQ */ +- atomic_t last_message_id; ++ atomic_unchecked_t last_message_id; + + /* configuration table */ + struct pmcraid_config_table *cfg_table; +@@ -777,7 +777,7 @@ struct pmcraid_instance { + atomic_t outstanding_cmds; + + /* should add/delete resources to mid-layer now ?*/ +- atomic_t expose_resources; ++ atomic_unchecked_t expose_resources; + + + +@@ -813,8 +813,8 @@ struct pmcraid_resource_entry { + struct pmcraid_config_table_entry_ext cfg_entry_ext; + }; + struct scsi_device *scsi_dev; /* Link scsi_device structure */ +- atomic_t read_failures; /* count of failed READ commands */ +- atomic_t write_failures; /* count of failed WRITE commands */ ++ atomic_unchecked_t read_failures; /* count of failed READ commands */ ++ atomic_unchecked_t write_failures; /* count of failed WRITE commands */ + + /* To indicate add/delete/modify during CCN */ + u8 change_detected; +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index 4a0d7c9..3d658d7 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2038,7 +2038,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable) + return 0; + } + +-struct fc_function_template qla2xxx_transport_functions = { ++fc_function_template_no_const qla2xxx_transport_functions = { + + .show_host_node_name = 1, + .show_host_port_name = 1, +@@ -2086,7 +2086,7 @@ struct fc_function_template qla2xxx_transport_functions = { + .bsg_timeout = qla24xx_bsg_timeout, + }; + +-struct fc_function_template qla2xxx_transport_vport_functions = { ++fc_function_template_no_const qla2xxx_transport_vport_functions = { + + .show_host_node_name = 1, + .show_host_port_name = 1, +diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h +index 1f42662..bf9836c 100644 +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -546,8 +546,8 @@ extern void qla2x00_get_sym_node_name(scsi_qla_host_t *, uint8_t *); + struct device_attribute; + extern struct device_attribute *qla2x00_host_attrs[]; + struct fc_function_template; +-extern struct fc_function_template qla2xxx_transport_functions; +-extern struct fc_function_template qla2xxx_transport_vport_functions; ++extern fc_function_template_no_const qla2xxx_transport_functions; ++extern fc_function_template_no_const qla2xxx_transport_vport_functions; + extern void qla2x00_alloc_sysfs_attr(scsi_qla_host_t *); + extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *, bool); + extern void qla2x00_init_host_attr(scsi_qla_host_t *); +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 89a5300..2a459ab 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1491,8 +1491,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha) + !pci_set_consistent_dma_mask(ha->pdev, DMA_BIT_MASK(64))) { + /* Ok, a 64bit DMA mask is applicable. */ + ha->flags.enable_64bit_addressing = 1; +- ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64; +- ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64; ++ pax_open_kernel(); ++ *(void **)&ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64; ++ *(void **)&ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64; ++ pax_close_kernel(); + return; + } + } +diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h +index aa67bb9..06d0e2a 100644 +--- a/drivers/scsi/qla4xxx/ql4_def.h ++++ b/drivers/scsi/qla4xxx/ql4_def.h +@@ -303,7 +303,7 @@ struct ddb_entry { + * (4000 only) */ + atomic_t relogin_timer; /* Max Time to wait for + * relogin to complete */ +- atomic_t relogin_retry_count; /* Num of times relogin has been ++ atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been + * retried */ + uint32_t default_time2wait; /* Default Min time between + * relogins (+aens) */ +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index c21adc3..1b4155f 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -4463,12 +4463,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess) + */ + if (!iscsi_is_session_online(cls_sess)) { + /* Reset retry relogin timer */ +- atomic_inc(&ddb_entry->relogin_retry_count); ++ atomic_inc_unchecked(&ddb_entry->relogin_retry_count); + DEBUG2(ql4_printk(KERN_INFO, ha, + "%s: index[%d] relogin timed out-retrying" + " relogin (%d), retry (%d)\n", __func__, + ddb_entry->fw_ddb_index, +- atomic_read(&ddb_entry->relogin_retry_count), ++ atomic_read_unchecked(&ddb_entry->relogin_retry_count), + ddb_entry->default_time2wait + 4)); + set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags); + atomic_set(&ddb_entry->retry_relogin_timer, +@@ -6552,7 +6552,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha, + + atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY); + atomic_set(&ddb_entry->relogin_timer, 0); +- atomic_set(&ddb_entry->relogin_retry_count, 0); ++ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0); + def_timeout = le16_to_cpu(ddb_entry->fw_ddb_entry.def_timeout); + ddb_entry->default_relogin_timeout = + (def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ? +diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c +index d8afec8..3ec7152 100644 +--- a/drivers/scsi/scsi.c ++++ b/drivers/scsi/scsi.c +@@ -658,7 +658,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd) + struct Scsi_Host *host = cmd->device->host; + int rtn = 0; + +- atomic_inc(&cmd->device->iorequest_cnt); ++ atomic_inc_unchecked(&cmd->device->iorequest_cnt); + + /* check if the device is still usable */ + if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 62ec84b..93159d8 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1474,7 +1474,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) + shost = sdev->host; + scsi_init_cmd_errh(cmd); + cmd->result = DID_NO_CONNECT << 16; +- atomic_inc(&cmd->device->iorequest_cnt); ++ atomic_inc_unchecked(&cmd->device->iorequest_cnt); + + /* + * SCSI request completion path will do scsi_device_unbusy(), +@@ -1500,9 +1500,9 @@ static void scsi_softirq_done(struct request *rq) + + INIT_LIST_HEAD(&cmd->eh_entry); + +- atomic_inc(&cmd->device->iodone_cnt); ++ atomic_inc_unchecked(&cmd->device->iodone_cnt); + if (cmd->result) +- atomic_inc(&cmd->device->ioerr_cnt); ++ atomic_inc_unchecked(&cmd->device->ioerr_cnt); + + disposition = scsi_decide_disposition(cmd); + if (disposition != SUCCESS && +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index 9117d0b..d289a7a 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -739,7 +739,7 @@ show_iostat_##field(struct device *dev, struct device_attribute *attr, \ + char *buf) \ + { \ + struct scsi_device *sdev = to_scsi_device(dev); \ +- unsigned long long count = atomic_read(&sdev->field); \ ++ unsigned long long count = atomic_read_unchecked(&sdev->field); \ + return snprintf(buf, 20, "0x%llx\n", count); \ + } \ + static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL) +diff --git a/drivers/scsi/scsi_tgt_lib.c b/drivers/scsi/scsi_tgt_lib.c +index 84a1fdf..693b0d6 100644 +--- a/drivers/scsi/scsi_tgt_lib.c ++++ b/drivers/scsi/scsi_tgt_lib.c +@@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct scsi_tgt_cmd *tcmd, struct scsi_cmnd *cmd, + int err; + + dprintk("%lx %u\n", uaddr, len); +- err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL); ++ err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL); + if (err) { + /* + * TODO: need to fixup sg_tablesize, max_segment_size, +diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c +index 4628fd5..a94a1c2 100644 +--- a/drivers/scsi/scsi_transport_fc.c ++++ b/drivers/scsi/scsi_transport_fc.c +@@ -497,7 +497,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_class, + * Netlink Infrastructure + */ + +-static atomic_t fc_event_seq; ++static atomic_unchecked_t fc_event_seq; + + /** + * fc_get_event_number - Obtain the next sequential FC event number +@@ -510,7 +510,7 @@ static atomic_t fc_event_seq; + u32 + fc_get_event_number(void) + { +- return atomic_add_return(1, &fc_event_seq); ++ return atomic_add_return_unchecked(1, &fc_event_seq); + } + EXPORT_SYMBOL(fc_get_event_number); + +@@ -654,7 +654,7 @@ static __init int fc_transport_init(void) + { + int error; + +- atomic_set(&fc_event_seq, 0); ++ atomic_set_unchecked(&fc_event_seq, 0); + + error = transport_class_register(&fc_host_class); + if (error) +@@ -844,7 +844,7 @@ static int fc_str_to_dev_loss(const char *buf, unsigned long *val) + char *cp; + + *val = simple_strtoul(buf, &cp, 0); +- if ((*cp && (*cp != '\n')) || (*val < 0)) ++ if (*cp && (*cp != '\n')) + return -EINVAL; + /* + * Check for overflow; dev_loss_tmo is u32 +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index fd8ffe6..fd0bebf 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -79,7 +79,7 @@ struct iscsi_internal { + struct transport_container session_cont; + }; + +-static atomic_t iscsi_session_nr; /* sysfs session id for next new session */ ++static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */ + static struct workqueue_struct *iscsi_eh_timer_workq; + + static DEFINE_IDA(iscsi_sess_ida); +@@ -2071,7 +2071,7 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id) + int err; + + ihost = shost->shost_data; +- session->sid = atomic_add_return(1, &iscsi_session_nr); ++ session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr); + + if (target_id == ISCSI_MAX_TARGET) { + id = ida_simple_get(&iscsi_sess_ida, 0, 0, GFP_KERNEL); +@@ -4511,7 +4511,7 @@ static __init int iscsi_transport_init(void) + printk(KERN_INFO "Loading iSCSI transport class v%s.\n", + ISCSI_TRANSPORT_VERSION); + +- atomic_set(&iscsi_session_nr, 0); ++ atomic_set_unchecked(&iscsi_session_nr, 0); + + err = class_register(&iscsi_transport_class); + if (err) +diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c +index d47ffc8..30f46a9 100644 +--- a/drivers/scsi/scsi_transport_srp.c ++++ b/drivers/scsi/scsi_transport_srp.c +@@ -36,7 +36,7 @@ + #include "scsi_transport_srp_internal.h" + + struct srp_host_attrs { +- atomic_t next_port_id; ++ atomic_unchecked_t next_port_id; + }; + #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data) + +@@ -101,7 +101,7 @@ static int srp_host_setup(struct transport_container *tc, struct device *dev, + struct Scsi_Host *shost = dev_to_shost(dev); + struct srp_host_attrs *srp_host = to_srp_host_attrs(shost); + +- atomic_set(&srp_host->next_port_id, 0); ++ atomic_set_unchecked(&srp_host->next_port_id, 0); + return 0; + } + +@@ -734,7 +734,7 @@ struct srp_rport *srp_rport_add(struct Scsi_Host *shost, + rport_fast_io_fail_timedout); + INIT_DELAYED_WORK(&rport->dev_loss_work, rport_dev_loss_timedout); + +- id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id); ++ id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id); + dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id); + + transport_setup_device(&rport->dev); +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 470954a..eca8d22 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2962,7 +2962,7 @@ static int sd_probe(struct device *dev) + sdkp->disk = gd; + sdkp->index = index; + atomic_set(&sdkp->openers, 0); +- atomic_set(&sdkp->device->ioerr_cnt, 0); ++ atomic_set_unchecked(&sdkp->device->ioerr_cnt, 0); + + if (!sdp->request_queue->rq_timeout) { + if (sdp->type != TYPE_MOD) +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index df5e961..df6b97f 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) + sdp->disk->disk_name, + MKDEV(SCSI_GENERIC_MAJOR, sdp->index), + NULL, +- (char *)arg); ++ (char __user *)arg); + case BLKTRACESTART: + return blk_trace_startstop(sdp->device->request_queue, 1); + case BLKTRACESTOP: +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index d0b28bb..a263613 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1971,7 +1971,7 @@ int spi_bus_unlock(struct spi_master *master) + EXPORT_SYMBOL_GPL(spi_bus_unlock); + + /* portable code must never pass more than 32 bytes */ +-#define SPI_BUFSIZ max(32, SMP_CACHE_BYTES) ++#define SPI_BUFSIZ max(32UL, SMP_CACHE_BYTES) + + static u8 *buf; + +diff --git a/drivers/staging/android/timed_output.c b/drivers/staging/android/timed_output.c +index 2c61783..4d49e4e 100644 +--- a/drivers/staging/android/timed_output.c ++++ b/drivers/staging/android/timed_output.c +@@ -25,7 +25,7 @@ + #include "timed_output.h" + + static struct class *timed_output_class; +-static atomic_t device_count; ++static atomic_unchecked_t device_count; + + static ssize_t enable_show(struct device *dev, struct device_attribute *attr, + char *buf) +@@ -63,7 +63,7 @@ static int create_timed_output_class(void) + timed_output_class = class_create(THIS_MODULE, "timed_output"); + if (IS_ERR(timed_output_class)) + return PTR_ERR(timed_output_class); +- atomic_set(&device_count, 0); ++ atomic_set_unchecked(&device_count, 0); + timed_output_class->dev_groups = timed_output_groups; + } + +@@ -81,7 +81,7 @@ int timed_output_dev_register(struct timed_output_dev *tdev) + if (ret < 0) + return ret; + +- tdev->index = atomic_inc_return(&device_count); ++ tdev->index = atomic_inc_return_unchecked(&device_count); + tdev->dev = device_create(timed_output_class, NULL, + MKDEV(0, tdev->index), NULL, "%s", tdev->name); + if (IS_ERR(tdev->dev)) +diff --git a/drivers/staging/gdm724x/gdm_tty.c b/drivers/staging/gdm724x/gdm_tty.c +index fe47cd3..19a1bd1 100644 +--- a/drivers/staging/gdm724x/gdm_tty.c ++++ b/drivers/staging/gdm724x/gdm_tty.c +@@ -44,7 +44,7 @@ + #define gdm_tty_send_control(n, r, v, d, l) (\ + n->tty_dev->send_control(n->tty_dev->priv_dev, r, v, d, l)) + +-#define GDM_TTY_READY(gdm) (gdm && gdm->tty_dev && gdm->port.count) ++#define GDM_TTY_READY(gdm) (gdm && gdm->tty_dev && atomic_read(&gdm->port.count)) + + static struct tty_driver *gdm_driver[TTY_MAX_COUNT]; + static struct gdm *gdm_table[TTY_MAX_COUNT][GDM_TTY_MINOR]; +diff --git a/drivers/staging/imx-drm/imx-drm-core.c b/drivers/staging/imx-drm/imx-drm-core.c +index 236ed66..dd9cd74 100644 +--- a/drivers/staging/imx-drm/imx-drm-core.c ++++ b/drivers/staging/imx-drm/imx-drm-core.c +@@ -488,7 +488,7 @@ int imx_drm_add_crtc(struct drm_crtc *crtc, + goto err_busy; + } + +- if (imxdrm->drm->open_count) { ++ if (local_read(&imxdrm->drm->open_count)) { + ret = -EBUSY; + goto err_busy; + } +@@ -576,7 +576,7 @@ int imx_drm_add_encoder(struct drm_encoder *encoder, + + mutex_lock(&imxdrm->mutex); + +- if (imxdrm->drm->open_count) { ++ if (local_read(&imxdrm->drm->open_count)) { + ret = -EBUSY; + goto err_busy; + } +@@ -715,7 +715,7 @@ int imx_drm_add_connector(struct drm_connector *connector, + + mutex_lock(&imxdrm->mutex); + +- if (imxdrm->drm->open_count) { ++ if (local_read(&imxdrm->drm->open_count)) { + ret = -EBUSY; + goto err_busy; + } +diff --git a/drivers/staging/lustre/lnet/selftest/brw_test.c b/drivers/staging/lustre/lnet/selftest/brw_test.c +index 3f8020c..649fded 100644 +--- a/drivers/staging/lustre/lnet/selftest/brw_test.c ++++ b/drivers/staging/lustre/lnet/selftest/brw_test.c +@@ -488,13 +488,11 @@ brw_server_handle(struct srpc_server_rpc *rpc) + return 0; + } + +-sfw_test_client_ops_t brw_test_client; +-void brw_init_test_client(void) +-{ +- brw_test_client.tso_init = brw_client_init; +- brw_test_client.tso_fini = brw_client_fini; +- brw_test_client.tso_prep_rpc = brw_client_prep_rpc; +- brw_test_client.tso_done_rpc = brw_client_done_rpc; ++sfw_test_client_ops_t brw_test_client = { ++ .tso_init = brw_client_init, ++ .tso_fini = brw_client_fini, ++ .tso_prep_rpc = brw_client_prep_rpc, ++ .tso_done_rpc = brw_client_done_rpc, + }; + + srpc_service_t brw_test_service; +diff --git a/drivers/staging/lustre/lnet/selftest/framework.c b/drivers/staging/lustre/lnet/selftest/framework.c +index 050723a..fa6fdf1 100644 +--- a/drivers/staging/lustre/lnet/selftest/framework.c ++++ b/drivers/staging/lustre/lnet/selftest/framework.c +@@ -1635,12 +1635,10 @@ static srpc_service_t sfw_services[] = + + extern sfw_test_client_ops_t ping_test_client; + extern srpc_service_t ping_test_service; +-extern void ping_init_test_client(void); + extern void ping_init_test_service(void); + + extern sfw_test_client_ops_t brw_test_client; + extern srpc_service_t brw_test_service; +-extern void brw_init_test_client(void); + extern void brw_init_test_service(void); + + +@@ -1684,12 +1682,10 @@ sfw_startup (void) + INIT_LIST_HEAD(&sfw_data.fw_zombie_rpcs); + INIT_LIST_HEAD(&sfw_data.fw_zombie_sessions); + +- brw_init_test_client(); + brw_init_test_service(); + rc = sfw_register_test(&brw_test_service, &brw_test_client); + LASSERT (rc == 0); + +- ping_init_test_client(); + ping_init_test_service(); + rc = sfw_register_test(&ping_test_service, &ping_test_client); + LASSERT (rc == 0); +diff --git a/drivers/staging/lustre/lnet/selftest/ping_test.c b/drivers/staging/lustre/lnet/selftest/ping_test.c +index 750cac4..e4d751f 100644 +--- a/drivers/staging/lustre/lnet/selftest/ping_test.c ++++ b/drivers/staging/lustre/lnet/selftest/ping_test.c +@@ -211,14 +211,12 @@ ping_server_handle(struct srpc_server_rpc *rpc) + return 0; + } + +-sfw_test_client_ops_t ping_test_client; +-void ping_init_test_client(void) +-{ +- ping_test_client.tso_init = ping_client_init; +- ping_test_client.tso_fini = ping_client_fini; +- ping_test_client.tso_prep_rpc = ping_client_prep_rpc; +- ping_test_client.tso_done_rpc = ping_client_done_rpc; +-} ++sfw_test_client_ops_t ping_test_client = { ++ .tso_init = ping_client_init, ++ .tso_fini = ping_client_fini, ++ .tso_prep_rpc = ping_client_prep_rpc, ++ .tso_done_rpc = ping_client_done_rpc, ++}; + + srpc_service_t ping_test_service; + void ping_init_test_service(void) +diff --git a/drivers/staging/lustre/lustre/include/lustre_dlm.h b/drivers/staging/lustre/lustre/include/lustre_dlm.h +index ec4bb5e..740c6dd 100644 +--- a/drivers/staging/lustre/lustre/include/lustre_dlm.h ++++ b/drivers/staging/lustre/lustre/include/lustre_dlm.h +@@ -1141,7 +1141,7 @@ struct ldlm_callback_suite { + ldlm_completion_callback lcs_completion; + ldlm_blocking_callback lcs_blocking; + ldlm_glimpse_callback lcs_glimpse; +-}; ++} __no_const; + + /* ldlm_lockd.c */ + int ldlm_del_waiting_lock(struct ldlm_lock *lock); +diff --git a/drivers/staging/lustre/lustre/include/obd.h b/drivers/staging/lustre/lustre/include/obd.h +index c3470ce..2bef527 100644 +--- a/drivers/staging/lustre/lustre/include/obd.h ++++ b/drivers/staging/lustre/lustre/include/obd.h +@@ -1426,7 +1426,7 @@ struct md_ops { + * lprocfs_alloc_md_stats() in obdclass/lprocfs_status.c. Also, add a + * wrapper function in include/linux/obd_class.h. + */ +-}; ++} __no_const; + + struct lsm_operations { + void (*lsm_free)(struct lov_stripe_md *); +diff --git a/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c b/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c +index c9aae13..60ea292 100644 +--- a/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c ++++ b/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c +@@ -239,7 +239,7 @@ ldlm_process_flock_lock(struct ldlm_lock *req, __u64 *flags, int first_enq, + int added = (mode == LCK_NL); + int overlaps = 0; + int splitted = 0; +- const struct ldlm_callback_suite null_cbs = { NULL }; ++ const struct ldlm_callback_suite null_cbs = { }; + + CDEBUG(D_DLMTRACE, "flags %#llx owner "LPU64" pid %u mode %u start " + LPU64" end "LPU64"\n", *flags, +diff --git a/drivers/staging/lustre/lustre/libcfs/linux/linux-proc.c b/drivers/staging/lustre/lustre/libcfs/linux/linux-proc.c +index e947b91..f408990 100644 +--- a/drivers/staging/lustre/lustre/libcfs/linux/linux-proc.c ++++ b/drivers/staging/lustre/lustre/libcfs/linux/linux-proc.c +@@ -217,7 +217,7 @@ DECLARE_PROC_HANDLER(proc_debug_mb) + int LL_PROC_PROTO(proc_console_max_delay_cs) + { + int rc, max_delay_cs; +- ctl_table_t dummy = *table; ++ ctl_table_no_const dummy = *table; + cfs_duration_t d; + + dummy.data = &max_delay_cs; +@@ -248,7 +248,7 @@ int LL_PROC_PROTO(proc_console_max_delay_cs) + int LL_PROC_PROTO(proc_console_min_delay_cs) + { + int rc, min_delay_cs; +- ctl_table_t dummy = *table; ++ ctl_table_no_const dummy = *table; + cfs_duration_t d; + + dummy.data = &min_delay_cs; +@@ -279,7 +279,7 @@ int LL_PROC_PROTO(proc_console_min_delay_cs) + int LL_PROC_PROTO(proc_console_backoff) + { + int rc, backoff; +- ctl_table_t dummy = *table; ++ ctl_table_no_const dummy = *table; + + dummy.data = &backoff; + dummy.proc_handler = &proc_dointvec; +diff --git a/drivers/staging/lustre/lustre/libcfs/module.c b/drivers/staging/lustre/lustre/libcfs/module.c +index 24ae26d..9d09cab 100644 +--- a/drivers/staging/lustre/lustre/libcfs/module.c ++++ b/drivers/staging/lustre/lustre/libcfs/module.c +@@ -313,11 +313,11 @@ out: + + + struct cfs_psdev_ops libcfs_psdev_ops = { +- libcfs_psdev_open, +- libcfs_psdev_release, +- NULL, +- NULL, +- libcfs_ioctl ++ .p_open = libcfs_psdev_open, ++ .p_close = libcfs_psdev_release, ++ .p_read = NULL, ++ .p_write = NULL, ++ .p_ioctl = libcfs_ioctl + }; + + extern int insert_proc(void); +diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c +index 52b7731..d604da0 100644 +--- a/drivers/staging/lustre/lustre/llite/dir.c ++++ b/drivers/staging/lustre/lustre/llite/dir.c +@@ -660,7 +660,7 @@ int ll_dir_setdirstripe(struct inode *dir, struct lmv_user_md *lump, + int mode; + int err; + +- mode = (0755 & (S_IRWXUGO|S_ISVTX) & ~current->fs->umask) | S_IFDIR; ++ mode = (0755 & (S_IRWXUGO|S_ISVTX) & ~current_umask()) | S_IFDIR; + op_data = ll_prep_md_op_data(NULL, dir, NULL, filename, + strlen(filename), mode, LUSTRE_OPC_MKDIR, + lump); +diff --git a/drivers/staging/media/solo6x10/solo6x10-core.c b/drivers/staging/media/solo6x10/solo6x10-core.c +index 480b7c4..6846324 100644 +--- a/drivers/staging/media/solo6x10/solo6x10-core.c ++++ b/drivers/staging/media/solo6x10/solo6x10-core.c +@@ -434,7 +434,7 @@ static void solo_device_release(struct device *dev) + + static int solo_sysfs_init(struct solo_dev *solo_dev) + { +- struct bin_attribute *sdram_attr = &solo_dev->sdram_attr; ++ bin_attribute_no_const *sdram_attr = &solo_dev->sdram_attr; + struct device *dev = &solo_dev->dev; + const char *driver; + int i; +diff --git a/drivers/staging/media/solo6x10/solo6x10-g723.c b/drivers/staging/media/solo6x10/solo6x10-g723.c +index 1db18c7..35e6afc 100644 +--- a/drivers/staging/media/solo6x10/solo6x10-g723.c ++++ b/drivers/staging/media/solo6x10/solo6x10-g723.c +@@ -355,7 +355,7 @@ static int solo_snd_pcm_init(struct solo_dev *solo_dev) + + int solo_g723_init(struct solo_dev *solo_dev) + { +- static struct snd_device_ops ops = { NULL }; ++ static struct snd_device_ops ops = { }; + struct snd_card *card; + struct snd_kcontrol_new kctl; + char name[32]; +diff --git a/drivers/staging/media/solo6x10/solo6x10-p2m.c b/drivers/staging/media/solo6x10/solo6x10-p2m.c +index 7f2f247..d999137 100644 +--- a/drivers/staging/media/solo6x10/solo6x10-p2m.c ++++ b/drivers/staging/media/solo6x10/solo6x10-p2m.c +@@ -77,7 +77,7 @@ int solo_p2m_dma_desc(struct solo_dev *solo_dev, + + /* Get next ID. According to Softlogic, 6110 has problems on !=0 P2M */ + if (solo_dev->type != SOLO_DEV_6110 && multi_p2m) { +- p2m_id = atomic_inc_return(&solo_dev->p2m_count) % SOLO_NR_P2M; ++ p2m_id = atomic_inc_return_unchecked(&solo_dev->p2m_count) % SOLO_NR_P2M; + if (p2m_id < 0) + p2m_id = -p2m_id; + } +diff --git a/drivers/staging/media/solo6x10/solo6x10.h b/drivers/staging/media/solo6x10/solo6x10.h +index 8964f8b..36eb087 100644 +--- a/drivers/staging/media/solo6x10/solo6x10.h ++++ b/drivers/staging/media/solo6x10/solo6x10.h +@@ -237,7 +237,7 @@ struct solo_dev { + + /* P2M DMA Engine */ + struct solo_p2m_dev p2m_dev[SOLO_NR_P2M]; +- atomic_t p2m_count; ++ atomic_unchecked_t p2m_count; + int p2m_jiffies; + unsigned int p2m_timeouts; + +diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c +index a0f4868..139f1fb 100644 +--- a/drivers/staging/octeon/ethernet-rx.c ++++ b/drivers/staging/octeon/ethernet-rx.c +@@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget) + /* Increment RX stats for virtual ports */ + if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) { + #ifdef CONFIG_64BIT +- atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets); +- atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes); ++ atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets); ++ atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes); + #else +- atomic_add(1, (atomic_t *)&priv->stats.rx_packets); +- atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes); ++ atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets); ++ atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes); + #endif + } + netif_receive_skb(skb); +@@ -432,9 +432,9 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget) + dev->name); + */ + #ifdef CONFIG_64BIT +- atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped); ++ atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped); + #else +- atomic_add(1, (atomic_t *)&priv->stats.rx_dropped); ++ atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped); + #endif + dev_kfree_skb_irq(skb); + } +diff --git a/drivers/staging/octeon/ethernet.c b/drivers/staging/octeon/ethernet.c +index 089dc4b..c9a687e 100644 +--- a/drivers/staging/octeon/ethernet.c ++++ b/drivers/staging/octeon/ethernet.c +@@ -253,11 +253,11 @@ static struct net_device_stats *cvm_oct_common_get_stats(struct net_device *dev) + * since the RX tasklet also increments it. + */ + #ifdef CONFIG_64BIT +- atomic64_add(rx_status.dropped_packets, +- (atomic64_t *)&priv->stats.rx_dropped); ++ atomic64_add_unchecked(rx_status.dropped_packets, ++ (atomic64_unchecked_t *)&priv->stats.rx_dropped); + #else +- atomic_add(rx_status.dropped_packets, +- (atomic_t *)&priv->stats.rx_dropped); ++ atomic_add_unchecked(rx_status.dropped_packets, ++ (atomic_unchecked_t *)&priv->stats.rx_dropped); + #endif + } + +diff --git a/drivers/staging/rtl8188eu/include/hal_intf.h b/drivers/staging/rtl8188eu/include/hal_intf.h +index c274b34..f84de76 100644 +--- a/drivers/staging/rtl8188eu/include/hal_intf.h ++++ b/drivers/staging/rtl8188eu/include/hal_intf.h +@@ -271,7 +271,7 @@ struct hal_ops { + s32 (*c2h_handler)(struct adapter *padapter, + struct c2h_evt_hdr *c2h_evt); + c2h_id_filter c2h_id_filter_ccx; +-}; ++} __no_const; + + enum rt_eeprom_type { + EEPROM_93C46, +diff --git a/drivers/staging/rtl8188eu/include/rtw_io.h b/drivers/staging/rtl8188eu/include/rtw_io.h +index 3d1dfcc..ff5620a 100644 +--- a/drivers/staging/rtl8188eu/include/rtw_io.h ++++ b/drivers/staging/rtl8188eu/include/rtw_io.h +@@ -126,7 +126,7 @@ struct _io_ops { + u32 (*_write_scsi)(struct intf_hdl *pintfhdl, u32 cnt, u8 *pmem); + void (*_read_port_cancel)(struct intf_hdl *pintfhdl); + void (*_write_port_cancel)(struct intf_hdl *pintfhdl); +-}; ++} __no_const; + + struct io_req { + struct list_head list; +diff --git a/drivers/staging/rtl8712/rtl871x_io.h b/drivers/staging/rtl8712/rtl871x_io.h +index dc23395..cf7e9b1 100644 +--- a/drivers/staging/rtl8712/rtl871x_io.h ++++ b/drivers/staging/rtl8712/rtl871x_io.h +@@ -108,7 +108,7 @@ struct _io_ops { + u8 *pmem); + u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt, + u8 *pmem); +-}; ++} __no_const; + + struct io_req { + struct list_head list; +diff --git a/drivers/staging/sbe-2t3e3/netdev.c b/drivers/staging/sbe-2t3e3/netdev.c +index 1f5088b..0e59820 100644 +--- a/drivers/staging/sbe-2t3e3/netdev.c ++++ b/drivers/staging/sbe-2t3e3/netdev.c +@@ -51,7 +51,7 @@ static int t3e3_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + t3e3_if_config(sc, cmd_2t3e3, (char *)¶m, &resp, &rlen); + + if (rlen) +- if (copy_to_user(data, &resp, rlen)) ++ if (rlen > sizeof resp || copy_to_user(data, &resp, rlen)) + return -EFAULT; + + return 0; +diff --git a/drivers/staging/usbip/vhci.h b/drivers/staging/usbip/vhci.h +index a863a98..d272795 100644 +--- a/drivers/staging/usbip/vhci.h ++++ b/drivers/staging/usbip/vhci.h +@@ -83,7 +83,7 @@ struct vhci_hcd { + unsigned resuming:1; + unsigned long re_timeout; + +- atomic_t seqnum; ++ atomic_unchecked_t seqnum; + + /* + * NOTE: +diff --git a/drivers/staging/usbip/vhci_hcd.c b/drivers/staging/usbip/vhci_hcd.c +index 72391ef..7c6717a 100644 +--- a/drivers/staging/usbip/vhci_hcd.c ++++ b/drivers/staging/usbip/vhci_hcd.c +@@ -440,7 +440,7 @@ static void vhci_tx_urb(struct urb *urb) + + spin_lock(&vdev->priv_lock); + +- priv->seqnum = atomic_inc_return(&the_controller->seqnum); ++ priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum); + if (priv->seqnum == 0xffff) + dev_info(&urb->dev->dev, "seqnum max\n"); + +@@ -686,7 +686,7 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + return -ENOMEM; + } + +- unlink->seqnum = atomic_inc_return(&the_controller->seqnum); ++ unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum); + if (unlink->seqnum == 0xffff) + pr_info("seqnum max\n"); + +@@ -890,7 +890,7 @@ static int vhci_start(struct usb_hcd *hcd) + vdev->rhport = rhport; + } + +- atomic_set(&vhci->seqnum, 0); ++ atomic_set_unchecked(&vhci->seqnum, 0); + spin_lock_init(&vhci->lock); + + hcd->power_budget = 0; /* no limit */ +diff --git a/drivers/staging/usbip/vhci_rx.c b/drivers/staging/usbip/vhci_rx.c +index d07fcb5..358e1e1 100644 +--- a/drivers/staging/usbip/vhci_rx.c ++++ b/drivers/staging/usbip/vhci_rx.c +@@ -80,7 +80,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, + if (!urb) { + pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum); + pr_info("max seqnum %d\n", +- atomic_read(&the_controller->seqnum)); ++ atomic_read_unchecked(&the_controller->seqnum)); + usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); + return; + } +diff --git a/drivers/staging/vt6655/hostap.c b/drivers/staging/vt6655/hostap.c +index 6eecd53..29317c6 100644 +--- a/drivers/staging/vt6655/hostap.c ++++ b/drivers/staging/vt6655/hostap.c +@@ -69,14 +69,13 @@ static int msglevel = MSG_LEVEL_INFO; + * + */ + ++static net_device_ops_no_const apdev_netdev_ops; ++ + static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked) + { + PSDevice apdev_priv; + struct net_device *dev = pDevice->dev; + int ret; +- const struct net_device_ops apdev_netdev_ops = { +- .ndo_start_xmit = pDevice->tx_80211, +- }; + + DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name); + +@@ -88,6 +87,8 @@ static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked) + *apdev_priv = *pDevice; + eth_hw_addr_inherit(pDevice->apdev, dev); + ++ /* only half broken now */ ++ apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211; + pDevice->apdev->netdev_ops = &apdev_netdev_ops; + + pDevice->apdev->type = ARPHRD_IEEE80211; +diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c +index 67ba48b..24e602f 100644 +--- a/drivers/staging/vt6656/hostap.c ++++ b/drivers/staging/vt6656/hostap.c +@@ -60,14 +60,13 @@ static int msglevel =MSG_LEVEL_INFO; + * + */ + ++static net_device_ops_no_const apdev_netdev_ops; ++ + static int hostap_enable_hostapd(struct vnt_private *pDevice, int rtnl_locked) + { + struct vnt_private *apdev_priv; + struct net_device *dev = pDevice->dev; + int ret; +- const struct net_device_ops apdev_netdev_ops = { +- .ndo_start_xmit = pDevice->tx_80211, +- }; + + DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name); + +@@ -79,6 +78,8 @@ static int hostap_enable_hostapd(struct vnt_private *pDevice, int rtnl_locked) + *apdev_priv = *pDevice; + memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN); + ++ /* only half broken now */ ++ apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211; + pDevice->apdev->netdev_ops = &apdev_netdev_ops; + + pDevice->apdev->type = ARPHRD_IEEE80211; +diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c +index 24884ca..26c8220 100644 +--- a/drivers/target/sbp/sbp_target.c ++++ b/drivers/target/sbp/sbp_target.c +@@ -62,7 +62,7 @@ static const u32 sbp_unit_directory_template[] = { + + #define SESSION_MAINTENANCE_INTERVAL HZ + +-static atomic_t login_id = ATOMIC_INIT(0); ++static atomic_unchecked_t login_id = ATOMIC_INIT(0); + + static void session_maintenance_work(struct work_struct *); + static int sbp_run_transaction(struct fw_card *, int, int, int, int, +@@ -444,7 +444,7 @@ static void sbp_management_request_login( + login->lun = se_lun; + login->status_fifo_addr = sbp2_pointer_to_addr(&req->orb.status_fifo); + login->exclusive = LOGIN_ORB_EXCLUSIVE(be32_to_cpu(req->orb.misc)); +- login->login_id = atomic_inc_return(&login_id); ++ login->login_id = atomic_inc_return_unchecked(&login_id); + + login->tgt_agt = sbp_target_agent_register(login); + if (IS_ERR(login->tgt_agt)) { +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 65001e1..2ebfbb9 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1520,7 +1520,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) + spin_lock_init(&dev->se_tmr_lock); + spin_lock_init(&dev->qf_cmd_lock); + sema_init(&dev->caw_sem, 1); +- atomic_set(&dev->dev_ordered_id, 0); ++ atomic_set_unchecked(&dev->dev_ordered_id, 0); + INIT_LIST_HEAD(&dev->t10_wwn.t10_vpd_list); + spin_lock_init(&dev->t10_wwn.t10_vpd_lock); + INIT_LIST_HEAD(&dev->t10_pr.registration_list); +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 2956250..b10f722 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1136,7 +1136,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd) + * Used to determine when ORDERED commands should go from + * Dormant to Active status. + */ +- cmd->se_ordered_id = atomic_inc_return(&dev->dev_ordered_id); ++ cmd->se_ordered_id = atomic_inc_return_unchecked(&dev->dev_ordered_id); + smp_mb__after_atomic_inc(); + pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n", + cmd->se_ordered_id, cmd->sam_task_attr, +diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c +index a57bb5a..1f727d33 100644 +--- a/drivers/tty/cyclades.c ++++ b/drivers/tty/cyclades.c +@@ -1570,10 +1570,10 @@ static int cy_open(struct tty_struct *tty, struct file *filp) + printk(KERN_DEBUG "cyc:cy_open ttyC%d, count = %d\n", info->line, + info->port.count); + #endif +- info->port.count++; ++ atomic_inc(&info->port.count); + #ifdef CY_DEBUG_COUNT + printk(KERN_DEBUG "cyc:cy_open (%d): incrementing count to %d\n", +- current->pid, info->port.count); ++ current->pid, atomic_read(&info->port.count)); + #endif + + /* +@@ -3974,7 +3974,7 @@ static int cyclades_proc_show(struct seq_file *m, void *v) + for (j = 0; j < cy_card[i].nports; j++) { + info = &cy_card[i].ports[j]; + +- if (info->port.count) { ++ if (atomic_read(&info->port.count)) { + /* XXX is the ldisc num worth this? */ + struct tty_struct *tty; + struct tty_ldisc *ld; +diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c +index 50b4688..e1e8125 100644 +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -338,7 +338,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) + + spin_lock_irqsave(&hp->port.lock, flags); + /* Check and then increment for fast path open. */ +- if (hp->port.count++ > 0) { ++ if (atomic_inc_return(&hp->port.count) > 1) { + spin_unlock_irqrestore(&hp->port.lock, flags); + hvc_kick(); + return 0; +@@ -393,7 +393,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) + + spin_lock_irqsave(&hp->port.lock, flags); + +- if (--hp->port.count == 0) { ++ if (atomic_dec_return(&hp->port.count) == 0) { + spin_unlock_irqrestore(&hp->port.lock, flags); + /* We are done with the tty pointer now. */ + tty_port_tty_set(&hp->port, NULL); +@@ -415,9 +415,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) + */ + tty_wait_until_sent_from_close(tty, HVC_CLOSE_WAIT); + } else { +- if (hp->port.count < 0) ++ if (atomic_read(&hp->port.count) < 0) + printk(KERN_ERR "hvc_close %X: oops, count is %d\n", +- hp->vtermno, hp->port.count); ++ hp->vtermno, atomic_read(&hp->port.count)); + spin_unlock_irqrestore(&hp->port.lock, flags); + } + } +@@ -447,12 +447,12 @@ static void hvc_hangup(struct tty_struct *tty) + * open->hangup case this can be called after the final close so prevent + * that from happening for now. + */ +- if (hp->port.count <= 0) { ++ if (atomic_read(&hp->port.count) <= 0) { + spin_unlock_irqrestore(&hp->port.lock, flags); + return; + } + +- hp->port.count = 0; ++ atomic_set(&hp->port.count, 0); + spin_unlock_irqrestore(&hp->port.lock, flags); + tty_port_tty_set(&hp->port, NULL); + +@@ -500,7 +500,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count + return -EPIPE; + + /* FIXME what's this (unprotected) check for? */ +- if (hp->port.count <= 0) ++ if (atomic_read(&hp->port.count) <= 0) + return -EIO; + + spin_lock_irqsave(&hp->lock, flags); +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index 81e939e..95ead10 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -83,6 +83,7 @@ + #include + #include + #include ++#include + + /* + * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00). +@@ -416,7 +417,7 @@ static ssize_t hvcs_vterm_state_store(struct device *dev, struct device_attribut + + spin_lock_irqsave(&hvcsd->lock, flags); + +- if (hvcsd->port.count > 0) { ++ if (atomic_read(&hvcsd->port.count) > 0) { + spin_unlock_irqrestore(&hvcsd->lock, flags); + printk(KERN_INFO "HVCS: vterm state unchanged. " + "The hvcs device node is still in use.\n"); +@@ -1127,7 +1128,7 @@ static int hvcs_install(struct tty_driver *driver, struct tty_struct *tty) + } + } + +- hvcsd->port.count = 0; ++ atomic_set(&hvcsd->port.count, 0); + hvcsd->port.tty = tty; + tty->driver_data = hvcsd; + +@@ -1180,7 +1181,7 @@ static int hvcs_open(struct tty_struct *tty, struct file *filp) + unsigned long flags; + + spin_lock_irqsave(&hvcsd->lock, flags); +- hvcsd->port.count++; ++ atomic_inc(&hvcsd->port.count); + hvcsd->todo_mask |= HVCS_SCHED_READ; + spin_unlock_irqrestore(&hvcsd->lock, flags); + +@@ -1216,7 +1217,7 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp) + hvcsd = tty->driver_data; + + spin_lock_irqsave(&hvcsd->lock, flags); +- if (--hvcsd->port.count == 0) { ++ if (atomic_dec_and_test(&hvcsd->port.count)) { + + vio_disable_interrupts(hvcsd->vdev); + +@@ -1241,10 +1242,10 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp) + + free_irq(irq, hvcsd); + return; +- } else if (hvcsd->port.count < 0) { ++ } else if (atomic_read(&hvcsd->port.count) < 0) { + printk(KERN_ERR "HVCS: vty-server@%X open_count: %d" + " is missmanaged.\n", +- hvcsd->vdev->unit_address, hvcsd->port.count); ++ hvcsd->vdev->unit_address, atomic_read(&hvcsd->port.count)); + } + + spin_unlock_irqrestore(&hvcsd->lock, flags); +@@ -1266,7 +1267,7 @@ static void hvcs_hangup(struct tty_struct * tty) + + spin_lock_irqsave(&hvcsd->lock, flags); + /* Preserve this so that we know how many kref refs to put */ +- temp_open_count = hvcsd->port.count; ++ temp_open_count = atomic_read(&hvcsd->port.count); + + /* + * Don't kref put inside the spinlock because the destruction +@@ -1281,7 +1282,7 @@ static void hvcs_hangup(struct tty_struct * tty) + tty->driver_data = NULL; + hvcsd->port.tty = NULL; + +- hvcsd->port.count = 0; ++ atomic_set(&hvcsd->port.count, 0); + + /* This will drop any buffered data on the floor which is OK in a hangup + * scenario. */ +@@ -1352,7 +1353,7 @@ static int hvcs_write(struct tty_struct *tty, + * the middle of a write operation? This is a crummy place to do this + * but we want to keep it all in the spinlock. + */ +- if (hvcsd->port.count <= 0) { ++ if (atomic_read(&hvcsd->port.count) <= 0) { + spin_unlock_irqrestore(&hvcsd->lock, flags); + return -ENODEV; + } +@@ -1426,7 +1427,7 @@ static int hvcs_write_room(struct tty_struct *tty) + { + struct hvcs_struct *hvcsd = tty->driver_data; + +- if (!hvcsd || hvcsd->port.count <= 0) ++ if (!hvcsd || atomic_read(&hvcsd->port.count) <= 0) + return 0; + + return HVCS_BUFF_LEN - hvcsd->chars_in_buffer; +diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c +index 4190199..06d5bfa 100644 +--- a/drivers/tty/hvc/hvsi.c ++++ b/drivers/tty/hvc/hvsi.c +@@ -85,7 +85,7 @@ struct hvsi_struct { + int n_outbuf; + uint32_t vtermno; + uint32_t virq; +- atomic_t seqno; /* HVSI packet sequence number */ ++ atomic_unchecked_t seqno; /* HVSI packet sequence number */ + uint16_t mctrl; + uint8_t state; /* HVSI protocol state */ + uint8_t flags; +@@ -295,7 +295,7 @@ static int hvsi_version_respond(struct hvsi_struct *hp, uint16_t query_seqno) + + packet.hdr.type = VS_QUERY_RESPONSE_PACKET_HEADER; + packet.hdr.len = sizeof(struct hvsi_query_response); +- packet.hdr.seqno = atomic_inc_return(&hp->seqno); ++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno); + packet.verb = VSV_SEND_VERSION_NUMBER; + packet.u.version = HVSI_VERSION; + packet.query_seqno = query_seqno+1; +@@ -555,7 +555,7 @@ static int hvsi_query(struct hvsi_struct *hp, uint16_t verb) + + packet.hdr.type = VS_QUERY_PACKET_HEADER; + packet.hdr.len = sizeof(struct hvsi_query); +- packet.hdr.seqno = atomic_inc_return(&hp->seqno); ++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno); + packet.verb = verb; + + pr_debug("%s: sending %i bytes\n", __func__, packet.hdr.len); +@@ -597,7 +597,7 @@ static int hvsi_set_mctrl(struct hvsi_struct *hp, uint16_t mctrl) + int wrote; + + packet.hdr.type = VS_CONTROL_PACKET_HEADER, +- packet.hdr.seqno = atomic_inc_return(&hp->seqno); ++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno); + packet.hdr.len = sizeof(struct hvsi_control); + packet.verb = VSV_SET_MODEM_CTL; + packet.mask = HVSI_TSDTR; +@@ -680,7 +680,7 @@ static int hvsi_put_chars(struct hvsi_struct *hp, const char *buf, int count) + BUG_ON(count > HVSI_MAX_OUTGOING_DATA); + + packet.hdr.type = VS_DATA_PACKET_HEADER; +- packet.hdr.seqno = atomic_inc_return(&hp->seqno); ++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno); + packet.hdr.len = count + sizeof(struct hvsi_header); + memcpy(&packet.data, buf, count); + +@@ -697,7 +697,7 @@ static void hvsi_close_protocol(struct hvsi_struct *hp) + struct hvsi_control packet __ALIGNED__; + + packet.hdr.type = VS_CONTROL_PACKET_HEADER; +- packet.hdr.seqno = atomic_inc_return(&hp->seqno); ++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno); + packet.hdr.len = 6; + packet.verb = VSV_CLOSE_PROTOCOL; + +@@ -725,7 +725,7 @@ static int hvsi_open(struct tty_struct *tty, struct file *filp) + + tty_port_tty_set(&hp->port, tty); + spin_lock_irqsave(&hp->lock, flags); +- hp->port.count++; ++ atomic_inc(&hp->port.count); + atomic_set(&hp->seqno, 0); + h_vio_signal(hp->vtermno, VIO_IRQ_ENABLE); + spin_unlock_irqrestore(&hp->lock, flags); +@@ -782,7 +782,7 @@ static void hvsi_close(struct tty_struct *tty, struct file *filp) + + spin_lock_irqsave(&hp->lock, flags); + +- if (--hp->port.count == 0) { ++ if (atomic_dec_return(&hp->port.count) == 0) { + tty_port_tty_set(&hp->port, NULL); + hp->inbuf_end = hp->inbuf; /* discard remaining partial packets */ + +@@ -815,9 +815,9 @@ static void hvsi_close(struct tty_struct *tty, struct file *filp) + + spin_lock_irqsave(&hp->lock, flags); + } +- } else if (hp->port.count < 0) ++ } else if (atomic_read(&hp->port.count) < 0) + printk(KERN_ERR "hvsi_close %lu: oops, count is %d\n", +- hp - hvsi_ports, hp->port.count); ++ hp - hvsi_ports, atomic_read(&hp->port.count)); + + spin_unlock_irqrestore(&hp->lock, flags); + } +@@ -832,7 +832,7 @@ static void hvsi_hangup(struct tty_struct *tty) + tty_port_tty_set(&hp->port, NULL); + + spin_lock_irqsave(&hp->lock, flags); +- hp->port.count = 0; ++ atomic_set(&hp->port.count, 0); + hp->n_outbuf = 0; + spin_unlock_irqrestore(&hp->lock, flags); + } +diff --git a/drivers/tty/hvc/hvsi_lib.c b/drivers/tty/hvc/hvsi_lib.c +index 7ae6c29..05c6dba 100644 +--- a/drivers/tty/hvc/hvsi_lib.c ++++ b/drivers/tty/hvc/hvsi_lib.c +@@ -8,7 +8,7 @@ + + static int hvsi_send_packet(struct hvsi_priv *pv, struct hvsi_header *packet) + { +- packet->seqno = cpu_to_be16(atomic_inc_return(&pv->seqno)); ++ packet->seqno = cpu_to_be16(atomic_inc_return_unchecked(&pv->seqno)); + + /* Assumes that always succeeds, works in practice */ + return pv->put_chars(pv->termno, (char *)packet, packet->len); +@@ -20,7 +20,7 @@ static void hvsi_start_handshake(struct hvsi_priv *pv) + + /* Reset state */ + pv->established = 0; +- atomic_set(&pv->seqno, 0); ++ atomic_set_unchecked(&pv->seqno, 0); + + pr_devel("HVSI@%x: Handshaking started\n", pv->termno); + +diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c +index ebd5bff..b1acad3 100644 +--- a/drivers/tty/ipwireless/tty.c ++++ b/drivers/tty/ipwireless/tty.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include "tty.h" + #include "network.h" +@@ -98,10 +99,10 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp) + mutex_unlock(&tty->ipw_tty_mutex); + return -ENODEV; + } +- if (tty->port.count == 0) ++ if (atomic_read(&tty->port.count) == 0) + tty->tx_bytes_queued = 0; + +- tty->port.count++; ++ atomic_inc(&tty->port.count); + + tty->port.tty = linux_tty; + linux_tty->driver_data = tty; +@@ -117,9 +118,7 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp) + + static void do_ipw_close(struct ipw_tty *tty) + { +- tty->port.count--; +- +- if (tty->port.count == 0) { ++ if (atomic_dec_return(&tty->port.count) == 0) { + struct tty_struct *linux_tty = tty->port.tty; + + if (linux_tty != NULL) { +@@ -140,7 +139,7 @@ static void ipw_hangup(struct tty_struct *linux_tty) + return; + + mutex_lock(&tty->ipw_tty_mutex); +- if (tty->port.count == 0) { ++ if (atomic_read(&tty->port.count) == 0) { + mutex_unlock(&tty->ipw_tty_mutex); + return; + } +@@ -163,7 +162,7 @@ void ipwireless_tty_received(struct ipw_tty *tty, unsigned char *data, + + mutex_lock(&tty->ipw_tty_mutex); + +- if (!tty->port.count) { ++ if (!atomic_read(&tty->port.count)) { + mutex_unlock(&tty->ipw_tty_mutex); + return; + } +@@ -205,7 +204,7 @@ static int ipw_write(struct tty_struct *linux_tty, + return -ENODEV; + + mutex_lock(&tty->ipw_tty_mutex); +- if (!tty->port.count) { ++ if (!atomic_read(&tty->port.count)) { + mutex_unlock(&tty->ipw_tty_mutex); + return -EINVAL; + } +@@ -245,7 +244,7 @@ static int ipw_write_room(struct tty_struct *linux_tty) + if (!tty) + return -ENODEV; + +- if (!tty->port.count) ++ if (!atomic_read(&tty->port.count)) + return -EINVAL; + + room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued; +@@ -287,7 +286,7 @@ static int ipw_chars_in_buffer(struct tty_struct *linux_tty) + if (!tty) + return 0; + +- if (!tty->port.count) ++ if (!atomic_read(&tty->port.count)) + return 0; + + return tty->tx_bytes_queued; +@@ -368,7 +367,7 @@ static int ipw_tiocmget(struct tty_struct *linux_tty) + if (!tty) + return -ENODEV; + +- if (!tty->port.count) ++ if (!atomic_read(&tty->port.count)) + return -EINVAL; + + return get_control_lines(tty); +@@ -384,7 +383,7 @@ ipw_tiocmset(struct tty_struct *linux_tty, + if (!tty) + return -ENODEV; + +- if (!tty->port.count) ++ if (!atomic_read(&tty->port.count)) + return -EINVAL; + + return set_control_lines(tty, set, clear); +@@ -398,7 +397,7 @@ static int ipw_ioctl(struct tty_struct *linux_tty, + if (!tty) + return -ENODEV; + +- if (!tty->port.count) ++ if (!atomic_read(&tty->port.count)) + return -EINVAL; + + /* FIXME: Exactly how is the tty object locked here .. */ +@@ -554,7 +553,7 @@ void ipwireless_tty_free(struct ipw_tty *tty) + * are gone */ + mutex_lock(&ttyj->ipw_tty_mutex); + } +- while (ttyj->port.count) ++ while (atomic_read(&ttyj->port.count)) + do_ipw_close(ttyj); + ipwireless_disassociate_network_ttys(network, + ttyj->channel_idx); +diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c +index 1deaca4..c8582d4 100644 +--- a/drivers/tty/moxa.c ++++ b/drivers/tty/moxa.c +@@ -1189,7 +1189,7 @@ static int moxa_open(struct tty_struct *tty, struct file *filp) + } + + ch = &brd->ports[port % MAX_PORTS_PER_BOARD]; +- ch->port.count++; ++ atomic_inc(&ch->port.count); + tty->driver_data = ch; + tty_port_tty_set(&ch->port, tty); + mutex_lock(&ch->port.mutex); +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 2ebe47b..3205833 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1644,7 +1644,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr) + spin_lock_init(&dlci->lock); + mutex_init(&dlci->mutex); + dlci->fifo = &dlci->_fifo; +- if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) { ++ if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) { + kfree(dlci); + return NULL; + } +@@ -2954,7 +2954,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp) + struct gsm_dlci *dlci = tty->driver_data; + struct tty_port *port = &dlci->port; + +- port->count++; ++ atomic_inc(&port->count); + tty_port_tty_set(port, tty); + + dlci->modem_rx = 0; +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index d15624c..e512bdb 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -115,7 +115,7 @@ struct n_tty_data { + int minimum_to_wake; + + /* consumer-published */ +- size_t read_tail; ++ size_t read_tail __intentional_overflow(-1); + size_t line_start; + + /* protected by output lock */ +@@ -2515,6 +2515,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) + { + *ops = tty_ldisc_N_TTY; + ops->owner = NULL; +- ops->refcount = ops->flags = 0; ++ atomic_set(&ops->refcount, 0); ++ ops->flags = 0; + } + EXPORT_SYMBOL_GPL(n_tty_inherit_ops); +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index 25c9bc7..24077b7 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -790,8 +790,10 @@ static void __init unix98_pty_init(void) + panic("Couldn't register Unix98 pts driver"); + + /* Now create the /dev/ptmx special device */ ++ pax_open_kernel(); + tty_default_fops(&ptmx_fops); +- ptmx_fops.open = ptmx_open; ++ *(void **)&ptmx_fops.open = ptmx_open; ++ pax_close_kernel(); + + cdev_init(&ptmx_cdev, &ptmx_fops); + if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) || +diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c +index 383c4c7..d408e21 100644 +--- a/drivers/tty/rocket.c ++++ b/drivers/tty/rocket.c +@@ -914,7 +914,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp) + tty->driver_data = info; + tty_port_tty_set(port, tty); + +- if (port->count++ == 0) { ++ if (atomic_inc_return(&port->count) == 1) { + atomic_inc(&rp_num_ports_open); + + #ifdef ROCKET_DEBUG_OPEN +@@ -923,7 +923,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp) + #endif + } + #ifdef ROCKET_DEBUG_OPEN +- printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, info->port.count); ++ printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, atomic-read(&info->port.count)); + #endif + + /* +@@ -1515,7 +1515,7 @@ static void rp_hangup(struct tty_struct *tty) + spin_unlock_irqrestore(&info->port.lock, flags); + return; + } +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + atomic_dec(&rp_num_ports_open); + clear_bit((info->aiop * 8) + info->chan, (void *) &xmit_flags[info->board]); + spin_unlock_irqrestore(&info->port.lock, flags); +diff --git a/drivers/tty/serial/ioc4_serial.c b/drivers/tty/serial/ioc4_serial.c +index 1274499..f541382 100644 +--- a/drivers/tty/serial/ioc4_serial.c ++++ b/drivers/tty/serial/ioc4_serial.c +@@ -437,7 +437,7 @@ struct ioc4_soft { + } is_intr_info[MAX_IOC4_INTR_ENTS]; + + /* Number of entries active in the above array */ +- atomic_t is_num_intrs; ++ atomic_unchecked_t is_num_intrs; + } is_intr_type[IOC4_NUM_INTR_TYPES]; + + /* is_ir_lock must be held while +@@ -974,7 +974,7 @@ intr_connect(struct ioc4_soft *soft, int type, + BUG_ON(!((type == IOC4_SIO_INTR_TYPE) + || (type == IOC4_OTHER_INTR_TYPE))); + +- i = atomic_inc_return(&soft-> is_intr_type[type].is_num_intrs) - 1; ++ i = atomic_inc_return_unchecked(&soft-> is_intr_type[type].is_num_intrs) - 1; + BUG_ON(!(i < MAX_IOC4_INTR_ENTS || (printk("i %d\n", i), 0))); + + /* Save off the lower level interrupt handler */ +@@ -1001,7 +1001,7 @@ static irqreturn_t ioc4_intr(int irq, void *arg) + + soft = arg; + for (intr_type = 0; intr_type < IOC4_NUM_INTR_TYPES; intr_type++) { +- num_intrs = (int)atomic_read( ++ num_intrs = (int)atomic_read_unchecked( + &soft->is_intr_type[intr_type].is_num_intrs); + + this_mir = this_ir = pending_intrs(soft, intr_type); +diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c +index a260cde..6b2b5ce 100644 +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -24,8 +24,9 @@ + #define MAX_CONFIG_LEN 40 + + static struct kgdb_io kgdboc_io_ops; ++static struct kgdb_io kgdboc_io_ops_console; + +-/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */ ++/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */ + static int configured = -1; + + static char config[MAX_CONFIG_LEN]; +@@ -151,6 +152,8 @@ static void cleanup_kgdboc(void) + kgdboc_unregister_kbd(); + if (configured == 1) + kgdb_unregister_io_module(&kgdboc_io_ops); ++ else if (configured == 2) ++ kgdb_unregister_io_module(&kgdboc_io_ops_console); + } + + static int configure_kgdboc(void) +@@ -160,13 +163,13 @@ static int configure_kgdboc(void) + int err; + char *cptr = config; + struct console *cons; ++ int is_console = 0; + + err = kgdboc_option_setup(config); + if (err || !strlen(config) || isspace(config[0])) + goto noconfig; + + err = -ENODEV; +- kgdboc_io_ops.is_console = 0; + kgdb_tty_driver = NULL; + + kgdboc_use_kms = 0; +@@ -187,7 +190,7 @@ static int configure_kgdboc(void) + int idx; + if (cons->device && cons->device(cons, &idx) == p && + idx == tty_line) { +- kgdboc_io_ops.is_console = 1; ++ is_console = 1; + break; + } + cons = cons->next; +@@ -197,7 +200,13 @@ static int configure_kgdboc(void) + kgdb_tty_line = tty_line; + + do_register: +- err = kgdb_register_io_module(&kgdboc_io_ops); ++ if (is_console) { ++ err = kgdb_register_io_module(&kgdboc_io_ops_console); ++ configured = 2; ++ } else { ++ err = kgdb_register_io_module(&kgdboc_io_ops); ++ configured = 1; ++ } + if (err) + goto noconfig; + +@@ -205,8 +214,6 @@ do_register: + if (err) + goto nmi_con_failed; + +- configured = 1; +- + return 0; + + nmi_con_failed: +@@ -223,7 +230,7 @@ noconfig: + static int __init init_kgdboc(void) + { + /* Already configured? */ +- if (configured == 1) ++ if (configured >= 1) + return 0; + + return configure_kgdboc(); +@@ -272,7 +279,7 @@ static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp) + if (config[len - 1] == '\n') + config[len - 1] = '\0'; + +- if (configured == 1) ++ if (configured >= 1) + cleanup_kgdboc(); + + /* Go and configure with the new params. */ +@@ -312,6 +319,15 @@ static struct kgdb_io kgdboc_io_ops = { + .post_exception = kgdboc_post_exp_handler, + }; + ++static struct kgdb_io kgdboc_io_ops_console = { ++ .name = "kgdboc", ++ .read_char = kgdboc_get_char, ++ .write_char = kgdboc_put_char, ++ .pre_exception = kgdboc_pre_exp_handler, ++ .post_exception = kgdboc_post_exp_handler, ++ .is_console = 1 ++}; ++ + #ifdef CONFIG_KGDB_SERIAL_CONSOLE + /* This is only available if kgdboc is a built in for early debugging */ + static int __init kgdboc_early_init(char *opt) +diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c +index b5d779c..3622cfe 100644 +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -897,7 +897,7 @@ static struct uart_driver msm_uart_driver = { + .cons = MSM_CONSOLE, + }; + +-static atomic_t msm_uart_next_id = ATOMIC_INIT(0); ++static atomic_unchecked_t msm_uart_next_id = ATOMIC_INIT(0); + + static const struct of_device_id msm_uartdm_table[] = { + { .compatible = "qcom,msm-uartdm" }, +@@ -912,7 +912,7 @@ static int __init msm_serial_probe(struct platform_device *pdev) + int irq; + + if (pdev->id == -1) +- pdev->id = atomic_inc_return(&msm_uart_next_id) - 1; ++ pdev->id = atomic_inc_return_unchecked(&msm_uart_next_id) - 1; + + if (unlikely(pdev->id < 0 || pdev->id >= UART_NR)) + return -ENXIO; +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 9cd706d..6ff2de7 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -463,11 +463,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port) + } + } + ++static int s3c64xx_serial_startup(struct uart_port *port); + static int s3c24xx_serial_startup(struct uart_port *port) + { + struct s3c24xx_uart_port *ourport = to_ourport(port); + int ret; + ++ /* Startup sequence is different for s3c64xx and higher SoC's */ ++ if (s3c24xx_serial_has_interrupt_mask(port)) ++ return s3c64xx_serial_startup(port); ++ + dbg("s3c24xx_serial_startup: port=%p (%08lx,%p)\n", + port->mapbase, port->membase); + +@@ -1141,10 +1146,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport, + /* setup info for port */ + port->dev = &platdev->dev; + +- /* Startup sequence is different for s3c64xx and higher SoC's */ +- if (s3c24xx_serial_has_interrupt_mask(port)) +- s3c24xx_serial_ops.startup = s3c64xx_serial_startup; +- + port->uartclk = 1; + + if (cfg->uart_flags & UPF_CONS_FLOW) { +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index ece2049..fba2524 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1448,7 +1448,7 @@ static void uart_hangup(struct tty_struct *tty) + uart_flush_buffer(tty); + uart_shutdown(tty, state); + spin_lock_irqsave(&port->lock, flags); +- port->count = 0; ++ atomic_set(&port->count, 0); + clear_bit(ASYNCB_NORMAL_ACTIVE, &port->flags); + spin_unlock_irqrestore(&port->lock, flags); + tty_port_tty_set(port, NULL); +@@ -1544,7 +1544,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp) + goto end; + } + +- port->count++; ++ atomic_inc(&port->count); + if (!state->uart_port || state->uart_port->flags & UPF_DEAD) { + retval = -ENXIO; + goto err_dec_count; +@@ -1572,7 +1572,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp) + /* + * Make sure the device is in D0 state. + */ +- if (port->count == 1) ++ if (atomic_read(&port->count) == 1) + uart_change_pm(state, UART_PM_STATE_ON); + + /* +@@ -1590,7 +1590,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp) + end: + return retval; + err_dec_count: +- port->count--; ++ atomic_inc(&port->count); + mutex_unlock(&port->mutex); + goto end; + } +diff --git a/drivers/tty/synclink.c b/drivers/tty/synclink.c +index 5ae14b4..2c1288f 100644 +--- a/drivers/tty/synclink.c ++++ b/drivers/tty/synclink.c +@@ -3090,7 +3090,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp) + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):mgsl_close(%s) entry, count=%d\n", +- __FILE__,__LINE__, info->device_name, info->port.count); ++ __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count)); + + if (tty_port_close_start(&info->port, tty, filp) == 0) + goto cleanup; +@@ -3108,7 +3108,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp) + cleanup: + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):mgsl_close(%s) exit, count=%d\n", __FILE__,__LINE__, +- tty->driver->name, info->port.count); ++ tty->driver->name, atomic_read(&info->port.count)); + + } /* end of mgsl_close() */ + +@@ -3207,8 +3207,8 @@ static void mgsl_hangup(struct tty_struct *tty) + + mgsl_flush_buffer(tty); + shutdown(info); +- +- info->port.count = 0; ++ ++ atomic_set(&info->port.count, 0); + info->port.flags &= ~ASYNC_NORMAL_ACTIVE; + info->port.tty = NULL; + +@@ -3297,12 +3297,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):block_til_ready before block on %s count=%d\n", +- __FILE__,__LINE__, tty->driver->name, port->count ); ++ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count)); + + spin_lock_irqsave(&info->irq_spinlock, flags); + if (!tty_hung_up_p(filp)) { + extra_count = true; +- port->count--; ++ atomic_dec(&port->count); + } + spin_unlock_irqrestore(&info->irq_spinlock, flags); + port->blocked_open++; +@@ -3331,7 +3331,7 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):block_til_ready blocking on %s count=%d\n", +- __FILE__,__LINE__, tty->driver->name, port->count ); ++ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count)); + + tty_unlock(tty); + schedule(); +@@ -3343,12 +3343,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp, + + /* FIXME: Racy on hangup during close wait */ + if (extra_count) +- port->count++; ++ atomic_inc(&port->count); + port->blocked_open--; + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):block_til_ready after blocking on %s count=%d\n", +- __FILE__,__LINE__, tty->driver->name, port->count ); ++ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count)); + + if (!retval) + port->flags |= ASYNC_NORMAL_ACTIVE; +@@ -3400,7 +3400,7 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp) + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):mgsl_open(%s), old ref count = %d\n", +- __FILE__,__LINE__,tty->driver->name, info->port.count); ++ __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count)); + + /* If port is closing, signal caller to try again */ + if (tty_hung_up_p(filp) || info->port.flags & ASYNC_CLOSING){ +@@ -3419,10 +3419,10 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp) + spin_unlock_irqrestore(&info->netlock, flags); + goto cleanup; + } +- info->port.count++; ++ atomic_inc(&info->port.count); + spin_unlock_irqrestore(&info->netlock, flags); + +- if (info->port.count == 1) { ++ if (atomic_read(&info->port.count) == 1) { + /* 1st open on this device, init hardware */ + retval = startup(info); + if (retval < 0) +@@ -3446,8 +3446,8 @@ cleanup: + if (retval) { + if (tty->count == 1) + info->port.tty = NULL; /* tty layer will release tty struct */ +- if(info->port.count) +- info->port.count--; ++ if (atomic_read(&info->port.count)) ++ atomic_dec(&info->port.count); + } + + return retval; +@@ -7665,7 +7665,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding, + unsigned short new_crctype; + + /* return error if TTY interface open */ +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + return -EBUSY; + + switch (encoding) +@@ -7760,7 +7760,7 @@ static int hdlcdev_open(struct net_device *dev) + + /* arbitrate between network and tty opens */ + spin_lock_irqsave(&info->netlock, flags); +- if (info->port.count != 0 || info->netcount != 0) { ++ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) { + printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name); + spin_unlock_irqrestore(&info->netlock, flags); + return -EBUSY; +@@ -7846,7 +7846,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name); + + /* return error if TTY interface open */ +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + return -EBUSY; + + if (cmd != SIOCWANDEV) +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index c359a91..959fc26 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -670,7 +670,7 @@ static int open(struct tty_struct *tty, struct file *filp) + tty->driver_data = info; + info->port.tty = tty; + +- DBGINFO(("%s open, old ref count = %d\n", info->device_name, info->port.count)); ++ DBGINFO(("%s open, old ref count = %d\n", info->device_name, atomic_read(&info->port.count))); + + /* If port is closing, signal caller to try again */ + if (tty_hung_up_p(filp) || info->port.flags & ASYNC_CLOSING){ +@@ -691,10 +691,10 @@ static int open(struct tty_struct *tty, struct file *filp) + mutex_unlock(&info->port.mutex); + goto cleanup; + } +- info->port.count++; ++ atomic_inc(&info->port.count); + spin_unlock_irqrestore(&info->netlock, flags); + +- if (info->port.count == 1) { ++ if (atomic_read(&info->port.count) == 1) { + /* 1st open on this device, init hardware */ + retval = startup(info); + if (retval < 0) { +@@ -715,8 +715,8 @@ cleanup: + if (retval) { + if (tty->count == 1) + info->port.tty = NULL; /* tty layer will release tty struct */ +- if(info->port.count) +- info->port.count--; ++ if(atomic_read(&info->port.count)) ++ atomic_dec(&info->port.count); + } + + DBGINFO(("%s open rc=%d\n", info->device_name, retval)); +@@ -729,7 +729,7 @@ static void close(struct tty_struct *tty, struct file *filp) + + if (sanity_check(info, tty->name, "close")) + return; +- DBGINFO(("%s close entry, count=%d\n", info->device_name, info->port.count)); ++ DBGINFO(("%s close entry, count=%d\n", info->device_name, atomic_read(&info->port.count))); + + if (tty_port_close_start(&info->port, tty, filp) == 0) + goto cleanup; +@@ -746,7 +746,7 @@ static void close(struct tty_struct *tty, struct file *filp) + tty_port_close_end(&info->port, tty); + info->port.tty = NULL; + cleanup: +- DBGINFO(("%s close exit, count=%d\n", tty->driver->name, info->port.count)); ++ DBGINFO(("%s close exit, count=%d\n", tty->driver->name, atomic_read(&info->port.count))); + } + + static void hangup(struct tty_struct *tty) +@@ -764,7 +764,7 @@ static void hangup(struct tty_struct *tty) + shutdown(info); + + spin_lock_irqsave(&info->port.lock, flags); +- info->port.count = 0; ++ atomic_set(&info->port.count, 0); + info->port.flags &= ~ASYNC_NORMAL_ACTIVE; + info->port.tty = NULL; + spin_unlock_irqrestore(&info->port.lock, flags); +@@ -1449,7 +1449,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding, + unsigned short new_crctype; + + /* return error if TTY interface open */ +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + return -EBUSY; + + DBGINFO(("%s hdlcdev_attach\n", info->device_name)); +@@ -1544,7 +1544,7 @@ static int hdlcdev_open(struct net_device *dev) + + /* arbitrate between network and tty opens */ + spin_lock_irqsave(&info->netlock, flags); +- if (info->port.count != 0 || info->netcount != 0) { ++ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) { + DBGINFO(("%s hdlc_open busy\n", dev->name)); + spin_unlock_irqrestore(&info->netlock, flags); + return -EBUSY; +@@ -1629,7 +1629,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + DBGINFO(("%s hdlcdev_ioctl\n", dev->name)); + + /* return error if TTY interface open */ +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + return -EBUSY; + + if (cmd != SIOCWANDEV) +@@ -2413,7 +2413,7 @@ static irqreturn_t slgt_interrupt(int dummy, void *dev_id) + if (port == NULL) + continue; + spin_lock(&port->lock); +- if ((port->port.count || port->netcount) && ++ if ((atomic_read(&port->port.count) || port->netcount) && + port->pending_bh && !port->bh_running && + !port->bh_requested) { + DBGISR(("%s bh queued\n", port->device_name)); +@@ -3302,7 +3302,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp, + spin_lock_irqsave(&info->lock, flags); + if (!tty_hung_up_p(filp)) { + extra_count = true; +- port->count--; ++ atomic_dec(&port->count); + } + spin_unlock_irqrestore(&info->lock, flags); + port->blocked_open++; +@@ -3339,7 +3339,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp, + remove_wait_queue(&port->open_wait, &wait); + + if (extra_count) +- port->count++; ++ atomic_inc(&port->count); + port->blocked_open--; + + if (!retval) +diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c +index 144202e..4ccb07d 100644 +--- a/drivers/tty/synclinkmp.c ++++ b/drivers/tty/synclinkmp.c +@@ -750,7 +750,7 @@ static int open(struct tty_struct *tty, struct file *filp) + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):%s open(), old ref count = %d\n", +- __FILE__,__LINE__,tty->driver->name, info->port.count); ++ __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count)); + + /* If port is closing, signal caller to try again */ + if (tty_hung_up_p(filp) || info->port.flags & ASYNC_CLOSING){ +@@ -769,10 +769,10 @@ static int open(struct tty_struct *tty, struct file *filp) + spin_unlock_irqrestore(&info->netlock, flags); + goto cleanup; + } +- info->port.count++; ++ atomic_inc(&info->port.count); + spin_unlock_irqrestore(&info->netlock, flags); + +- if (info->port.count == 1) { ++ if (atomic_read(&info->port.count) == 1) { + /* 1st open on this device, init hardware */ + retval = startup(info); + if (retval < 0) +@@ -796,8 +796,8 @@ cleanup: + if (retval) { + if (tty->count == 1) + info->port.tty = NULL; /* tty layer will release tty struct */ +- if(info->port.count) +- info->port.count--; ++ if(atomic_read(&info->port.count)) ++ atomic_dec(&info->port.count); + } + + return retval; +@@ -815,7 +815,7 @@ static void close(struct tty_struct *tty, struct file *filp) + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):%s close() entry, count=%d\n", +- __FILE__,__LINE__, info->device_name, info->port.count); ++ __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count)); + + if (tty_port_close_start(&info->port, tty, filp) == 0) + goto cleanup; +@@ -834,7 +834,7 @@ static void close(struct tty_struct *tty, struct file *filp) + cleanup: + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):%s close() exit, count=%d\n", __FILE__,__LINE__, +- tty->driver->name, info->port.count); ++ tty->driver->name, atomic_read(&info->port.count)); + } + + /* Called by tty_hangup() when a hangup is signaled. +@@ -857,7 +857,7 @@ static void hangup(struct tty_struct *tty) + shutdown(info); + + spin_lock_irqsave(&info->port.lock, flags); +- info->port.count = 0; ++ atomic_set(&info->port.count, 0); + info->port.flags &= ~ASYNC_NORMAL_ACTIVE; + info->port.tty = NULL; + spin_unlock_irqrestore(&info->port.lock, flags); +@@ -1565,7 +1565,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding, + unsigned short new_crctype; + + /* return error if TTY interface open */ +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + return -EBUSY; + + switch (encoding) +@@ -1660,7 +1660,7 @@ static int hdlcdev_open(struct net_device *dev) + + /* arbitrate between network and tty opens */ + spin_lock_irqsave(&info->netlock, flags); +- if (info->port.count != 0 || info->netcount != 0) { ++ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) { + printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name); + spin_unlock_irqrestore(&info->netlock, flags); + return -EBUSY; +@@ -1746,7 +1746,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name); + + /* return error if TTY interface open */ +- if (info->port.count) ++ if (atomic_read(&info->port.count)) + return -EBUSY; + + if (cmd != SIOCWANDEV) +@@ -2620,7 +2620,7 @@ static irqreturn_t synclinkmp_interrupt(int dummy, void *dev_id) + * do not request bottom half processing if the + * device is not open in a normal mode. + */ +- if ( port && (port->port.count || port->netcount) && ++ if ( port && (atomic_read(&port->port.count) || port->netcount) && + port->pending_bh && !port->bh_running && + !port->bh_requested ) { + if ( debug_level >= DEBUG_LEVEL_ISR ) +@@ -3318,12 +3318,12 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp, + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):%s block_til_ready() before block, count=%d\n", +- __FILE__,__LINE__, tty->driver->name, port->count ); ++ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count)); + + spin_lock_irqsave(&info->lock, flags); + if (!tty_hung_up_p(filp)) { + extra_count = true; +- port->count--; ++ atomic_dec(&port->count); + } + spin_unlock_irqrestore(&info->lock, flags); + port->blocked_open++; +@@ -3352,7 +3352,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp, + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):%s block_til_ready() count=%d\n", +- __FILE__,__LINE__, tty->driver->name, port->count ); ++ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count)); + + tty_unlock(tty); + schedule(); +@@ -3363,12 +3363,12 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp, + remove_wait_queue(&port->open_wait, &wait); + + if (extra_count) +- port->count++; ++ atomic_inc(&port->count); + port->blocked_open--; + + if (debug_level >= DEBUG_LEVEL_INFO) + printk("%s(%d):%s block_til_ready() after, count=%d\n", +- __FILE__,__LINE__, tty->driver->name, port->count ); ++ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count)); + + if (!retval) + port->flags |= ASYNC_NORMAL_ACTIVE; +diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c +index ce396ec..04a37be 100644 +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -1075,7 +1075,7 @@ EXPORT_SYMBOL(unregister_sysrq_key); + static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) + { +- if (count) { ++ if (count && capable(CAP_SYS_ADMIN)) { + char c; + + if (get_user(c, buf)) +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index c74a00a..02cf211a 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -3474,7 +3474,7 @@ EXPORT_SYMBOL_GPL(get_current_tty); + + void tty_default_fops(struct file_operations *fops) + { +- *fops = tty_fops; ++ memcpy((void *)fops, &tty_fops, sizeof(tty_fops)); + } + + /* +diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c +index 2d822aa..a566234 100644 +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -71,7 +71,7 @@ int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc) + raw_spin_lock_irqsave(&tty_ldiscs_lock, flags); + tty_ldiscs[disc] = new_ldisc; + new_ldisc->num = disc; +- new_ldisc->refcount = 0; ++ atomic_set(&new_ldisc->refcount, 0); + raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags); + + return ret; +@@ -99,7 +99,7 @@ int tty_unregister_ldisc(int disc) + return -EINVAL; + + raw_spin_lock_irqsave(&tty_ldiscs_lock, flags); +- if (tty_ldiscs[disc]->refcount) ++ if (atomic_read(&tty_ldiscs[disc]->refcount)) + ret = -EBUSY; + else + tty_ldiscs[disc] = NULL; +@@ -120,7 +120,7 @@ static struct tty_ldisc_ops *get_ldops(int disc) + if (ldops) { + ret = ERR_PTR(-EAGAIN); + if (try_module_get(ldops->owner)) { +- ldops->refcount++; ++ atomic_inc(&ldops->refcount); + ret = ldops; + } + } +@@ -133,7 +133,7 @@ static void put_ldops(struct tty_ldisc_ops *ldops) + unsigned long flags; + + raw_spin_lock_irqsave(&tty_ldiscs_lock, flags); +- ldops->refcount--; ++ atomic_dec(&ldops->refcount); + module_put(ldops->owner); + raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags); + } +diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c +index 3f746c8..2f2fcaa 100644 +--- a/drivers/tty/tty_port.c ++++ b/drivers/tty/tty_port.c +@@ -235,7 +235,7 @@ void tty_port_hangup(struct tty_port *port) + unsigned long flags; + + spin_lock_irqsave(&port->lock, flags); +- port->count = 0; ++ atomic_set(&port->count, 0); + port->flags &= ~ASYNC_NORMAL_ACTIVE; + tty = port->tty; + if (tty) +@@ -393,7 +393,7 @@ int tty_port_block_til_ready(struct tty_port *port, + /* The port lock protects the port counts */ + spin_lock_irqsave(&port->lock, flags); + if (!tty_hung_up_p(filp)) +- port->count--; ++ atomic_dec(&port->count); + port->blocked_open++; + spin_unlock_irqrestore(&port->lock, flags); + +@@ -435,7 +435,7 @@ int tty_port_block_til_ready(struct tty_port *port, + we must not mess that up further */ + spin_lock_irqsave(&port->lock, flags); + if (!tty_hung_up_p(filp)) +- port->count++; ++ atomic_inc(&port->count); + port->blocked_open--; + if (retval == 0) + port->flags |= ASYNC_NORMAL_ACTIVE; +@@ -469,19 +469,19 @@ int tty_port_close_start(struct tty_port *port, + return 0; + } + +- if (tty->count == 1 && port->count != 1) { ++ if (tty->count == 1 && atomic_read(&port->count) != 1) { + printk(KERN_WARNING + "tty_port_close_start: tty->count = 1 port count = %d.\n", +- port->count); +- port->count = 1; ++ atomic_read(&port->count)); ++ atomic_set(&port->count, 1); + } +- if (--port->count < 0) { ++ if (atomic_dec_return(&port->count) < 0) { + printk(KERN_WARNING "tty_port_close_start: count = %d\n", +- port->count); +- port->count = 0; ++ atomic_read(&port->count)); ++ atomic_set(&port->count, 0); + } + +- if (port->count) { ++ if (atomic_read(&port->count)) { + spin_unlock_irqrestore(&port->lock, flags); + return 0; + } +@@ -563,7 +563,7 @@ int tty_port_open(struct tty_port *port, struct tty_struct *tty, + { + spin_lock_irq(&port->lock); + if (!tty_hung_up_p(filp)) +- ++port->count; ++ atomic_inc(&port->count); + spin_unlock_irq(&port->lock); + tty_port_tty_set(port, tty); + +diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c +index d0e3a44..5f8b754 100644 +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -641,6 +641,16 @@ static void k_spec(struct vc_data *vc, unsigned char value, char up_flag) + kbd->kbdmode == VC_OFF) && + value != KVAL(K_SAK)) + return; /* SAK is allowed even in raw mode */ ++ ++#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP) ++ { ++ void *func = fn_handler[value]; ++ if (func == fn_show_state || func == fn_show_ptregs || ++ func == fn_show_mem) ++ return; ++ } ++#endif ++ + fn_handler[value](vc); + } + +@@ -1776,9 +1786,6 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm, + if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry))) + return -EFAULT; + +- if (!capable(CAP_SYS_TTY_CONFIG)) +- perm = 0; +- + switch (cmd) { + case KDGKBENT: + /* Ensure another thread doesn't free it under us */ +@@ -1793,6 +1800,9 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm, + spin_unlock_irqrestore(&kbd_event_lock, flags); + return put_user(val, &user_kbe->kb_value); + case KDSKBENT: ++ if (!capable(CAP_SYS_TTY_CONFIG)) ++ perm = 0; ++ + if (!perm) + return -EPERM; + if (!i && v == K_NOSUCHMAP) { +@@ -1883,9 +1893,6 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + int i, j, k; + int ret; + +- if (!capable(CAP_SYS_TTY_CONFIG)) +- perm = 0; +- + kbs = kmalloc(sizeof(*kbs), GFP_KERNEL); + if (!kbs) { + ret = -ENOMEM; +@@ -1919,6 +1926,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + kfree(kbs); + return ((p && *p) ? -EOVERFLOW : 0); + case KDSKBSENT: ++ if (!capable(CAP_SYS_TTY_CONFIG)) ++ perm = 0; ++ + if (!perm) { + ret = -EPERM; + goto reterr; +diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c +index a673e5b..36e5d32 100644 +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #define UIO_MAX_DEVICES (1U << MINORBITS) + +@@ -32,7 +33,7 @@ struct uio_device { + struct module *owner; + struct device *dev; + int minor; +- atomic_t event; ++ atomic_unchecked_t event; + struct fasync_struct *async_queue; + wait_queue_head_t wait; + struct uio_info *info; +@@ -243,7 +244,7 @@ static ssize_t event_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct uio_device *idev = dev_get_drvdata(dev); +- return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event)); ++ return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event)); + } + static DEVICE_ATTR_RO(event); + +@@ -405,7 +406,7 @@ void uio_event_notify(struct uio_info *info) + { + struct uio_device *idev = info->uio_dev; + +- atomic_inc(&idev->event); ++ atomic_inc_unchecked(&idev->event); + wake_up_interruptible(&idev->wait); + kill_fasync(&idev->async_queue, SIGIO, POLL_IN); + } +@@ -458,7 +459,7 @@ static int uio_open(struct inode *inode, struct file *filep) + } + + listener->dev = idev; +- listener->event_count = atomic_read(&idev->event); ++ listener->event_count = atomic_read_unchecked(&idev->event); + filep->private_data = listener; + + if (idev->info->open) { +@@ -509,7 +510,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait) + return -EIO; + + poll_wait(filep, &idev->wait, wait); +- if (listener->event_count != atomic_read(&idev->event)) ++ if (listener->event_count != atomic_read_unchecked(&idev->event)) + return POLLIN | POLLRDNORM; + return 0; + } +@@ -534,7 +535,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf, + do { + set_current_state(TASK_INTERRUPTIBLE); + +- event_count = atomic_read(&idev->event); ++ event_count = atomic_read_unchecked(&idev->event); + if (event_count != listener->event_count) { + if (copy_to_user(buf, &event_count, count)) + retval = -EFAULT; +@@ -591,9 +592,13 @@ static ssize_t uio_write(struct file *filep, const char __user *buf, + static int uio_find_mem_index(struct vm_area_struct *vma) + { + struct uio_device *idev = vma->vm_private_data; ++ unsigned long size; + + if (vma->vm_pgoff < MAX_UIO_MAPS) { +- if (idev->info->mem[vma->vm_pgoff].size == 0) ++ size = idev->info->mem[vma->vm_pgoff].size; ++ if (size == 0) ++ return -1; ++ if (vma->vm_end - vma->vm_start > size) + return -1; + return (int)vma->vm_pgoff; + } +@@ -825,7 +830,7 @@ int __uio_register_device(struct module *owner, + idev->owner = owner; + idev->info = info; + init_waitqueue_head(&idev->wait); +- atomic_set(&idev->event, 0); ++ atomic_set_unchecked(&idev->event, 0); + + ret = uio_get_minor(idev); + if (ret) +diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c +index 813d4d3..a71934f 100644 +--- a/drivers/usb/atm/cxacru.c ++++ b/drivers/usb/atm/cxacru.c +@@ -472,7 +472,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev, + ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp); + if (ret < 2) + return -EINVAL; +- if (index < 0 || index > 0x7f) ++ if (index > 0x7f) + return -EINVAL; + pos += tmp; + +diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c +index dada014..1d0d517 100644 +--- a/drivers/usb/atm/usbatm.c ++++ b/drivers/usb/atm/usbatm.c +@@ -331,7 +331,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char + if (printk_ratelimit()) + atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n", + __func__, vpi, vci); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + return; + } + +@@ -358,7 +358,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char + if (length > ATM_MAX_AAL5_PDU) { + atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n", + __func__, length, vcc); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + goto out; + } + +@@ -367,14 +367,14 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char + if (sarb->len < pdu_length) { + atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n", + __func__, pdu_length, sarb->len, vcc); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + goto out; + } + + if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) { + atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n", + __func__, vcc); +- atomic_inc(&vcc->stats->rx_err); ++ atomic_inc_unchecked(&vcc->stats->rx_err); + goto out; + } + +@@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char + if (printk_ratelimit()) + atm_err(instance, "%s: no memory for skb (length: %u)!\n", + __func__, length); +- atomic_inc(&vcc->stats->rx_drop); ++ atomic_inc_unchecked(&vcc->stats->rx_drop); + goto out; + } + +@@ -414,7 +414,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char + + vcc->push(vcc, skb); + +- atomic_inc(&vcc->stats->rx); ++ atomic_inc_unchecked(&vcc->stats->rx); + out: + skb_trim(sarb, 0); + } +@@ -612,7 +612,7 @@ static void usbatm_tx_process(unsigned long data) + struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc; + + usbatm_pop(vcc, skb); +- atomic_inc(&vcc->stats->tx); ++ atomic_inc_unchecked(&vcc->stats->tx); + + skb = skb_dequeue(&instance->sndqueue); + } +@@ -756,11 +756,11 @@ static int usbatm_atm_proc_read(struct atm_dev *atm_dev, loff_t *pos, char *page + if (!left--) + return sprintf(page, + "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n", +- atomic_read(&atm_dev->stats.aal5.tx), +- atomic_read(&atm_dev->stats.aal5.tx_err), +- atomic_read(&atm_dev->stats.aal5.rx), +- atomic_read(&atm_dev->stats.aal5.rx_err), +- atomic_read(&atm_dev->stats.aal5.rx_drop)); ++ atomic_read_unchecked(&atm_dev->stats.aal5.tx), ++ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err), ++ atomic_read_unchecked(&atm_dev->stats.aal5.rx), ++ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err), ++ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop)); + + if (!left--) { + if (instance->disconnected) +diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c +index 2a3bbdf..91d72cf 100644 +--- a/drivers/usb/core/devices.c ++++ b/drivers/usb/core/devices.c +@@ -126,7 +126,7 @@ static const char format_endpt[] = + * time it gets called. + */ + static struct device_connect_event { +- atomic_t count; ++ atomic_unchecked_t count; + wait_queue_head_t wait; + } device_event = { + .count = ATOMIC_INIT(1), +@@ -164,7 +164,7 @@ static const struct class_info clas_info[] = { + + void usbfs_conn_disc_event(void) + { +- atomic_add(2, &device_event.count); ++ atomic_add_unchecked(2, &device_event.count); + wake_up(&device_event.wait); + } + +@@ -652,7 +652,7 @@ static unsigned int usb_device_poll(struct file *file, + + poll_wait(file, &device_event.wait, wait); + +- event_count = atomic_read(&device_event.count); ++ event_count = atomic_read_unchecked(&device_event.count); + if (file->f_version != event_count) { + file->f_version = event_count; + return POLLIN | POLLRDNORM; +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 90e18f6..5eeda46 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, + struct dev_state *ps = file->private_data; + struct usb_device *dev = ps->dev; + ssize_t ret = 0; +- unsigned len; ++ size_t len; + loff_t pos; + int i; + +@@ -229,22 +229,22 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, + for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) { + struct usb_config_descriptor *config = + (struct usb_config_descriptor *)dev->rawdescriptors[i]; +- unsigned int length = le16_to_cpu(config->wTotalLength); ++ size_t length = le16_to_cpu(config->wTotalLength); + + if (*ppos < pos + length) { + + /* The descriptor may claim to be longer than it + * really is. Here is the actual allocated length. */ +- unsigned alloclen = ++ size_t alloclen = + le16_to_cpu(dev->config[i].desc.wTotalLength); + +- len = length - (*ppos - pos); ++ len = length + pos - *ppos; + if (len > nbytes) + len = nbytes; + + /* Simply don't write (skip over) unallocated parts */ + if (alloclen > (*ppos - pos)) { +- alloclen -= (*ppos - pos); ++ alloclen = alloclen + pos - *ppos; + if (copy_to_user(buf, + dev->rawdescriptors[i] + (*ppos - pos), + min(len, alloclen))) { +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 2518c32..1c201bb 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1550,7 +1550,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) + */ + usb_get_urb(urb); + atomic_inc(&urb->use_count); +- atomic_inc(&urb->dev->urbnum); ++ atomic_inc_unchecked(&urb->dev->urbnum); + usbmon_urb_submit(&hcd->self, urb); + + /* NOTE requirements on root-hub callers (usbfs and the hub +@@ -1577,7 +1577,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags) + urb->hcpriv = NULL; + INIT_LIST_HEAD(&urb->urb_list); + atomic_dec(&urb->use_count); +- atomic_dec(&urb->dev->urbnum); ++ atomic_dec_unchecked(&urb->dev->urbnum); + if (atomic_read(&urb->reject)) + wake_up(&usb_kill_urb_queue); + usb_put_urb(urb); +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 64ea219..dbc1780 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -4472,6 +4473,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, + goto done; + return; + } ++ ++ if (gr_handle_new_usb()) ++ goto done; ++ + if (hub_is_superspeed(hub->hdev)) + unit_load = 150; + else +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index f829a1a..e6c334a 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -128,7 +128,7 @@ static int usb_internal_control_msg(struct usb_device *usb_dev, + * Return: If successful, the number of bytes transferred. Otherwise, a negative + * error number. + */ +-int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request, ++int __intentional_overflow(-1) usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request, + __u8 requesttype, __u16 value, __u16 index, void *data, + __u16 size, int timeout) + { +@@ -180,7 +180,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg); + * If successful, 0. Otherwise a negative error number. The number of actual + * bytes transferred will be stored in the @actual_length paramater. + */ +-int usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe, ++int __intentional_overflow(-1) usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe, + void *data, int len, int *actual_length, int timeout) + { + return usb_bulk_msg(usb_dev, pipe, data, len, actual_length, timeout); +@@ -220,7 +220,7 @@ EXPORT_SYMBOL_GPL(usb_interrupt_msg); + * bytes transferred will be stored in the @actual_length parameter. + * + */ +-int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe, ++int __intentional_overflow(-1) usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe, + void *data, int len, int *actual_length, int timeout) + { + struct urb *urb; +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c +index 1236c60..d47a51c 100644 +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -244,7 +244,7 @@ static ssize_t urbnum_show(struct device *dev, struct device_attribute *attr, + struct usb_device *udev; + + udev = to_usb_device(dev); +- return sprintf(buf, "%d\n", atomic_read(&udev->urbnum)); ++ return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum)); + } + static DEVICE_ATTR_RO(urbnum); + +diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c +index 4d11449..f4ccabf 100644 +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -433,7 +433,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, + set_dev_node(&dev->dev, dev_to_node(bus->controller)); + dev->state = USB_STATE_ATTACHED; + dev->lpm_disable_count = 1; +- atomic_set(&dev->urbnum, 0); ++ atomic_set_unchecked(&dev->urbnum, 0); + + INIT_LIST_HEAD(&dev->ep0.urb_list); + dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE; +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 2da0a5a..4870e09 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -532,8 +532,6 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, + if (!usb_endpoint_xfer_isoc(desc)) + return 0; + +- memset(&trb_link, 0, sizeof(trb_link)); +- + /* Link TRB for ISOC. The HWO bit is never reset */ + trb_st_hw = &dep->trb_pool[0]; + +diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c +index 8cfc319..4868255 100644 +--- a/drivers/usb/early/ehci-dbgp.c ++++ b/drivers/usb/early/ehci-dbgp.c +@@ -98,7 +98,8 @@ static inline u32 dbgp_len_update(u32 x, u32 len) + + #ifdef CONFIG_KGDB + static struct kgdb_io kgdbdbgp_io_ops; +-#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops) ++static struct kgdb_io kgdbdbgp_io_ops_console; ++#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console) + #else + #define dbgp_kgdb_mode (0) + #endif +@@ -1043,6 +1044,13 @@ static struct kgdb_io kgdbdbgp_io_ops = { + .write_char = kgdbdbgp_write_char, + }; + ++static struct kgdb_io kgdbdbgp_io_ops_console = { ++ .name = "kgdbdbgp", ++ .read_char = kgdbdbgp_read_char, ++ .write_char = kgdbdbgp_write_char, ++ .is_console = 1 ++}; ++ + static int kgdbdbgp_wait_time; + + static int __init kgdbdbgp_parse_config(char *str) +@@ -1058,8 +1066,10 @@ static int __init kgdbdbgp_parse_config(char *str) + ptr++; + kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10); + } +- kgdb_register_io_module(&kgdbdbgp_io_ops); +- kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1; ++ if (early_dbgp_console.index != -1) ++ kgdb_register_io_module(&kgdbdbgp_io_ops_console); ++ else ++ kgdb_register_io_module(&kgdbdbgp_io_ops); + + return 0; + } +diff --git a/drivers/usb/gadget/u_serial.c b/drivers/usb/gadget/u_serial.c +index b369292..9f3ba40 100644 +--- a/drivers/usb/gadget/u_serial.c ++++ b/drivers/usb/gadget/u_serial.c +@@ -733,9 +733,9 @@ static int gs_open(struct tty_struct *tty, struct file *file) + spin_lock_irq(&port->port_lock); + + /* already open? Great. */ +- if (port->port.count) { ++ if (atomic_read(&port->port.count)) { + status = 0; +- port->port.count++; ++ atomic_inc(&port->port.count); + + /* currently opening/closing? wait ... */ + } else if (port->openclose) { +@@ -794,7 +794,7 @@ static int gs_open(struct tty_struct *tty, struct file *file) + tty->driver_data = port; + port->port.tty = tty; + +- port->port.count = 1; ++ atomic_set(&port->port.count, 1); + port->openclose = false; + + /* if connected, start the I/O stream */ +@@ -836,11 +836,11 @@ static void gs_close(struct tty_struct *tty, struct file *file) + + spin_lock_irq(&port->port_lock); + +- if (port->port.count != 1) { +- if (port->port.count == 0) ++ if (atomic_read(&port->port.count) != 1) { ++ if (atomic_read(&port->port.count) == 0) + WARN_ON(1); + else +- --port->port.count; ++ atomic_dec(&port->port.count); + goto exit; + } + +@@ -850,7 +850,7 @@ static void gs_close(struct tty_struct *tty, struct file *file) + * and sleep if necessary + */ + port->openclose = true; +- port->port.count = 0; ++ atomic_set(&port->port.count, 0); + + gser = port->port_usb; + if (gser && gser->disconnect) +@@ -1066,7 +1066,7 @@ static int gs_closed(struct gs_port *port) + int cond; + + spin_lock_irq(&port->port_lock); +- cond = (port->port.count == 0) && !port->openclose; ++ cond = (atomic_read(&port->port.count) == 0) && !port->openclose; + spin_unlock_irq(&port->port_lock); + return cond; + } +@@ -1209,7 +1209,7 @@ int gserial_connect(struct gserial *gser, u8 port_num) + /* if it's already open, start I/O ... and notify the serial + * protocol about open/close status (connect/disconnect). + */ +- if (port->port.count) { ++ if (atomic_read(&port->port.count)) { + pr_debug("gserial_connect: start ttyGS%d\n", port->port_num); + gs_start_io(port); + if (gser->connect) +@@ -1256,7 +1256,7 @@ void gserial_disconnect(struct gserial *gser) + + port->port_usb = NULL; + gser->ioport = NULL; +- if (port->port.count > 0 || port->openclose) { ++ if (atomic_read(&port->port.count) > 0 || port->openclose) { + wake_up_interruptible(&port->drain_wait); + if (port->port.tty) + tty_hangup(port->port.tty); +@@ -1272,7 +1272,7 @@ void gserial_disconnect(struct gserial *gser) + + /* finally, free any unused/unusable I/O buffers */ + spin_lock_irqsave(&port->port_lock, flags); +- if (port->port.count == 0 && !port->openclose) ++ if (atomic_read(&port->port.count) == 0 && !port->openclose) + gs_buf_free(&port->port_write_buf); + gs_free_requests(gser->out, &port->read_pool, NULL); + gs_free_requests(gser->out, &port->read_queue, NULL); +diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c +index 7ae0c4d..35521b7 100644 +--- a/drivers/usb/host/ehci-hub.c ++++ b/drivers/usb/host/ehci-hub.c +@@ -780,7 +780,7 @@ static struct urb *request_single_step_set_feature_urb( + urb->transfer_flags = URB_DIR_IN; + usb_get_urb(urb); + atomic_inc(&urb->use_count); +- atomic_inc(&urb->dev->urbnum); ++ atomic_inc_unchecked(&urb->dev->urbnum); + urb->setup_dma = dma_map_single( + hcd->self.controller, + urb->setup_packet, +@@ -847,7 +847,7 @@ static int ehset_single_step_set_feature(struct usb_hcd *hcd, int port) + urb->status = -EINPROGRESS; + usb_get_urb(urb); + atomic_inc(&urb->use_count); +- atomic_inc(&urb->dev->urbnum); ++ atomic_inc_unchecked(&urb->dev->urbnum); + retval = submit_single_step_set_feature(hcd, urb, 0); + if (!retval && !wait_for_completion_timeout(&done, + msecs_to_jiffies(2000))) { +diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c +index ba6a5d6..f88f7f3 100644 +--- a/drivers/usb/misc/appledisplay.c ++++ b/drivers/usb/misc/appledisplay.c +@@ -83,7 +83,7 @@ struct appledisplay { + spinlock_t lock; + }; + +-static atomic_t count_displays = ATOMIC_INIT(0); ++static atomic_unchecked_t count_displays = ATOMIC_INIT(0); + static struct workqueue_struct *wq; + + static void appledisplay_complete(struct urb *urb) +@@ -281,7 +281,7 @@ static int appledisplay_probe(struct usb_interface *iface, + + /* Register backlight device */ + snprintf(bl_name, sizeof(bl_name), "appledisplay%d", +- atomic_inc_return(&count_displays) - 1); ++ atomic_inc_return_unchecked(&count_displays) - 1); + memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_RAW; + props.max_brightness = 0xff; +diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c +index 8d7fc48..01c4986 100644 +--- a/drivers/usb/serial/console.c ++++ b/drivers/usb/serial/console.c +@@ -123,7 +123,7 @@ static int usb_console_setup(struct console *co, char *options) + + info->port = port; + +- ++port->port.count; ++ atomic_inc(&port->port.count); + if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) { + if (serial->type->set_termios) { + /* +@@ -167,7 +167,7 @@ static int usb_console_setup(struct console *co, char *options) + } + /* Now that any required fake tty operations are completed restore + * the tty port count */ +- --port->port.count; ++ atomic_dec(&port->port.count); + /* The console is special in terms of closing the device so + * indicate this port is now acting as a system console. */ + port->port.console = 1; +@@ -180,7 +180,7 @@ static int usb_console_setup(struct console *co, char *options) + free_tty: + kfree(tty); + reset_open_count: +- port->port.count = 0; ++ atomic_set(&port->port.count, 0); + usb_autopm_put_interface(serial->interface); + error_get_interface: + usb_serial_put(serial); +@@ -191,7 +191,7 @@ static int usb_console_setup(struct console *co, char *options) + static void usb_console_write(struct console *co, + const char *buf, unsigned count) + { +- static struct usbcons_info *info = &usbcons_info; ++ struct usbcons_info *info = &usbcons_info; + struct usb_serial_port *port = info->port; + struct usb_serial *serial; + int retval = -ENODEV; +diff --git a/drivers/usb/storage/usb.h b/drivers/usb/storage/usb.h +index 75f70f0..d467e1a 100644 +--- a/drivers/usb/storage/usb.h ++++ b/drivers/usb/storage/usb.h +@@ -63,7 +63,7 @@ struct us_unusual_dev { + __u8 useProtocol; + __u8 useTransport; + int (*initFunction)(struct us_data *); +-}; ++} __do_const; + + + /* Dynamic bitflag definitions (us->dflags): used in set_bit() etc. */ +diff --git a/drivers/usb/wusbcore/wa-hc.h b/drivers/usb/wusbcore/wa-hc.h +index a2ef84b..aa7c2b8 100644 +--- a/drivers/usb/wusbcore/wa-hc.h ++++ b/drivers/usb/wusbcore/wa-hc.h +@@ -225,7 +225,7 @@ struct wahc { + spinlock_t xfer_list_lock; + struct work_struct xfer_enqueue_work; + struct work_struct xfer_error_work; +- atomic_t xfer_id_count; ++ atomic_unchecked_t xfer_id_count; + + kernel_ulong_t quirks; + }; +@@ -287,7 +287,7 @@ static inline void wa_init(struct wahc *wa) + INIT_WORK(&wa->xfer_enqueue_work, wa_urb_enqueue_run); + INIT_WORK(&wa->xfer_error_work, wa_process_errored_transfers_run); + wa->dto_in_use = 0; +- atomic_set(&wa->xfer_id_count, 1); ++ atomic_set_unchecked(&wa->xfer_id_count, 1); + } + + /** +diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c +index 3cd96e9..bd7c58d 100644 +--- a/drivers/usb/wusbcore/wa-xfer.c ++++ b/drivers/usb/wusbcore/wa-xfer.c +@@ -312,7 +312,7 @@ static void wa_xfer_completion(struct wa_xfer *xfer) + */ + static void wa_xfer_id_init(struct wa_xfer *xfer) + { +- xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count); ++ xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count); + } + + /* Return the xfer's ID. */ +diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c +index 21271d8..45b55a0 100644 +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -487,7 +487,7 @@ static int vfio_group_nb_add_dev(struct vfio_group *group, struct device *dev) + return 0; + + /* TODO Prevent device auto probing */ +- WARN("Device %s added to live group %d!\n", dev_name(dev), ++ WARN(1, "Device %s added to live group %d!\n", dev_name(dev), + iommu_group_id(group->iommu_group)); + + return 0; +diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c +index 5174eba..451e6bc 100644 +--- a/drivers/vhost/vringh.c ++++ b/drivers/vhost/vringh.c +@@ -530,17 +530,17 @@ static inline void __vringh_notify_disable(struct vringh *vrh, + /* Userspace access helpers: in this case, addresses are really userspace. */ + static inline int getu16_user(u16 *val, const u16 *p) + { +- return get_user(*val, (__force u16 __user *)p); ++ return get_user(*val, (u16 __force_user *)p); + } + + static inline int putu16_user(u16 *p, u16 val) + { +- return put_user(val, (__force u16 __user *)p); ++ return put_user(val, (u16 __force_user *)p); + } + + static inline int copydesc_user(void *dst, const void *src, size_t len) + { +- return copy_from_user(dst, (__force void __user *)src, len) ? ++ return copy_from_user(dst, (void __force_user *)src, len) ? + -EFAULT : 0; + } + +@@ -548,19 +548,19 @@ static inline int putused_user(struct vring_used_elem *dst, + const struct vring_used_elem *src, + unsigned int num) + { +- return copy_to_user((__force void __user *)dst, src, ++ return copy_to_user((void __force_user *)dst, src, + sizeof(*dst) * num) ? -EFAULT : 0; + } + + static inline int xfer_from_user(void *src, void *dst, size_t len) + { +- return copy_from_user(dst, (__force void __user *)src, len) ? ++ return copy_from_user(dst, (void __force_user *)src, len) ? + -EFAULT : 0; + } + + static inline int xfer_to_user(void *dst, void *src, size_t len) + { +- return copy_to_user((__force void __user *)dst, src, len) ? ++ return copy_to_user((void __force_user *)dst, src, len) ? + -EFAULT : 0; + } + +@@ -596,9 +596,9 @@ int vringh_init_user(struct vringh *vrh, u32 features, + vrh->last_used_idx = 0; + vrh->vring.num = num; + /* vring expects kernel addresses, but only used via accessors. */ +- vrh->vring.desc = (__force struct vring_desc *)desc; +- vrh->vring.avail = (__force struct vring_avail *)avail; +- vrh->vring.used = (__force struct vring_used *)used; ++ vrh->vring.desc = (__force_kernel struct vring_desc *)desc; ++ vrh->vring.avail = (__force_kernel struct vring_avail *)avail; ++ vrh->vring.used = (__force_kernel struct vring_used *)used; + return 0; + } + EXPORT_SYMBOL(vringh_init_user); +@@ -800,7 +800,7 @@ static inline int getu16_kern(u16 *val, const u16 *p) + + static inline int putu16_kern(u16 *p, u16 val) + { +- ACCESS_ONCE(*p) = val; ++ ACCESS_ONCE_RW(*p) = val; + return 0; + } + +diff --git a/drivers/video/arcfb.c b/drivers/video/arcfb.c +index 1b0b233..6f34c2c 100644 +--- a/drivers/video/arcfb.c ++++ b/drivers/video/arcfb.c +@@ -458,7 +458,7 @@ static ssize_t arcfb_write(struct fb_info *info, const char __user *buf, + return -ENOSPC; + + err = 0; +- if ((count + p) > fbmemlength) { ++ if (count > (fbmemlength - p)) { + count = fbmemlength - p; + err = -ENOSPC; + } +diff --git a/drivers/video/aty/aty128fb.c b/drivers/video/aty/aty128fb.c +index 52108be..c7c110d 100644 +--- a/drivers/video/aty/aty128fb.c ++++ b/drivers/video/aty/aty128fb.c +@@ -149,7 +149,7 @@ enum { + }; + + /* Must match above enum */ +-static char * const r128_family[] = { ++static const char * const r128_family[] = { + "AGP", + "PCI", + "PRO AGP", +diff --git a/drivers/video/aty/atyfb_base.c b/drivers/video/aty/atyfb_base.c +index 28fafbf..ae91651 100644 +--- a/drivers/video/aty/atyfb_base.c ++++ b/drivers/video/aty/atyfb_base.c +@@ -1326,10 +1326,14 @@ static int atyfb_set_par(struct fb_info *info) + par->accel_flags = var->accel_flags; /* hack */ + + if (var->accel_flags) { +- info->fbops->fb_sync = atyfb_sync; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_sync = atyfb_sync; ++ pax_close_kernel(); + info->flags &= ~FBINFO_HWACCEL_DISABLED; + } else { +- info->fbops->fb_sync = NULL; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_sync = NULL; ++ pax_close_kernel(); + info->flags |= FBINFO_HWACCEL_DISABLED; + } + +diff --git a/drivers/video/aty/mach64_cursor.c b/drivers/video/aty/mach64_cursor.c +index 95ec042..e6affdd 100644 +--- a/drivers/video/aty/mach64_cursor.c ++++ b/drivers/video/aty/mach64_cursor.c +@@ -7,6 +7,7 @@ + #include + + #include ++#include + + #ifdef __sparc__ + #include +@@ -208,7 +209,9 @@ int aty_init_cursor(struct fb_info *info) + info->sprite.buf_align = 16; /* and 64 lines tall. */ + info->sprite.flags = FB_PIXMAP_IO; + +- info->fbops->fb_cursor = atyfb_cursor; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_cursor = atyfb_cursor; ++ pax_close_kernel(); + + return 0; + } +diff --git a/drivers/video/backlight/kb3886_bl.c b/drivers/video/backlight/kb3886_bl.c +index 84a110a..96312c3 100644 +--- a/drivers/video/backlight/kb3886_bl.c ++++ b/drivers/video/backlight/kb3886_bl.c +@@ -78,7 +78,7 @@ static struct kb3886bl_machinfo *bl_machinfo; + static unsigned long kb3886bl_flags; + #define KB3886BL_SUSPENDED 0x01 + +-static struct dmi_system_id kb3886bl_device_table[] __initdata = { ++static const struct dmi_system_id kb3886bl_device_table[] __initconst = { + { + .ident = "Sahara Touch-iT", + .matches = { +diff --git a/drivers/video/fb_defio.c b/drivers/video/fb_defio.c +index 900aa4e..6d49418 100644 +--- a/drivers/video/fb_defio.c ++++ b/drivers/video/fb_defio.c +@@ -206,7 +206,9 @@ void fb_deferred_io_init(struct fb_info *info) + + BUG_ON(!fbdefio); + mutex_init(&fbdefio->lock); +- info->fbops->fb_mmap = fb_deferred_io_mmap; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_mmap = fb_deferred_io_mmap; ++ pax_close_kernel(); + INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work); + INIT_LIST_HEAD(&fbdefio->pagelist); + if (fbdefio->delay == 0) /* set a default of 1 s */ +@@ -237,7 +239,7 @@ void fb_deferred_io_cleanup(struct fb_info *info) + page->mapping = NULL; + } + +- info->fbops->fb_mmap = NULL; ++ *(void **)&info->fbops->fb_mmap = NULL; + mutex_destroy(&fbdefio->lock); + } + EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup); +diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c +index 7309ac7..be3c49c 100644 +--- a/drivers/video/fbmem.c ++++ b/drivers/video/fbmem.c +@@ -433,7 +433,7 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + image->dx += image->width + 8; + } + } else if (rotate == FB_ROTATE_UD) { +- for (x = 0; x < num && image->dx >= 0; x++) { ++ for (x = 0; x < num && (__s32)image->dx >= 0; x++) { + info->fbops->fb_imageblit(info, image); + image->dx -= image->width + 8; + } +@@ -445,7 +445,7 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + image->dy += image->height + 8; + } + } else if (rotate == FB_ROTATE_CCW) { +- for (x = 0; x < num && image->dy >= 0; x++) { ++ for (x = 0; x < num && (__s32)image->dy >= 0; x++) { + info->fbops->fb_imageblit(info, image); + image->dy -= image->height + 8; + } +@@ -1179,7 +1179,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, + return -EFAULT; + if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES) + return -EINVAL; +- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX) ++ if (con2fb.framebuffer >= FB_MAX) + return -EINVAL; + if (!registered_fb[con2fb.framebuffer]) + request_module("fb%d", con2fb.framebuffer); +@@ -1300,7 +1300,7 @@ static int do_fscreeninfo_to_user(struct fb_fix_screeninfo *fix, + __u32 data; + int err; + +- err = copy_to_user(&fix32->id, &fix->id, sizeof(fix32->id)); ++ err = copy_to_user(fix32->id, &fix->id, sizeof(fix32->id)); + + data = (__u32) (unsigned long) fix->smem_start; + err |= put_user(data, &fix32->smem_start); +diff --git a/drivers/video/hyperv_fb.c b/drivers/video/hyperv_fb.c +index 130708f..cdac1a9 100644 +--- a/drivers/video/hyperv_fb.c ++++ b/drivers/video/hyperv_fb.c +@@ -233,7 +233,7 @@ static uint screen_fb_size; + static inline int synthvid_send(struct hv_device *hdev, + struct synthvid_msg *msg) + { +- static atomic64_t request_id = ATOMIC64_INIT(0); ++ static atomic64_unchecked_t request_id = ATOMIC64_INIT(0); + int ret; + + msg->pipe_hdr.type = PIPE_MSG_DATA; +@@ -241,7 +241,7 @@ static inline int synthvid_send(struct hv_device *hdev, + + ret = vmbus_sendpacket(hdev->channel, msg, + msg->vid_hdr.size + sizeof(struct pipe_msg_hdr), +- atomic64_inc_return(&request_id), ++ atomic64_inc_return_unchecked(&request_id), + VM_PKT_DATA_INBAND, 0); + + if (ret) +diff --git a/drivers/video/i810/i810_accel.c b/drivers/video/i810/i810_accel.c +index 7672d2e..b56437f 100644 +--- a/drivers/video/i810/i810_accel.c ++++ b/drivers/video/i810/i810_accel.c +@@ -73,6 +73,7 @@ static inline int wait_for_space(struct fb_info *info, u32 space) + } + } + printk("ringbuffer lockup!!!\n"); ++ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space); + i810_report_error(mmio); + par->dev_flags |= LOCKUP; + info->pixmap.scan_align = 1; +diff --git a/drivers/video/logo/logo_linux_clut224.ppm b/drivers/video/logo/logo_linux_clut224.ppm +index 3c14e43..2630570 100644 +--- a/drivers/video/logo/logo_linux_clut224.ppm ++++ b/drivers/video/logo/logo_linux_clut224.ppm +@@ -2,1603 +2,1123 @@ P3 + # Standard 224-color Linux logo + 80 80 + 255 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 6 6 6 10 10 10 10 10 10 +- 10 10 10 6 6 6 6 6 6 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 6 6 6 10 10 10 14 14 14 +- 22 22 22 26 26 26 30 30 30 34 34 34 +- 30 30 30 30 30 30 26 26 26 18 18 18 +- 14 14 14 10 10 10 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 14 14 14 26 26 26 42 42 42 +- 54 54 54 66 66 66 78 78 78 78 78 78 +- 78 78 78 74 74 74 66 66 66 54 54 54 +- 42 42 42 26 26 26 18 18 18 10 10 10 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 1 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 22 22 22 42 42 42 66 66 66 86 86 86 +- 66 66 66 38 38 38 38 38 38 22 22 22 +- 26 26 26 34 34 34 54 54 54 66 66 66 +- 86 86 86 70 70 70 46 46 46 26 26 26 +- 14 14 14 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 1 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 10 10 10 26 26 26 +- 50 50 50 82 82 82 58 58 58 6 6 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 6 6 6 54 54 54 86 86 86 66 66 66 +- 38 38 38 18 18 18 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 6 6 6 22 22 22 50 50 50 +- 78 78 78 34 34 34 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 6 6 6 70 70 70 +- 78 78 78 46 46 46 22 22 22 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 1 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 18 18 18 42 42 42 82 82 82 +- 26 26 26 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 14 14 14 +- 46 46 46 34 34 34 6 6 6 2 2 6 +- 42 42 42 78 78 78 42 42 42 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 1 0 0 0 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 10 10 10 30 30 30 66 66 66 58 58 58 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 26 26 26 +- 86 86 86 101 101 101 46 46 46 10 10 10 +- 2 2 6 58 58 58 70 70 70 34 34 34 +- 10 10 10 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 1 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 14 14 14 42 42 42 86 86 86 10 10 10 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 30 30 30 +- 94 94 94 94 94 94 58 58 58 26 26 26 +- 2 2 6 6 6 6 78 78 78 54 54 54 +- 22 22 22 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 22 22 22 62 62 62 62 62 62 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 26 26 26 +- 54 54 54 38 38 38 18 18 18 10 10 10 +- 2 2 6 2 2 6 34 34 34 82 82 82 +- 38 38 38 14 14 14 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 30 30 30 78 78 78 30 30 30 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 10 10 10 +- 10 10 10 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 78 78 78 +- 50 50 50 18 18 18 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 1 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 38 38 38 86 86 86 14 14 14 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 54 54 54 +- 66 66 66 26 26 26 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 42 42 42 82 82 82 2 2 6 2 2 6 +- 2 2 6 6 6 6 10 10 10 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 6 6 6 +- 14 14 14 10 10 10 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 18 18 18 +- 82 82 82 34 34 34 10 10 10 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 1 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 46 46 46 86 86 86 2 2 6 2 2 6 +- 6 6 6 6 6 6 22 22 22 34 34 34 +- 6 6 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 18 18 18 34 34 34 +- 10 10 10 50 50 50 22 22 22 2 2 6 +- 2 2 6 2 2 6 2 2 6 10 10 10 +- 86 86 86 42 42 42 14 14 14 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 1 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 46 46 46 86 86 86 2 2 6 2 2 6 +- 38 38 38 116 116 116 94 94 94 22 22 22 +- 22 22 22 2 2 6 2 2 6 2 2 6 +- 14 14 14 86 86 86 138 138 138 162 162 162 +-154 154 154 38 38 38 26 26 26 6 6 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 86 86 86 46 46 46 14 14 14 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 46 46 46 86 86 86 2 2 6 14 14 14 +-134 134 134 198 198 198 195 195 195 116 116 116 +- 10 10 10 2 2 6 2 2 6 6 6 6 +-101 98 89 187 187 187 210 210 210 218 218 218 +-214 214 214 134 134 134 14 14 14 6 6 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 86 86 86 50 50 50 18 18 18 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 1 0 0 0 +- 0 0 1 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 46 46 46 86 86 86 2 2 6 54 54 54 +-218 218 218 195 195 195 226 226 226 246 246 246 +- 58 58 58 2 2 6 2 2 6 30 30 30 +-210 210 210 253 253 253 174 174 174 123 123 123 +-221 221 221 234 234 234 74 74 74 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 70 70 70 58 58 58 22 22 22 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 46 46 46 82 82 82 2 2 6 106 106 106 +-170 170 170 26 26 26 86 86 86 226 226 226 +-123 123 123 10 10 10 14 14 14 46 46 46 +-231 231 231 190 190 190 6 6 6 70 70 70 +- 90 90 90 238 238 238 158 158 158 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 70 70 70 58 58 58 22 22 22 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 1 0 0 0 +- 0 0 1 0 0 1 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 42 42 42 86 86 86 6 6 6 116 116 116 +-106 106 106 6 6 6 70 70 70 149 149 149 +-128 128 128 18 18 18 38 38 38 54 54 54 +-221 221 221 106 106 106 2 2 6 14 14 14 +- 46 46 46 190 190 190 198 198 198 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 74 74 74 62 62 62 22 22 22 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 1 0 0 0 +- 0 0 1 0 0 0 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 42 42 42 94 94 94 14 14 14 101 101 101 +-128 128 128 2 2 6 18 18 18 116 116 116 +-118 98 46 121 92 8 121 92 8 98 78 10 +-162 162 162 106 106 106 2 2 6 2 2 6 +- 2 2 6 195 195 195 195 195 195 6 6 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 74 74 74 62 62 62 22 22 22 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 1 0 0 1 +- 0 0 1 0 0 0 0 0 1 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 38 38 38 90 90 90 14 14 14 58 58 58 +-210 210 210 26 26 26 54 38 6 154 114 10 +-226 170 11 236 186 11 225 175 15 184 144 12 +-215 174 15 175 146 61 37 26 9 2 2 6 +- 70 70 70 246 246 246 138 138 138 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 70 70 70 66 66 66 26 26 26 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 38 38 38 86 86 86 14 14 14 10 10 10 +-195 195 195 188 164 115 192 133 9 225 175 15 +-239 182 13 234 190 10 232 195 16 232 200 30 +-245 207 45 241 208 19 232 195 16 184 144 12 +-218 194 134 211 206 186 42 42 42 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 50 50 50 74 74 74 30 30 30 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 34 34 34 86 86 86 14 14 14 2 2 6 +-121 87 25 192 133 9 219 162 10 239 182 13 +-236 186 11 232 195 16 241 208 19 244 214 54 +-246 218 60 246 218 38 246 215 20 241 208 19 +-241 208 19 226 184 13 121 87 25 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 50 50 50 82 82 82 34 34 34 10 10 10 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 34 34 34 82 82 82 30 30 30 61 42 6 +-180 123 7 206 145 10 230 174 11 239 182 13 +-234 190 10 238 202 15 241 208 19 246 218 74 +-246 218 38 246 215 20 246 215 20 246 215 20 +-226 184 13 215 174 15 184 144 12 6 6 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 26 26 26 94 94 94 42 42 42 14 14 14 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 30 30 30 78 78 78 50 50 50 104 69 6 +-192 133 9 216 158 10 236 178 12 236 186 11 +-232 195 16 241 208 19 244 214 54 245 215 43 +-246 215 20 246 215 20 241 208 19 198 155 10 +-200 144 11 216 158 10 156 118 10 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 6 6 6 90 90 90 54 54 54 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 30 30 30 78 78 78 46 46 46 22 22 22 +-137 92 6 210 162 10 239 182 13 238 190 10 +-238 202 15 241 208 19 246 215 20 246 215 20 +-241 208 19 203 166 17 185 133 11 210 150 10 +-216 158 10 210 150 10 102 78 10 2 2 6 +- 6 6 6 54 54 54 14 14 14 2 2 6 +- 2 2 6 62 62 62 74 74 74 30 30 30 +- 10 10 10 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 34 34 34 78 78 78 50 50 50 6 6 6 +- 94 70 30 139 102 15 190 146 13 226 184 13 +-232 200 30 232 195 16 215 174 15 190 146 13 +-168 122 10 192 133 9 210 150 10 213 154 11 +-202 150 34 182 157 106 101 98 89 2 2 6 +- 2 2 6 78 78 78 116 116 116 58 58 58 +- 2 2 6 22 22 22 90 90 90 46 46 46 +- 18 18 18 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 38 38 38 86 86 86 50 50 50 6 6 6 +-128 128 128 174 154 114 156 107 11 168 122 10 +-198 155 10 184 144 12 197 138 11 200 144 11 +-206 145 10 206 145 10 197 138 11 188 164 115 +-195 195 195 198 198 198 174 174 174 14 14 14 +- 2 2 6 22 22 22 116 116 116 116 116 116 +- 22 22 22 2 2 6 74 74 74 70 70 70 +- 30 30 30 10 10 10 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 18 18 18 +- 50 50 50 101 101 101 26 26 26 10 10 10 +-138 138 138 190 190 190 174 154 114 156 107 11 +-197 138 11 200 144 11 197 138 11 192 133 9 +-180 123 7 190 142 34 190 178 144 187 187 187 +-202 202 202 221 221 221 214 214 214 66 66 66 +- 2 2 6 2 2 6 50 50 50 62 62 62 +- 6 6 6 2 2 6 10 10 10 90 90 90 +- 50 50 50 18 18 18 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 10 10 10 34 34 34 +- 74 74 74 74 74 74 2 2 6 6 6 6 +-144 144 144 198 198 198 190 190 190 178 166 146 +-154 121 60 156 107 11 156 107 11 168 124 44 +-174 154 114 187 187 187 190 190 190 210 210 210 +-246 246 246 253 253 253 253 253 253 182 182 182 +- 6 6 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 62 62 62 +- 74 74 74 34 34 34 14 14 14 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 10 10 10 22 22 22 54 54 54 +- 94 94 94 18 18 18 2 2 6 46 46 46 +-234 234 234 221 221 221 190 190 190 190 190 190 +-190 190 190 187 187 187 187 187 187 190 190 190 +-190 190 190 195 195 195 214 214 214 242 242 242 +-253 253 253 253 253 253 253 253 253 253 253 253 +- 82 82 82 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 14 14 14 +- 86 86 86 54 54 54 22 22 22 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 18 18 18 46 46 46 90 90 90 +- 46 46 46 18 18 18 6 6 6 182 182 182 +-253 253 253 246 246 246 206 206 206 190 190 190 +-190 190 190 190 190 190 190 190 190 190 190 190 +-206 206 206 231 231 231 250 250 250 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-202 202 202 14 14 14 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 42 42 42 86 86 86 42 42 42 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 14 14 14 38 38 38 74 74 74 66 66 66 +- 2 2 6 6 6 6 90 90 90 250 250 250 +-253 253 253 253 253 253 238 238 238 198 198 198 +-190 190 190 190 190 190 195 195 195 221 221 221 +-246 246 246 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 82 82 82 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 78 78 78 70 70 70 34 34 34 +- 14 14 14 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 34 34 34 66 66 66 78 78 78 6 6 6 +- 2 2 6 18 18 18 218 218 218 253 253 253 +-253 253 253 253 253 253 253 253 253 246 246 246 +-226 226 226 231 231 231 246 246 246 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 178 178 178 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 18 18 18 90 90 90 62 62 62 +- 30 30 30 10 10 10 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 10 10 10 26 26 26 +- 58 58 58 90 90 90 18 18 18 2 2 6 +- 2 2 6 110 110 110 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-250 250 250 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 231 231 231 18 18 18 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 18 18 18 94 94 94 +- 54 54 54 26 26 26 10 10 10 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 6 6 6 22 22 22 50 50 50 +- 90 90 90 26 26 26 2 2 6 2 2 6 +- 14 14 14 195 195 195 250 250 250 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-250 250 250 242 242 242 54 54 54 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 38 38 38 +- 86 86 86 50 50 50 22 22 22 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 14 14 14 38 38 38 82 82 82 +- 34 34 34 2 2 6 2 2 6 2 2 6 +- 42 42 42 195 195 195 246 246 246 253 253 253 +-253 253 253 253 253 253 253 253 253 250 250 250 +-242 242 242 242 242 242 250 250 250 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 250 250 250 246 246 246 238 238 238 +-226 226 226 231 231 231 101 101 101 6 6 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 38 38 38 82 82 82 42 42 42 14 14 14 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 10 10 10 26 26 26 62 62 62 66 66 66 +- 2 2 6 2 2 6 2 2 6 6 6 6 +- 70 70 70 170 170 170 206 206 206 234 234 234 +-246 246 246 250 250 250 250 250 250 238 238 238 +-226 226 226 231 231 231 238 238 238 250 250 250 +-250 250 250 250 250 250 246 246 246 231 231 231 +-214 214 214 206 206 206 202 202 202 202 202 202 +-198 198 198 202 202 202 182 182 182 18 18 18 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 62 62 62 66 66 66 30 30 30 +- 10 10 10 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 14 14 14 42 42 42 82 82 82 18 18 18 +- 2 2 6 2 2 6 2 2 6 10 10 10 +- 94 94 94 182 182 182 218 218 218 242 242 242 +-250 250 250 253 253 253 253 253 253 250 250 250 +-234 234 234 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 246 246 246 +-238 238 238 226 226 226 210 210 210 202 202 202 +-195 195 195 195 195 195 210 210 210 158 158 158 +- 6 6 6 14 14 14 50 50 50 14 14 14 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 6 6 6 86 86 86 46 46 46 +- 18 18 18 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 22 22 22 54 54 54 70 70 70 2 2 6 +- 2 2 6 10 10 10 2 2 6 22 22 22 +-166 166 166 231 231 231 250 250 250 253 253 253 +-253 253 253 253 253 253 253 253 253 250 250 250 +-242 242 242 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 246 246 246 +-231 231 231 206 206 206 198 198 198 226 226 226 +- 94 94 94 2 2 6 6 6 6 38 38 38 +- 30 30 30 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 62 62 62 66 66 66 +- 26 26 26 10 10 10 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 30 30 30 74 74 74 50 50 50 2 2 6 +- 26 26 26 26 26 26 2 2 6 106 106 106 +-238 238 238 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 246 246 246 218 218 218 202 202 202 +-210 210 210 14 14 14 2 2 6 2 2 6 +- 30 30 30 22 22 22 2 2 6 2 2 6 +- 2 2 6 2 2 6 18 18 18 86 86 86 +- 42 42 42 14 14 14 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 42 42 42 90 90 90 22 22 22 2 2 6 +- 42 42 42 2 2 6 18 18 18 218 218 218 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 250 250 250 221 221 221 +-218 218 218 101 101 101 2 2 6 14 14 14 +- 18 18 18 38 38 38 10 10 10 2 2 6 +- 2 2 6 2 2 6 2 2 6 78 78 78 +- 58 58 58 22 22 22 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 18 18 18 +- 54 54 54 82 82 82 2 2 6 26 26 26 +- 22 22 22 2 2 6 123 123 123 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 250 250 250 +-238 238 238 198 198 198 6 6 6 38 38 38 +- 58 58 58 26 26 26 38 38 38 2 2 6 +- 2 2 6 2 2 6 2 2 6 46 46 46 +- 78 78 78 30 30 30 10 10 10 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 10 10 10 30 30 30 +- 74 74 74 58 58 58 2 2 6 42 42 42 +- 2 2 6 22 22 22 231 231 231 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 250 250 250 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 246 246 246 46 46 46 38 38 38 +- 42 42 42 14 14 14 38 38 38 14 14 14 +- 2 2 6 2 2 6 2 2 6 6 6 6 +- 86 86 86 46 46 46 14 14 14 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 6 6 6 14 14 14 42 42 42 +- 90 90 90 18 18 18 18 18 18 26 26 26 +- 2 2 6 116 116 116 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 250 250 250 238 238 238 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 94 94 94 6 6 6 +- 2 2 6 2 2 6 10 10 10 34 34 34 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 74 74 74 58 58 58 22 22 22 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 10 10 10 26 26 26 66 66 66 +- 82 82 82 2 2 6 38 38 38 6 6 6 +- 14 14 14 210 210 210 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 246 246 246 242 242 242 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 144 144 144 2 2 6 +- 2 2 6 2 2 6 2 2 6 46 46 46 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 42 42 42 74 74 74 30 30 30 10 10 10 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 14 14 14 42 42 42 90 90 90 +- 26 26 26 6 6 6 42 42 42 2 2 6 +- 74 74 74 250 250 250 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 242 242 242 242 242 242 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 182 182 182 2 2 6 +- 2 2 6 2 2 6 2 2 6 46 46 46 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 10 10 10 86 86 86 38 38 38 10 10 10 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 10 10 10 26 26 26 66 66 66 82 82 82 +- 2 2 6 22 22 22 18 18 18 2 2 6 +-149 149 149 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 234 234 234 242 242 242 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 206 206 206 2 2 6 +- 2 2 6 2 2 6 2 2 6 38 38 38 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 6 6 6 86 86 86 46 46 46 14 14 14 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 18 18 18 46 46 46 86 86 86 18 18 18 +- 2 2 6 34 34 34 10 10 10 6 6 6 +-210 210 210 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 234 234 234 242 242 242 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 221 221 221 6 6 6 +- 2 2 6 2 2 6 6 6 6 30 30 30 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 82 82 82 54 54 54 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 26 26 26 66 66 66 62 62 62 2 2 6 +- 2 2 6 38 38 38 10 10 10 26 26 26 +-238 238 238 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 238 238 238 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 6 6 6 +- 2 2 6 2 2 6 10 10 10 30 30 30 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 66 66 66 58 58 58 22 22 22 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 38 38 38 78 78 78 6 6 6 2 2 6 +- 2 2 6 46 46 46 14 14 14 42 42 42 +-246 246 246 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 242 242 242 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 234 234 234 10 10 10 +- 2 2 6 2 2 6 22 22 22 14 14 14 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 66 66 66 62 62 62 22 22 22 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 18 18 18 +- 50 50 50 74 74 74 2 2 6 2 2 6 +- 14 14 14 70 70 70 34 34 34 62 62 62 +-250 250 250 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 246 246 246 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 234 234 234 14 14 14 +- 2 2 6 2 2 6 30 30 30 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 66 66 66 62 62 62 22 22 22 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 18 18 18 +- 54 54 54 62 62 62 2 2 6 2 2 6 +- 2 2 6 30 30 30 46 46 46 70 70 70 +-250 250 250 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 246 246 246 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 226 226 226 10 10 10 +- 2 2 6 6 6 6 30 30 30 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 66 66 66 58 58 58 22 22 22 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 22 22 22 +- 58 58 58 62 62 62 2 2 6 2 2 6 +- 2 2 6 2 2 6 30 30 30 78 78 78 +-250 250 250 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 246 246 246 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 206 206 206 2 2 6 +- 22 22 22 34 34 34 18 14 6 22 22 22 +- 26 26 26 18 18 18 6 6 6 2 2 6 +- 2 2 6 82 82 82 54 54 54 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 26 26 26 +- 62 62 62 106 106 106 74 54 14 185 133 11 +-210 162 10 121 92 8 6 6 6 62 62 62 +-238 238 238 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 246 246 246 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 158 158 158 18 18 18 +- 14 14 14 2 2 6 2 2 6 2 2 6 +- 6 6 6 18 18 18 66 66 66 38 38 38 +- 6 6 6 94 94 94 50 50 50 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 10 10 10 10 10 10 18 18 18 38 38 38 +- 78 78 78 142 134 106 216 158 10 242 186 14 +-246 190 14 246 190 14 156 118 10 10 10 10 +- 90 90 90 238 238 238 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 250 250 250 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 246 230 190 +-238 204 91 238 204 91 181 142 44 37 26 9 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 38 38 38 46 46 46 +- 26 26 26 106 106 106 54 54 54 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 6 6 6 14 14 14 22 22 22 +- 30 30 30 38 38 38 50 50 50 70 70 70 +-106 106 106 190 142 34 226 170 11 242 186 14 +-246 190 14 246 190 14 246 190 14 154 114 10 +- 6 6 6 74 74 74 226 226 226 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 231 231 231 250 250 250 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 228 184 62 +-241 196 14 241 208 19 232 195 16 38 30 10 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 6 6 6 30 30 30 26 26 26 +-203 166 17 154 142 90 66 66 66 26 26 26 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 18 18 18 38 38 38 58 58 58 +- 78 78 78 86 86 86 101 101 101 123 123 123 +-175 146 61 210 150 10 234 174 13 246 186 14 +-246 190 14 246 190 14 246 190 14 238 190 10 +-102 78 10 2 2 6 46 46 46 198 198 198 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 234 234 234 242 242 242 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 224 178 62 +-242 186 14 241 196 14 210 166 10 22 18 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 6 6 6 121 92 8 +-238 202 15 232 195 16 82 82 82 34 34 34 +- 10 10 10 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 14 14 14 38 38 38 70 70 70 154 122 46 +-190 142 34 200 144 11 197 138 11 197 138 11 +-213 154 11 226 170 11 242 186 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-225 175 15 46 32 6 2 2 6 22 22 22 +-158 158 158 250 250 250 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 250 250 250 242 242 242 224 178 62 +-239 182 13 236 186 11 213 154 11 46 32 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 61 42 6 225 175 15 +-238 190 10 236 186 11 112 100 78 42 42 42 +- 14 14 14 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 22 22 22 54 54 54 154 122 46 213 154 11 +-226 170 11 230 174 11 226 170 11 226 170 11 +-236 178 12 242 186 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-241 196 14 184 144 12 10 10 10 2 2 6 +- 6 6 6 116 116 116 242 242 242 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 231 231 231 198 198 198 214 170 54 +-236 178 12 236 178 12 210 150 10 137 92 6 +- 18 14 6 2 2 6 2 2 6 2 2 6 +- 6 6 6 70 47 6 200 144 11 236 178 12 +-239 182 13 239 182 13 124 112 88 58 58 58 +- 22 22 22 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 30 30 30 70 70 70 180 133 36 226 170 11 +-239 182 13 242 186 14 242 186 14 246 186 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 232 195 16 98 70 6 2 2 6 +- 2 2 6 2 2 6 66 66 66 221 221 221 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 206 206 206 198 198 198 214 166 58 +-230 174 11 230 174 11 216 158 10 192 133 9 +-163 110 8 116 81 8 102 78 10 116 81 8 +-167 114 7 197 138 11 226 170 11 239 182 13 +-242 186 14 242 186 14 162 146 94 78 78 78 +- 34 34 34 14 14 14 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 30 30 30 78 78 78 190 142 34 226 170 11 +-239 182 13 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 241 196 14 203 166 17 22 18 6 +- 2 2 6 2 2 6 2 2 6 38 38 38 +-218 218 218 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-250 250 250 206 206 206 198 198 198 202 162 69 +-226 170 11 236 178 12 224 166 10 210 150 10 +-200 144 11 197 138 11 192 133 9 197 138 11 +-210 150 10 226 170 11 242 186 14 246 190 14 +-246 190 14 246 186 14 225 175 15 124 112 88 +- 62 62 62 30 30 30 14 14 14 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 30 30 30 78 78 78 174 135 50 224 166 10 +-239 182 13 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 241 196 14 139 102 15 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 78 78 78 250 250 250 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-250 250 250 214 214 214 198 198 198 190 150 46 +-219 162 10 236 178 12 234 174 13 224 166 10 +-216 158 10 213 154 11 213 154 11 216 158 10 +-226 170 11 239 182 13 246 190 14 246 190 14 +-246 190 14 246 190 14 242 186 14 206 162 42 +-101 101 101 58 58 58 30 30 30 14 14 14 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 30 30 30 74 74 74 174 135 50 216 158 10 +-236 178 12 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 241 196 14 226 184 13 +- 61 42 6 2 2 6 2 2 6 2 2 6 +- 22 22 22 238 238 238 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 226 226 226 187 187 187 180 133 36 +-216 158 10 236 178 12 239 182 13 236 178 12 +-230 174 11 226 170 11 226 170 11 230 174 11 +-236 178 12 242 186 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 186 14 239 182 13 +-206 162 42 106 106 106 66 66 66 34 34 34 +- 14 14 14 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 26 26 26 70 70 70 163 133 67 213 154 11 +-236 178 12 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 241 196 14 +-190 146 13 18 14 6 2 2 6 2 2 6 +- 46 46 46 246 246 246 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 221 221 221 86 86 86 156 107 11 +-216 158 10 236 178 12 242 186 14 246 186 14 +-242 186 14 239 182 13 239 182 13 242 186 14 +-242 186 14 246 186 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-242 186 14 225 175 15 142 122 72 66 66 66 +- 30 30 30 10 10 10 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 26 26 26 70 70 70 163 133 67 210 150 10 +-236 178 12 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-232 195 16 121 92 8 34 34 34 106 106 106 +-221 221 221 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-242 242 242 82 82 82 18 14 6 163 110 8 +-216 158 10 236 178 12 242 186 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 242 186 14 163 133 67 +- 46 46 46 18 18 18 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 10 10 10 +- 30 30 30 78 78 78 163 133 67 210 150 10 +-236 178 12 246 186 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-241 196 14 215 174 15 190 178 144 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 218 218 218 +- 58 58 58 2 2 6 22 18 6 167 114 7 +-216 158 10 236 178 12 246 186 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 186 14 242 186 14 190 150 46 +- 54 54 54 22 22 22 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 38 38 38 86 86 86 180 133 36 213 154 11 +-236 178 12 246 186 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 232 195 16 190 146 13 214 214 214 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 250 250 250 170 170 170 26 26 26 +- 2 2 6 2 2 6 37 26 9 163 110 8 +-219 162 10 239 182 13 246 186 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 186 14 236 178 12 224 166 10 142 122 72 +- 46 46 46 18 18 18 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 18 18 18 +- 50 50 50 109 106 95 192 133 9 224 166 10 +-242 186 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-242 186 14 226 184 13 210 162 10 142 110 46 +-226 226 226 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-253 253 253 253 253 253 253 253 253 253 253 253 +-198 198 198 66 66 66 2 2 6 2 2 6 +- 2 2 6 2 2 6 50 34 6 156 107 11 +-219 162 10 239 182 13 246 186 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 242 186 14 +-234 174 13 213 154 11 154 122 46 66 66 66 +- 30 30 30 10 10 10 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 22 22 22 +- 58 58 58 154 121 60 206 145 10 234 174 13 +-242 186 14 246 186 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 186 14 236 178 12 210 162 10 163 110 8 +- 61 42 6 138 138 138 218 218 218 250 250 250 +-253 253 253 253 253 253 253 253 253 250 250 250 +-242 242 242 210 210 210 144 144 144 66 66 66 +- 6 6 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 61 42 6 163 110 8 +-216 158 10 236 178 12 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 239 182 13 230 174 11 216 158 10 +-190 142 34 124 112 88 70 70 70 38 38 38 +- 18 18 18 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 22 22 22 +- 62 62 62 168 124 44 206 145 10 224 166 10 +-236 178 12 239 182 13 242 186 14 242 186 14 +-246 186 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 236 178 12 216 158 10 175 118 6 +- 80 54 7 2 2 6 6 6 6 30 30 30 +- 54 54 54 62 62 62 50 50 50 38 38 38 +- 14 14 14 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 6 6 6 80 54 7 167 114 7 +-213 154 11 236 178 12 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 190 14 242 186 14 239 182 13 239 182 13 +-230 174 11 210 150 10 174 135 50 124 112 88 +- 82 82 82 54 54 54 34 34 34 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 18 18 18 +- 50 50 50 158 118 36 192 133 9 200 144 11 +-216 158 10 219 162 10 224 166 10 226 170 11 +-230 174 11 236 178 12 239 182 13 239 182 13 +-242 186 14 246 186 14 246 190 14 246 190 14 +-246 190 14 246 190 14 246 190 14 246 190 14 +-246 186 14 230 174 11 210 150 10 163 110 8 +-104 69 6 10 10 10 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 6 6 6 91 60 6 167 114 7 +-206 145 10 230 174 11 242 186 14 246 190 14 +-246 190 14 246 190 14 246 186 14 242 186 14 +-239 182 13 230 174 11 224 166 10 213 154 11 +-180 133 36 124 112 88 86 86 86 58 58 58 +- 38 38 38 22 22 22 10 10 10 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 14 14 14 +- 34 34 34 70 70 70 138 110 50 158 118 36 +-167 114 7 180 123 7 192 133 9 197 138 11 +-200 144 11 206 145 10 213 154 11 219 162 10 +-224 166 10 230 174 11 239 182 13 242 186 14 +-246 186 14 246 186 14 246 186 14 246 186 14 +-239 182 13 216 158 10 185 133 11 152 99 6 +-104 69 6 18 14 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 2 2 6 2 2 6 2 2 6 +- 2 2 6 6 6 6 80 54 7 152 99 6 +-192 133 9 219 162 10 236 178 12 239 182 13 +-246 186 14 242 186 14 239 182 13 236 178 12 +-224 166 10 206 145 10 192 133 9 154 121 60 +- 94 94 94 62 62 62 42 42 42 22 22 22 +- 14 14 14 6 6 6 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 18 18 18 34 34 34 58 58 58 78 78 78 +-101 98 89 124 112 88 142 110 46 156 107 11 +-163 110 8 167 114 7 175 118 6 180 123 7 +-185 133 11 197 138 11 210 150 10 219 162 10 +-226 170 11 236 178 12 236 178 12 234 174 13 +-219 162 10 197 138 11 163 110 8 130 83 6 +- 91 60 6 10 10 10 2 2 6 2 2 6 +- 18 18 18 38 38 38 38 38 38 38 38 38 +- 38 38 38 38 38 38 38 38 38 38 38 38 +- 38 38 38 38 38 38 26 26 26 2 2 6 +- 2 2 6 6 6 6 70 47 6 137 92 6 +-175 118 6 200 144 11 219 162 10 230 174 11 +-234 174 13 230 174 11 219 162 10 210 150 10 +-192 133 9 163 110 8 124 112 88 82 82 82 +- 50 50 50 30 30 30 14 14 14 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 14 14 14 22 22 22 34 34 34 +- 42 42 42 58 58 58 74 74 74 86 86 86 +-101 98 89 122 102 70 130 98 46 121 87 25 +-137 92 6 152 99 6 163 110 8 180 123 7 +-185 133 11 197 138 11 206 145 10 200 144 11 +-180 123 7 156 107 11 130 83 6 104 69 6 +- 50 34 6 54 54 54 110 110 110 101 98 89 +- 86 86 86 82 82 82 78 78 78 78 78 78 +- 78 78 78 78 78 78 78 78 78 78 78 78 +- 78 78 78 82 82 82 86 86 86 94 94 94 +-106 106 106 101 101 101 86 66 34 124 80 6 +-156 107 11 180 123 7 192 133 9 200 144 11 +-206 145 10 200 144 11 192 133 9 175 118 6 +-139 102 15 109 106 95 70 70 70 42 42 42 +- 22 22 22 10 10 10 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 6 6 6 10 10 10 +- 14 14 14 22 22 22 30 30 30 38 38 38 +- 50 50 50 62 62 62 74 74 74 90 90 90 +-101 98 89 112 100 78 121 87 25 124 80 6 +-137 92 6 152 99 6 152 99 6 152 99 6 +-138 86 6 124 80 6 98 70 6 86 66 30 +-101 98 89 82 82 82 58 58 58 46 46 46 +- 38 38 38 34 34 34 34 34 34 34 34 34 +- 34 34 34 34 34 34 34 34 34 34 34 34 +- 34 34 34 34 34 34 38 38 38 42 42 42 +- 54 54 54 82 82 82 94 86 76 91 60 6 +-134 86 6 156 107 11 167 114 7 175 118 6 +-175 118 6 167 114 7 152 99 6 121 87 25 +-101 98 89 62 62 62 34 34 34 18 18 18 +- 6 6 6 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 6 6 6 6 6 6 10 10 10 +- 18 18 18 22 22 22 30 30 30 42 42 42 +- 50 50 50 66 66 66 86 86 86 101 98 89 +-106 86 58 98 70 6 104 69 6 104 69 6 +-104 69 6 91 60 6 82 62 34 90 90 90 +- 62 62 62 38 38 38 22 22 22 14 14 14 +- 10 10 10 10 10 10 10 10 10 10 10 10 +- 10 10 10 10 10 10 6 6 6 10 10 10 +- 10 10 10 10 10 10 10 10 10 14 14 14 +- 22 22 22 42 42 42 70 70 70 89 81 66 +- 80 54 7 104 69 6 124 80 6 137 92 6 +-134 86 6 116 81 8 100 82 52 86 86 86 +- 58 58 58 30 30 30 14 14 14 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 6 6 6 10 10 10 14 14 14 +- 18 18 18 26 26 26 38 38 38 54 54 54 +- 70 70 70 86 86 86 94 86 76 89 81 66 +- 89 81 66 86 86 86 74 74 74 50 50 50 +- 30 30 30 14 14 14 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 18 18 18 34 34 34 58 58 58 +- 82 82 82 89 81 66 89 81 66 89 81 66 +- 94 86 66 94 86 76 74 74 74 50 50 50 +- 26 26 26 14 14 14 6 6 6 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 6 6 6 6 6 6 14 14 14 18 18 18 +- 30 30 30 38 38 38 46 46 46 54 54 54 +- 50 50 50 42 42 42 30 30 30 18 18 18 +- 10 10 10 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 6 6 6 14 14 14 26 26 26 +- 38 38 38 50 50 50 58 58 58 58 58 58 +- 54 54 54 42 42 42 30 30 30 18 18 18 +- 10 10 10 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 6 6 6 10 10 10 14 14 14 18 18 18 +- 18 18 18 14 14 14 10 10 10 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 6 6 6 +- 14 14 14 18 18 18 22 22 22 22 22 22 +- 18 18 18 14 14 14 10 10 10 6 6 6 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 +- 0 0 0 0 0 0 0 0 0 0 0 0 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0 ++0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 ++0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28 ++37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2 ++5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6 ++2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 ++4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0 ++1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137 ++153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0 ++0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125 ++60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4 ++4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35 ++2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0 ++4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167 ++165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63 ++1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 ++3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167 ++163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5 ++0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159 ++37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 ++37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158 ++156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166 ++125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4 ++5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 ++0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158 ++174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1 ++0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196 ++64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 ++5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134 ++156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157 ++156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167 ++174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0 ++1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0 ++13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153 ++174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2 ++22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193 ++90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3 ++0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174 ++174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155 ++156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153 ++163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17 ++4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 ++5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63 ++131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174 ++190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103 ++90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196 ++31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0 ++4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163 ++155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165 ++167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155 ++153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131 ++41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4 ++1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174 ++177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137 ++125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209 ++136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122 ++7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37 ++125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155 ++156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155 ++137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156 ++156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174 ++167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0 ++0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174 ++166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6 ++6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196 ++90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14 ++1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153 ++167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156 ++157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68 ++26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166 ++158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158 ++165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17 ++60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165 ++137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21 ++52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146 ++13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0 ++4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 ++0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166 ++158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158 ++167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0 ++4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158 ++174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156 ++155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125 ++137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125 ++16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188 ++136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14 ++2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5 ++4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0 ++37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157 ++157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174 ++153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0 ++4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37 ++125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154 ++156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163 ++174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0 ++4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211 ++136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2 ++1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4 ++2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0 ++0 0 0 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 ++4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127 ++158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156 ++153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125 ++37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4 ++4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0 ++4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165 ++154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174 ++174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3 ++32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193 ++28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5 ++50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1 ++0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81 ++2 0 0 0 0 0 ++4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2 ++0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174 ++174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153 ++165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6 ++4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4 ++4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3 ++4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174 ++174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158 ++60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148 ++136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13 ++22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132 ++136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0 ++26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165 ++37 38 37 0 0 0 ++4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0 ++13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165 ++153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174 ++177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0 ++4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5 ++5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5 ++6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84 ++166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27 ++4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220 ++146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103 ++71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196 ++90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28 ++125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174 ++85 115 134 4 0 0 ++4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55 ++125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153 ++155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154 ++125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5 ++5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 ++0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4 ++5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6 ++37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0 ++4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209 ++90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103 ++2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93 ++13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137 ++166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174 ++60 73 81 4 0 0 ++4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174 ++174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155 ++156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37 ++4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5 ++4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3 ++10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4 ++4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0 ++4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55 ++80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209 ++28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13 ++50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1 ++1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174 ++167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125 ++16 19 21 4 0 0 ++4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174 ++158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 ++167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0 ++4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4 ++4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86 ++80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1 ++4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5 ++3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209 ++146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 ++68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193 ++136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0 ++24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165 ++163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28 ++4 0 0 4 3 3 ++3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158 ++156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174 ++155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3 ++2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196 ++136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0 ++0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0 ++0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211 ++136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193 ++28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193 ++22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81 ++137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153 ++60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0 ++3 2 2 4 4 4 ++3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158 ++157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125 ++37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4 ++4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0 ++0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196 ++101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126 ++14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ++22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209 ++136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13 ++17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15 ++2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163 ++166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63 ++13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2 ++4 4 4 4 4 4 ++1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153 ++163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6 ++4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4 ++4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18 ++40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196 ++101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209 ++101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126 ++136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 ++136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103 ++136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5 ++3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167 ++174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0 ++4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131 ++155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0 ++4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5 ++4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159 ++101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196 ++101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 ++136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211 ++136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196 ++136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220 ++90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17 ++85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174 ++167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3 ++6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5 ++5 5 5 5 5 5 ++1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125 ++131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0 ++6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1 ++0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196 ++101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 ++101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 ++101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209 ++136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209 ++101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141 ++7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154 ++174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125 ++24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5 ++4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5 ++5 5 5 4 4 4 ++4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131 ++131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3 ++6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0 ++13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193 ++90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 ++101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 ++101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 ++136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196 ++136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8 ++2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174 ++174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0 ++4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137 ++137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2 ++4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72 ++64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193 ++90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193 ++101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 ++101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 ++136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 ++101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7 ++37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166 ++167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0 ++3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137 ++153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2 ++4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193 ++90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193 ++90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 ++90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209 ++101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196 ++101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193 ++35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84 ++154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157 ++60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137 ++153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2 ++4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193 ++64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193 ++64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 ++101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 ++101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 ++136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 ++13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165 ++174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81 ++6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153 ++156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2 ++4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161 ++90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193 ++90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 ++90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 ++101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 ++101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8 ++2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158 ++174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37 ++4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153 ++158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2 ++4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161 ++37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 ++90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 ++90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196 ++101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 ++90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7 ++5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154 ++167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37 ++6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154 ++163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2 ++4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151 ++18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193 ++64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 ++90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196 ++101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141 ++13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5 ++3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158 ++174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63 ++4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158 ++167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2 ++4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144 ++18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 ++26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193 ++90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196 ++101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17 ++7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5 ++4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158 ++174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37 ++4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163 ++174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3 ++5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151 ++18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161 ++26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 ++90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196 ++101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5 ++2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5 ++3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137 ++153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37 ++4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166 ++174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3 ++5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144 ++18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 ++26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 ++26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161 ++35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8 ++2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5 ++3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125 ++131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37 ++4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167 ++174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3 ++5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151 ++18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161 ++26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 ++26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25 ++7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3 ++4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3 ++4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174 ++174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3 ++5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144 ++18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161 ++18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193 ++26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3 ++28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3 ++3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4 ++4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174 ++174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2 ++5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151 ++10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151 ++26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 ++18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161 ++90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35 ++3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3 ++4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174 ++177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2 ++5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144 ++10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151 ++26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93 ++6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193 ++10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93 ++2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0 ++4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174 ++177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2 ++5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144 ++10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161 ++26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2 ++7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34 ++3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34 ++21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0 ++4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174 ++190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2 ++5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144 ++10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144 ++24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52 ++18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0 ++28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93 ++26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0 ++4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174 ++190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2 ++5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144 ++10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14 ++0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161 ++26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52 ++37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161 ++90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0 ++4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174 ++193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2 ++5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144 ++10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7 ++1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161 ++26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52 ++22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161 ++26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0 ++4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174 ++190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2 ++5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144 ++10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2 ++2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161 ++26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52 ++10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161 ++26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0 ++4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174 ++193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2 ++5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144 ++10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25 ++13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161 ++10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151 ++26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 ++26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3 ++4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174 ++190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2 ++5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25 ++28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 ++10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151 ++28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161 ++26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 ++26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4 ++4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174 ++193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3 ++5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5 ++4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144 ++10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151 ++10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151 ++18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 ++22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4 ++4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174 ++190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2 ++6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3 ++1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151 ++18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144 ++10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144 ++26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14 ++1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4 ++5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137 ++137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174 ++193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0 ++2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 ++4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93 ++10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 ++10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161 ++26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0 ++2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5 ++3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137 ++131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174 ++193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34 ++0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4 ++4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7 ++13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144 ++10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151 ++28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4 ++4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0 ++0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131 ++125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174 ++193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203 ++120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4 ++4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2 ++4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144 ++10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25 ++4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4 ++4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2 ++24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125 ++125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28 ++0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221 ++174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221 ++220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0 ++3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5 ++4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144 ++10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2 ++1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 ++5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81 ++137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131 ++125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8 ++0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221 ++193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221 ++220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6 ++4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25 ++22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3 ++4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166 ++166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125 ++125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3 ++4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167 ++220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 ++205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125 ++24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5 ++4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7 ++4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4 ++4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0 ++2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166 ++156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137 ++137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0 ++5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28 ++125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203 ++205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246 ++193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3 ++5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3 ++1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4 ++5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17 ++60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163 ++153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137 ++125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 ++6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221 ++193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246 ++244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0 ++0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5 ++4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6 ++3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156 ++220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154 ++153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81 ++13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6 ++6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246 ++244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203 ++220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37 ++3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4 ++4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1 ++0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221 ++177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157 ++158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0 ++4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6 ++6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81 ++177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221 ++220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215 ++125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5 ++4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0 ++37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174 ++174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167 ++158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0 ++4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 ++4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 ++26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221 ++205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246 ++244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0 ++0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127 ++177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187 ++174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137 ++60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0 ++6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6 ++6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221 ++220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221 ++220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2 ++0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214 ++220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174 ++174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27 ++4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 ++6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 ++4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167 ++220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215 ++205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137 ++60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203 ++177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187 ++190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0 ++4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6 ++4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 ++6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6 ++125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215 ++205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221 ++193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187 ++190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201 ++153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 ++6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6 ++4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0 ++4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221 ++205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215 ++220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174 ++174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125 ++6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 ++5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5 ++6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 ++4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221 ++220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 ++190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203 ++193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0 ++4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 ++4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6 ++6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81 ++174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174 ++193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221 ++193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0 ++6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5 ++5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3 ++5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 ++6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203 ++193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158 ++60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6 ++5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3 ++5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0 ++4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203 ++193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6 ++6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5 ++4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 ++4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 ++6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125 ++153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6 ++6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3 ++6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6 ++24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0 ++6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 ++4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 ++6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 ++4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 ++5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6 ++6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 ++6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 ++4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6 ++4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 ++6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6 ++6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6 ++4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 ++4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3 ++5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6 ++5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 ++5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 ++4 4 4 4 4 4 +diff --git a/drivers/video/matrox/matroxfb_DAC1064.c b/drivers/video/matrox/matroxfb_DAC1064.c +index a01147f..5d896f8 100644 +--- a/drivers/video/matrox/matroxfb_DAC1064.c ++++ b/drivers/video/matrox/matroxfb_DAC1064.c +@@ -1088,14 +1088,20 @@ static void MGAG100_restore(struct matrox_fb_info *minfo) + + #ifdef CONFIG_FB_MATROX_MYSTIQUE + struct matrox_switch matrox_mystique = { +- MGA1064_preinit, MGA1064_reset, MGA1064_init, MGA1064_restore, ++ .preinit = MGA1064_preinit, ++ .reset = MGA1064_reset, ++ .init = MGA1064_init, ++ .restore = MGA1064_restore, + }; + EXPORT_SYMBOL(matrox_mystique); + #endif + + #ifdef CONFIG_FB_MATROX_G + struct matrox_switch matrox_G100 = { +- MGAG100_preinit, MGAG100_reset, MGAG100_init, MGAG100_restore, ++ .preinit = MGAG100_preinit, ++ .reset = MGAG100_reset, ++ .init = MGAG100_init, ++ .restore = MGAG100_restore, + }; + EXPORT_SYMBOL(matrox_G100); + #endif +diff --git a/drivers/video/matrox/matroxfb_Ti3026.c b/drivers/video/matrox/matroxfb_Ti3026.c +index 195ad7c..09743fc 100644 +--- a/drivers/video/matrox/matroxfb_Ti3026.c ++++ b/drivers/video/matrox/matroxfb_Ti3026.c +@@ -738,7 +738,10 @@ static int Ti3026_preinit(struct matrox_fb_info *minfo) + } + + struct matrox_switch matrox_millennium = { +- Ti3026_preinit, Ti3026_reset, Ti3026_init, Ti3026_restore ++ .preinit = Ti3026_preinit, ++ .reset = Ti3026_reset, ++ .init = Ti3026_init, ++ .restore = Ti3026_restore + }; + EXPORT_SYMBOL(matrox_millennium); + #endif +diff --git a/drivers/video/mb862xx/mb862xxfb_accel.c b/drivers/video/mb862xx/mb862xxfb_accel.c +index fe92eed..106e085 100644 +--- a/drivers/video/mb862xx/mb862xxfb_accel.c ++++ b/drivers/video/mb862xx/mb862xxfb_accel.c +@@ -312,14 +312,18 @@ void mb862xxfb_init_accel(struct fb_info *info, int xres) + struct mb862xxfb_par *par = info->par; + + if (info->var.bits_per_pixel == 32) { +- info->fbops->fb_fillrect = cfb_fillrect; +- info->fbops->fb_copyarea = cfb_copyarea; +- info->fbops->fb_imageblit = cfb_imageblit; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_fillrect = cfb_fillrect; ++ *(void **)&info->fbops->fb_copyarea = cfb_copyarea; ++ *(void **)&info->fbops->fb_imageblit = cfb_imageblit; ++ pax_close_kernel(); + } else { + outreg(disp, GC_L0EM, 3); +- info->fbops->fb_fillrect = mb86290fb_fillrect; +- info->fbops->fb_copyarea = mb86290fb_copyarea; +- info->fbops->fb_imageblit = mb86290fb_imageblit; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_fillrect = mb86290fb_fillrect; ++ *(void **)&info->fbops->fb_copyarea = mb86290fb_copyarea; ++ *(void **)&info->fbops->fb_imageblit = mb86290fb_imageblit; ++ pax_close_kernel(); + } + outreg(draw, GDC_REG_DRAW_BASE, 0); + outreg(draw, GDC_REG_MODE_MISC, 0x8000); +diff --git a/drivers/video/nvidia/nvidia.c b/drivers/video/nvidia/nvidia.c +index def0412..fed6529 100644 +--- a/drivers/video/nvidia/nvidia.c ++++ b/drivers/video/nvidia/nvidia.c +@@ -669,19 +669,23 @@ static int nvidiafb_set_par(struct fb_info *info) + info->fix.line_length = (info->var.xres_virtual * + info->var.bits_per_pixel) >> 3; + if (info->var.accel_flags) { +- info->fbops->fb_imageblit = nvidiafb_imageblit; +- info->fbops->fb_fillrect = nvidiafb_fillrect; +- info->fbops->fb_copyarea = nvidiafb_copyarea; +- info->fbops->fb_sync = nvidiafb_sync; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_imageblit = nvidiafb_imageblit; ++ *(void **)&info->fbops->fb_fillrect = nvidiafb_fillrect; ++ *(void **)&info->fbops->fb_copyarea = nvidiafb_copyarea; ++ *(void **)&info->fbops->fb_sync = nvidiafb_sync; ++ pax_close_kernel(); + info->pixmap.scan_align = 4; + info->flags &= ~FBINFO_HWACCEL_DISABLED; + info->flags |= FBINFO_READS_FAST; + NVResetGraphics(info); + } else { +- info->fbops->fb_imageblit = cfb_imageblit; +- info->fbops->fb_fillrect = cfb_fillrect; +- info->fbops->fb_copyarea = cfb_copyarea; +- info->fbops->fb_sync = NULL; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_imageblit = cfb_imageblit; ++ *(void **)&info->fbops->fb_fillrect = cfb_fillrect; ++ *(void **)&info->fbops->fb_copyarea = cfb_copyarea; ++ *(void **)&info->fbops->fb_sync = NULL; ++ pax_close_kernel(); + info->pixmap.scan_align = 1; + info->flags |= FBINFO_HWACCEL_DISABLED; + info->flags &= ~FBINFO_READS_FAST; +@@ -1173,8 +1177,11 @@ static int nvidia_set_fbinfo(struct fb_info *info) + info->pixmap.size = 8 * 1024; + info->pixmap.flags = FB_PIXMAP_SYSTEM; + +- if (!hwcur) +- info->fbops->fb_cursor = NULL; ++ if (!hwcur) { ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_cursor = NULL; ++ pax_close_kernel(); ++ } + + info->var.accel_flags = (!noaccel); + +diff --git a/drivers/video/omap2/dss/display.c b/drivers/video/omap2/dss/display.c +index 669a81f..e216d76 100644 +--- a/drivers/video/omap2/dss/display.c ++++ b/drivers/video/omap2/dss/display.c +@@ -137,12 +137,14 @@ int omapdss_register_display(struct omap_dss_device *dssdev) + snprintf(dssdev->alias, sizeof(dssdev->alias), + "display%d", disp_num_counter++); + ++ pax_open_kernel(); + if (drv && drv->get_resolution == NULL) +- drv->get_resolution = omapdss_default_get_resolution; ++ *(void **)&drv->get_resolution = omapdss_default_get_resolution; + if (drv && drv->get_recommended_bpp == NULL) +- drv->get_recommended_bpp = omapdss_default_get_recommended_bpp; ++ *(void **)&drv->get_recommended_bpp = omapdss_default_get_recommended_bpp; + if (drv && drv->get_timings == NULL) +- drv->get_timings = omapdss_default_get_timings; ++ *(void **)&drv->get_timings = omapdss_default_get_timings; ++ pax_close_kernel(); + + mutex_lock(&panel_list_mutex); + list_add_tail(&dssdev->panel_list, &panel_list); +diff --git a/drivers/video/s1d13xxxfb.c b/drivers/video/s1d13xxxfb.c +index 83433cb..71e9b98 100644 +--- a/drivers/video/s1d13xxxfb.c ++++ b/drivers/video/s1d13xxxfb.c +@@ -881,8 +881,10 @@ static int s1d13xxxfb_probe(struct platform_device *pdev) + + switch(prod_id) { + case S1D13506_PROD_ID: /* activate acceleration */ +- s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill; +- s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea; ++ pax_open_kernel(); ++ *(void **)&s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill; ++ *(void **)&s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea; ++ pax_close_kernel(); + info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN | + FBINFO_HWACCEL_FILLRECT | FBINFO_HWACCEL_COPYAREA; + break; +diff --git a/drivers/video/smscufx.c b/drivers/video/smscufx.c +index d513ed6..90b0de9 100644 +--- a/drivers/video/smscufx.c ++++ b/drivers/video/smscufx.c +@@ -1175,7 +1175,9 @@ static int ufx_ops_release(struct fb_info *info, int user) + fb_deferred_io_cleanup(info); + kfree(info->fbdefio); + info->fbdefio = NULL; +- info->fbops->fb_mmap = ufx_ops_mmap; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_mmap = ufx_ops_mmap; ++ pax_close_kernel(); + } + + pr_debug("released /dev/fb%d user=%d count=%d", +diff --git a/drivers/video/udlfb.c b/drivers/video/udlfb.c +index 77b890e..458e666 100644 +--- a/drivers/video/udlfb.c ++++ b/drivers/video/udlfb.c +@@ -623,11 +623,11 @@ static int dlfb_handle_damage(struct dlfb_data *dev, int x, int y, + dlfb_urb_completion(urb); + + error: +- atomic_add(bytes_sent, &dev->bytes_sent); +- atomic_add(bytes_identical, &dev->bytes_identical); +- atomic_add(width*height*2, &dev->bytes_rendered); ++ atomic_add_unchecked(bytes_sent, &dev->bytes_sent); ++ atomic_add_unchecked(bytes_identical, &dev->bytes_identical); ++ atomic_add_unchecked(width*height*2, &dev->bytes_rendered); + end_cycles = get_cycles(); +- atomic_add(((unsigned int) ((end_cycles - start_cycles) ++ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles) + >> 10)), /* Kcycles */ + &dev->cpu_kcycles_used); + +@@ -748,11 +748,11 @@ static void dlfb_dpy_deferred_io(struct fb_info *info, + dlfb_urb_completion(urb); + + error: +- atomic_add(bytes_sent, &dev->bytes_sent); +- atomic_add(bytes_identical, &dev->bytes_identical); +- atomic_add(bytes_rendered, &dev->bytes_rendered); ++ atomic_add_unchecked(bytes_sent, &dev->bytes_sent); ++ atomic_add_unchecked(bytes_identical, &dev->bytes_identical); ++ atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered); + end_cycles = get_cycles(); +- atomic_add(((unsigned int) ((end_cycles - start_cycles) ++ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles) + >> 10)), /* Kcycles */ + &dev->cpu_kcycles_used); + } +@@ -993,7 +993,9 @@ static int dlfb_ops_release(struct fb_info *info, int user) + fb_deferred_io_cleanup(info); + kfree(info->fbdefio); + info->fbdefio = NULL; +- info->fbops->fb_mmap = dlfb_ops_mmap; ++ pax_open_kernel(); ++ *(void **)&info->fbops->fb_mmap = dlfb_ops_mmap; ++ pax_close_kernel(); + } + + pr_warn("released /dev/fb%d user=%d count=%d\n", +@@ -1376,7 +1378,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev, + struct fb_info *fb_info = dev_get_drvdata(fbdev); + struct dlfb_data *dev = fb_info->par; + return snprintf(buf, PAGE_SIZE, "%u\n", +- atomic_read(&dev->bytes_rendered)); ++ atomic_read_unchecked(&dev->bytes_rendered)); + } + + static ssize_t metrics_bytes_identical_show(struct device *fbdev, +@@ -1384,7 +1386,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev, + struct fb_info *fb_info = dev_get_drvdata(fbdev); + struct dlfb_data *dev = fb_info->par; + return snprintf(buf, PAGE_SIZE, "%u\n", +- atomic_read(&dev->bytes_identical)); ++ atomic_read_unchecked(&dev->bytes_identical)); + } + + static ssize_t metrics_bytes_sent_show(struct device *fbdev, +@@ -1392,7 +1394,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev, + struct fb_info *fb_info = dev_get_drvdata(fbdev); + struct dlfb_data *dev = fb_info->par; + return snprintf(buf, PAGE_SIZE, "%u\n", +- atomic_read(&dev->bytes_sent)); ++ atomic_read_unchecked(&dev->bytes_sent)); + } + + static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev, +@@ -1400,7 +1402,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev, + struct fb_info *fb_info = dev_get_drvdata(fbdev); + struct dlfb_data *dev = fb_info->par; + return snprintf(buf, PAGE_SIZE, "%u\n", +- atomic_read(&dev->cpu_kcycles_used)); ++ atomic_read_unchecked(&dev->cpu_kcycles_used)); + } + + static ssize_t edid_show( +@@ -1460,10 +1462,10 @@ static ssize_t metrics_reset_store(struct device *fbdev, + struct fb_info *fb_info = dev_get_drvdata(fbdev); + struct dlfb_data *dev = fb_info->par; + +- atomic_set(&dev->bytes_rendered, 0); +- atomic_set(&dev->bytes_identical, 0); +- atomic_set(&dev->bytes_sent, 0); +- atomic_set(&dev->cpu_kcycles_used, 0); ++ atomic_set_unchecked(&dev->bytes_rendered, 0); ++ atomic_set_unchecked(&dev->bytes_identical, 0); ++ atomic_set_unchecked(&dev->bytes_sent, 0); ++ atomic_set_unchecked(&dev->cpu_kcycles_used, 0); + + return count; + } +diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c +index 256fba7..6e75516 100644 +--- a/drivers/video/uvesafb.c ++++ b/drivers/video/uvesafb.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include